October 5th, 2023
The UK-US Data Bridge was announced by UK’s Department for Science, Innovation and Technology (DSIT) on 21 September and starts on 12 October.
If companies meet certain conditions, they will be able to transfer personal data to the US without using legal safeguards, such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs).
The UK-US Data Bridge follows the recently adopted EU-US version.
Sending Personal Data
UK organisations cannot simply transfer personal data to any data importer/recipient in the US. For the data to flow freely, the relevant recipient must be certified to the UK Extension and appear on the Data Privacy Framework (DPF) List.
UK-based companies planning to send personal data to the US using the Data Privacy Framework (DPF) must check whether the recipient companies have self-certified to conform with privacy principles enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT).
US organisations that have been certified to the Data Privacy Framework can opt in to receiving data from the UK. Once a US organisation has been certified and is publicly placed onto the Data Privacy Framework List (DPF List) on the DPF website, it can receive UK personal data through the UK-US Data Bridge.
Before sending personal data to the US, you must confirm that the recipient is certified with the DPF (and when transferring HR data specifically, US organisations must have highlighted this on their certification).
In summary, before sending personal data to the US you must:
1. Confirm whether an organisation is an active DPF participant
2. Confirm that said organisation has signed up to the UK Extension to the EU-US Data Privacy Framework program
3. (If wishing to transfer HR data) Confirm that HR data is covered by the organisation's DPF commitments
The following link provides access to the US Data Privacy Framework:
Special Category and Sensitive Data
The ICO has highlighted that certain categories of personal data that are treated as particularly sensitive under the UK GDPR are not treated as ‘sensitive information’ under the DPF, unless this data is expressly identified as sensitive by the transferring organisation.
The following UK personal data which is considered to be sensitive must therefore be identified as sensitive to US organisations:
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning sexual orientation
Organisations currently excluded from the DPF
The following organisations are unable to participate in the DPF at this time: banking, insurance, and telecommunications companies.
The ICO has issued a comprehensive factsheet that can be found here.
The ICO has further supporting documents which can be found here.
The BHBIA’s Ethics & Compliance Committee is providing this guidance as general information for its members. It is not legal advice and should not be relied upon as such. Specific legal advice should be taken in relation to any specific legal problems or matters. Whilst every reasonable effort is made to ensure the information is accurate, no responsibility for its accuracy or for any consequences of relying on it is assumed by the BHBIA.