The U.K. government recently confirmed its support for a transatlantic data transfer deal between the EU and the U.S., known as the “U.K.-U.S. data bridge.” This decision came after an initial agreement in June, and will enable digital commerce to flourish by permitting U.K. citizen’s information to be exported to the U.S. under the condition of sufficient protection in line with the U.K.’s data protection regime (U.K. GDPR).
The agreement, moved forward by Secretary of State Michelle Donelan, became effective on September 21st, 2023, and will come into force from October 12th. This means that U.K. businesses can safely transfer personal data to certified organizations in the U.S. Interestingly, this move is a result of Brexit, as the U.K.’s exit from the EU necessitated its own data sharing deal with the U.S.
Despite its convenience, this arrangement has raised several questions regarding its durability as it relies heavily on the EU’s framework which is set to face legal challenges in the EU. The main concern is whether or not it sufficiently protects citizens’ data. Previous EU-U.S. data transfer deals were invalidated by the EU’s top court in 2015 and 2020, leading many to question what would happen to the U.K.’s arrangement if the DPF were to be struck down.
Regardless of these concerns, it seems possible that the U.K.’s “bolt on” extension might survive should any issues arise with the DPF, especially as the EU court of justice no longer has jurisdiction in the U.K. In fact, this isn’t the first data sharing deal the U.K. has established since Brexit; that was an adequacy decision made in July 2022 with South Korea.