Security News > 2023 > October > What to expect when the UK-US Data Bridge comes into force this week

Opinion The UK Extension to the EU-US Data Privacy Framework will enter into force on October 12, allowing certifying entities to easily transfer personal data from the UK to the US. Transferring personal data across the Atlantic would otherwise be prohibited under the UK General Data Protection Regulation without transfer mechanisms.

As the UK is no longer a member of the European Union, the DPF does not automatically enable the transfer of personal data from the UK to the US. Transfers of personal data from the UK will require a Data Bridge.

The Regulations provide that for the purposes of the UK GDPR and the Data Protection Act 2018, the Secretary of State considers that the US provides an adequate level of protection for personal data for certain types of transfers.

In order for UK data exporters to be able to rely on the Data Bridge, the US importer must have self-certified to the DPF and the Data Bridge.

British data watchdog the Information Commissioner's Office has expressed reservations concerning the Data Bridge.

The Data Bridge definition of "Sensitive data" does not match that of the UK GDPR, as the definition that appears in the Data Bridge does not specify all of the special categories of personal data identified in Article 9 UK GDPR. In addition, the Data Bridge definition includes a catch-all provision specifying "... any other information received from a third party that is identified and treated by that party as sensitive." This discrepancy means that UK exporters will need to identify biometric, genetic, sexual orientation, and criminal offence data as "Sensitive data" when sending information to the US. However, nothing in the UK GDPR currently requires UK organizations to identify information as sensitive.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/11/uk_us_data_bridge/