On 8 June 2023, US President Joe Biden and UK Prime Minister Rishi Sunak announced that the US and UK had reached a commitment in principle to establish a UK/US ‘data bridge’ between their two countries. The data bridge will be an extension of the new EU-US Data Privacy Framework, which is expected to be adopted by the EU Commission this summer.
Further technical work on the data bridge will be completed in the coming months, with the UK and US aiming to get it finalised later this year. Once finalised, the data bridge will act as a UK adequacy decision and data will be able to flow freely from the UK to US organisations that certify for the scheme.
For transfers from the UK to US organisations that are not certified under the scheme, a safeguard will still be needed such as the UK international data transfer agreement (IDTA) or, where standard contractual clauses (SCCs) approved under the EU GDPR are also being used, the UK international data transfer addendum. In these circumstances, a data transfer impact assessment (DTIA) should also be carried out.
An adequacy decision on the EU-US Data Privacy Framework is expected to be adopted this summer. Once adopted, EU data will be able to flow freely from the EU to US organisations certified for the scheme. The new EU SCCs, or another safeguard, will still be needed for EU transfers to US organisations that are not certified under the scheme, and a DTIA should also be carried out.
Until an adequacy decision on the EU-US Data Privacy Framework is adopted by the EU Commission (for EU to US transfers) and adequacy regulations in relation to the UK/US data bridge are passed by Parliament (for UK to US transfers), organisations will continue to need appropriate safeguards, such as the new EU SCCs (for EU to US transfers) or the new IDTA (for UK to US transfers) and, in both cases, to conduct DTIAs.
Any data transfer agreements relying on the old EU SCCs for transfers from the EU must be updated with the new EU SCCs (the deadline to update was 27 December 2022). Any data transfer agreements relying on old SCCs for transfers from the UK must be updated by 23 March 2024. For further information, see our SCC toolkit.
We will be pleased to help with updating your organisation’s SCCs.
To assist companies which have numerous data transfer arrangements relying on the old form SCCs, we have developed PennSIFT. PennSIFT is an innovative AI tool that quickly sifts through volumes of contracts to identify those using old form SCCs, generating an easily readable report that will inform compliance strategy and help organisations to prioritise. For further information on PennSIFT click here.
We have considerable experience in advising our clients on all aspects of data protection law. We can provide template contracts, help negotiate contracts and provide end to end management of repapering projects. We also regularly assist with preparing DTIAs for the US and other key jurisdictions.
If you would like to discuss PennSIFT or your organisation’s international data transfers generally, please get in touch with your usual Penningtons Manches Cooper contact or Joanne Vengadesan or Anna Frankum.