UK-U.S. Data Bridge Allows Transfer of Personal Data From the United Kingdom to the United States

Beginning October 12, 2023, the UK-U.S. Data Bridge will allow UK companies to transfer personal data to the United States using the new EU-U.S. Data Privacy Framework.

The UK data protection rules ("UK GDPR") restrict transfers of personal data to countries that do not have adequate levels of protection such as the United States. Transfers can be made provided the parties put in place appropriate safeguards such as approved standard contractual clauses or binding corporate rules. However, these arrangements impose administrative burdens.

The European Union applies similar transfer restrictions. It recently enacted the EU-U.S. Data Privacy Framework ("DPF"), which allows transfers of personal data from the EU to U.S. organizations that have self-certified within the U.S. Department of Commerce under the DPF without the need for further arrangements or a transfer risk assessment. (Please see our Commentary, European Union and United States Reach New Agreement for Data Flow Across the Atlantic.)

The UK government has now adopted regulations (the "UK-U.S. Data Bridge") which allow UK companies to transfer personal data to the United States under the DPF. The UK-U.S. Data Bridge allows the transfer of personal data from the UK to U.S. organizations that have: (i) certified under the DPF; and (ii) opted-in to receive UK data. The DPF only applies to U.S. organizations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation and so will not apply to banking, insurance, and telecommunications companies.

There are minor differences between the wording of the UK GDPR and the DPF in relation to special category and sensitive data. As a result, genetic data, biometric data, data concerning sexual orientation, and criminal offence data must be identified by the UK organization to the U.S. recipient before transfer. 

The UK government has published a factsheet providing further details of the UK-U.S. Data Bridge.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.