UK–US data bridge — Extension to the Data Privacy Framework now in force
The UK government activated its data bridge to the EU–US Data Privacy Framework on October 12, 2023, enabling UK personal data transfers to participating U.S. organizations without Standard Contractual Clauses while maintaining onward transfer and redress requirements.
On October 12, 2023 the UK Extension to the EU–US Data Privacy Framework ("UK data bridge") took effect following a UK adequacy decision. UK controllers can now rely on certified U.S. organizations listed on the Data Privacy Framework (DPF) website for transfers of personal data from the UK without executing Standard Contractual Clauses, provided the organization elects to participate in the UK extension.
Although the data bridge streamlines transatlantic transfers, organisations must continue to carry out transfer risk assessments and vendor due diligence, and to maintain redress notices, to satisfy UK GDPR accountability expectations.
Governance impacts
- Transfer mechanisms inventory. Update records of processing to note when the UK data bridge is used instead of SCCs, and track vendor DPF certification status (including the UK extension) as part of onboarding and annual reviews.
- Onward transfer controls. Verify that U.S. service providers relying on the data bridge impose equivalent protections on sub-processors, including contractual restrictions on surveillance-related disclosures and timely breach notification.
- Data subject communications. Refresh privacy notices to explain the UK data bridge mechanism, available redress via independent dispute resolution or the Data Protection Review Court, and how individuals can verify a provider’s listing.
Operational steps
- Vendor monitoring. Implement automated checks of the Data Privacy Framework list to detect lapsed certifications or scope limitations, triggering fallback to SCCs or suspension of transfers.
- Transfer impact assessments. Document how the data bridge and U.S. safeguards (Executive Order 14086 and DOJ redress process) mitigate surveillance risks identified in earlier TIAs.
- Contract alignment. Align data processing addenda with the DPF Principles, ensuring right-to-audit clauses and incident reporting meet UK ICO expectations and sectoral codes.
What to watch
- Periodic review. The UK government committed to periodic reassessment of the data bridge; organisations should track review milestones and potential court challenges that could affect transfer legality.
- ICO guidance. Monitor ICO updates on how the data bridge interacts with international data transfer tools and breach notification duties, especially for mixed UK/EU processing environments.
- DPF scope changes. Stay current on U.S. Department of Commerce updates to the DPF Principles or verification procedures that may affect UK-specific commitments.
Sources
- UK government explanatory note on the UK-US data bridge (October 2023)
- Data Privacy Framework participant list with UK extension selection
Data protection teams should still maintain TIAs and vendor monitoring even when using the data bridge to keep evidence aligned with UK GDPR accountability requirements.




