Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Data Protection Update: UK-US Data Transfers

  • Published: October 12, 2023
  • Category: International Standards

Share this post

Georgina Daugherty
Georgina Daugherty

Share this post

UK-US Data Transfers

The ability for UK and EU organisations to safely and lawfully share data with US organisations is key for fostering trade and helping economies. Therefore, it has been a key priority for the EU and the UK to facilitate trade and the transfer of personal data to the US. On 10th July 2023, the European Commission announced its adequacy decision on the EU-US Data Privacy Framework (DPF). This meant that any data transfers between the European Union and the United States (US) from any public or private entity in the EEA to certified US companies were covered under the approved EU-US Framework with immediate effect. Recently, the UK Government announced it will follow the EU’s decision and confirmed that the ‘UK-US Data Bridge’ will come into effect from 12th October 2023. This would introduce another mechanism for the lawful transfer of personal data between the UK and the US.   

Why are UK-US Data Transfers Contentious?

The US is the home of many companies which specialise in technology, data storage, and data processing.  Well known examples include Meta, X (formerly Twitter), Google and Microsoft. These companies are also known as ‘Big Tech’ and they are responsible for facilitating large volumes of data transfers to and from the US. The desire to develop mechanisms that facilitate data transfers between the UK and the US in line with data protection legislation has been the focus of significant work for many years. Originally the International Safe Harbor Privacy Principles were developed to protect personal data however in 2015, Austrian activist and lawyer, Max Schrems brought a case against the Irish Data Protection Commissioner (DPC) arguing that the use of the US-EU Safe Harbor Framework was illegal.  Following the revelations from the 2013 Snowden case, Schrems was concerned that US intelligence agencies could access his personal data in violation of his EU data protection rights. This led to the Schrems I ruling where on 6th October 2015, the European Court of Justice declared that the Safe Harbor Framework, which had been in place since 26th July 2000, was invalid.  In response to the Schrems I ruling, the EU-US Privacy Shield was developed in 2016. However, the legality of the Privacy Shield only lasted four years.  Schrems made another complaint to the Irish DPC focussed on Facebook’s use of Standard Contractual Clauses (SCCs) to transfer personal data. SCCs had become the primary accepted mechanism for sharing the personal data of European citizens with third countries outside of the European Economic Area (EEA) so the legal challenge raised questions about their effectiveness. This case made its way to the Court of Justice of the European Union (CJEU) and Schrem’s complaint (11 questions) also queried if the Privacy Shield was a suitable mechanism for protecting EU personal data from US government agencies. On 16th July 2020, CJEU ruled in favour of Schrems declaring the Privacy Shield unlawful in what is now known as the Schrems II Judgement.  Following the Schrems II Judgement, companies that were previously relying on the  EU-US Privacy Shield needed to identify an alternative legal mechanism for transferring personal data to the US.  In their judgement, the CJEU upheld the use of SCCs but raised doubt over the effectiveness of their use. This caused significant confusion and problems for companies as the rules relating to US data transfers had become even more complex and confusing than before.  The Schrems II case therefore had the potential to severely impact trade with the US for organisations based in the EU and UK.  

EU-US Data Privacy Framework

Just over three years after the Schrems II Judgement, the EU-US Data Privacy Framework (EU-US DPF) was announced.  This is a bespoke, opt-in certification scheme for US companies, enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce (DoC).  The EU-US DPF covers the transfers of personal data from any public or private entity in the European Economic Area (EEA) to self-certified companies in the United States (US). Once a US organisation has self-certified through the US DoC, they are required to adhere to the privacy principles within the EU-US DPF.   The principles of the new framework provide assurance to EU data subjects that when their personal data is transferred to the US under the EU-US DPF, it will receive the same level of protection as stipulated by EU data protection legislation. The EU-US DPF builds on the previous frameworks (Safe Harbor and the EU-US Privacy Shield) and still retains the self-certification mechanism. As part of the EU-US DPF, national surveillance agencies are held to stricter standards when it comes to the personal data they can access and how they can access it, as well as providing a clearer definition of what is regarded as “necessary and proportionate”. Furthermore, data subjects will have access to an individual redress mechanism in cases of non-compliance.   

UK-US Data Bridge 

Although the UK’s departure from the EU resulted in a UK-specific data protection regime, the UK Data Protection Act and UK GDPR, currently remain in line with the EU GDPR.  Despite this, the UK government has defined the term ‘data bridge’ as their preferred terminology for ‘adequacy’ (which is the term used by the EU to describe a country outside the EU that offers an adequate level of data protection).  They describe a data bridge as the ability to transfer (flow) personal data from the UK to another country without the need for further safeguards.  Following the introduction of the EU-US DPF, the UK Government announced that it had established a data bridge with the US through a UK Extension to the EU-US DPF.  From  12th October 2023, UK businesses and organisations will also be able to transfer data to organisations in the US that comply with the requirements of the EU-US DPF.  In response, the US Attorney General announced the UK as a ‘qualifying state’.  This extends the newly established redress mechanism which deals with potentially unlawful access to personal data by US authorities under the guise of national security to all UK data subjects whose personal data has been transferred to the US. The UK-US Data Bridge is not the first data-sharing agreement the UK has signed post-Brexit, and it will not be the last. The first data-sharing agreement was the South Korea Adequacy Decision in July 2022.   

What does the UK-US Data Transfers mean for organisations?

The EU-US DPF and the UK Extension simplify the process of transferring personal data to the US.  Previously organisations were required to undertake a Transfer Risk Assessment (TRA) and implement SCCs and/or an International Data Transfer Agreement (IDTA) which was often a lengthy, complex and costly process.  Instead, organisations based in the EEA can now rely on the EU-US DPF, and UK organisations can rely on the UK-US Data Bridge to facilitate transfers of data between them and the US.  All that is required is for the US organisation to abide by the principles and self-certify with the US Department of Commerce.  If an organisation uses the UK-US data bridge to transfer personal data, they must ensure that high standards of data protection are maintained when data is transferred from the UK to certified US organisations. It’s important to note that the data bridge does not remove the obligations of UK companies under UK data protection legislation to ensure that data, and in particular, special category data is appropriately protected and that data subject rights are upheld.  Appropriate technical and organisational measures must therefore still be implemented and maintained to adequately protect personal data. Cyber Essentials, Cyber Essentials Plus and ISO27001 are all established information security frameworks with associated certifications that organisations can implement and adhere to to support the use of appropriate technical and organisational measures.  As with previous mechanisms to facilitate the transfers of personal data to the US, there is the likelihood that Schrems (or others) may object to the use of both the EU-US DPF and the UK-US Data Bridge. The UK Government is however confident that the bridge will be an appropriate and reliable safeguard that has addressed the concerns raised by the 2020 Schrems II Judgement.  It remains to be seen if either the UK-US Data Bridge or the EU-US DPF will stand the test of time. There is an ongoing debate that the EU-US DPF and the UK Extension, do not provide adequate protection to data subject’s personal data. In particular, there are still concerns about the effectiveness of the limitations placed on US national security organisations and whether these are sufficient to protect data subject’s rights under UK and EU data protection legislation.  Only time will tell if Schrems, through his organisation ‘noyb,’ will file further legal action(s) to challenge the validity of either the EU-US DPF or the UK-US Data Bridge. For now, however, organisations once again have some clarity and simplicity when it comes to data sharing with the US.  

Useful Links 

  • Questions & Answers: EU-US Data Privacy Framework
  • UK Government Press Release
  • Data Privacy Framework Program
  • UK-US data bridge: factsheet for UK organisations
 

Other Articles​

Loading...
How ISO 42001 Compliments Other Regulatory Frameworks

How ISO 42001 Compliments Other Regulatory Frameworks

Read More →

November 26, 2025
Blog post: How to integrate ISO 42001 with other Management Systems

How to integrate ISO 42001 with other Management Systems

Read More →

October 8, 2025

FAQ: What is ISO 42001?

Read More →

September 26, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept