Data Flows Between UK and US to be Simplified Under New Agreement

Written by

The US and UK have reached an agreement to create a ‘data bridge’ to enable the free flow of data between the two regions.

The ‘commitment in principle’ represents a UK extension to the Data Privacy Framework agreed between the EU and US in 2022. This means that US companies who are approved to join the framework will be able to receive UK personal data.

The preliminary Data Privacy Framework is designed to revamp the previous Privacy Shield arrangement between the US and EU, which was ruled unlawful under GDPR rules in the Schrems II case in 2020.

The new UK-US deal follows two years of technical discussions between the two governments, with further work to be completed in the coming months “before a final decision on whether to establish a data bridge is made,” according to a UK government statement. 

Both parties emphasized that the arrangement is designed to boost economic growth and facilitating innovation in areas like science and research.

The UK’s Secretary of State for Science, Innovation, and Technology, Chloe Smith, commented: “Data bridges not only offer simpler avenues for the safe transfer of personal data between countries, but also remove red tape for businesses of all sizes and allow them to access new markets.

“International collaboration is key to our science and technology superpower ambitions, and working with global partners like the United States ensures we can open new opportunities to grow our innovation economy,” she added

The White House said in a statement: “​​The trusted and secure flow of data across our borders is foundational to efforts to further innovation. To that end, we have committed in principle to establish a US-UK Data Bridge to facilitate data flows between our countries while ensuring strong and effective privacy protections. We are working to finalize our respective assessments swiftly to implement this framework.”

Commenting on the news, Sarah Pearce, partner at Hunton Andrews Kurth, said: “This is very welcome news: not only does it facilitate transfers from the UK to the US but it also shows a sense of alignment of the UK and EU position in respect of data transfers to the US.

“The idea is that US companies who are approved to join the framework would be able to receive personal data without the need for the additional contractual provisions that are currently required” Pearce added. 

In a blog post by law firm Pinsent Masons, Rosie Nance, senior practice development lawyer, welcomed the announcement, noting that the approach of extending the EU-US agreement rather than a standalone arrangement “is likely to be the smoothest approach for reaching political agreement.”

She added: “It is also the least likely to cause issues for the UK’s own EU adequacy status, as the UK approach will presumably align with the EU’s.”

In March 2023, the UK government introduced the Data Protection and Digital Information (DPDI) Bill to parliament, which will revamp current GDPR rules. The main purpose is to reduce costs and complexities for businesses in transferring and using data.

However, experts have warned that the provisions could damage consumers’ privacy rights as well as risk the UK’s adequacy arrangement with the EU.

What’s hot on Infosecurity Magazine?