The UK and US have committed in principle to establish a new data bridge that aims to enable unrestricted data sharing between the two nations, removing the data sharing restrictions currently set under the UK-GDPR. While this is sure to be welcomed news for British companies doing business with the US, this new commitment has sparked discussions about the potential consequences for the UK’s status as “on par” with the EU regarding data protection and privacy legislation.
It is important to acknowledge that many companies, knowingly or unknowingly, already share data with the US. Any companies using popular email providers like Gmail and Outlook, as well as major cloud services providers such as AWS, Google Cloud, and Microsoft Azure, will be engaging in data transfers with the US due to the complex, interconnected nature of servers and data transfers.
The proposed data bridge presents an opportunity for businesses to freely exchange data between the UK and the US, bypassing some of the data-sharing limitations imposed by the General Data Protection Regulation (GDPR). While this may benefit British companies with no ties to the EU, it raises concerns for those with EU business relationships or serving EU customers.
The EU still considers the US a third country that hasn’t implemented sufficient safeguards to protect the data of EU citizens. Consequently, this agreement between the US and the UK could potentially impact the UK’s adequacy decision, which confirms the alignment of its data protection framework with the GDPR. This creates a complex scenario where data flows between the UK, and the EU could face scrutiny, potentially affecting businesses that rely on unrestricted data transfers within the EU.
While the EU is already in talks with the US about a potential framework for the free flow of data between the two regions, concerns have been raised by the European Parliament and the European Data Protection Board about whether the US has done enough to ensure the security and protection of EU citizen’s data. If the implementation of the EU-US Data Privacy Framework faces delays or requires revisions, it remains uncertain how this may impact the UK-EU adequacy decision.
In light of these changes and the ongoing evolution of these UK/US/EU data-sharing rulings, continued compliance with local data protection regulations is still essential for all businesses. Whether your organisation works with the US or shares data with the EU, meeting compliance requirements under the UK-GDPR remains obligatory for companies in the UK. As you navigate the potential impact of the UK-US data bridge, consider these practical steps:
Take a closer look at how your company handles data transfers, especially between the UK, the US, and the EU. Understand the type of data being shared and whether you must comply with additional data compliance regulations.
If your business heavily relies on US-based email or cloud service providers, consider exploring alternative options that prioritise data localisation to the UK or the EU or have strong data protection measures in place.
At Naq, we are dedicated to providing accessible and practical compliance advice to businesses of all sizes. Our experts continually monitor and analyse developments in data protection regulations to ensure our customers have the information they need to maintain compliance.
For a more streamlined solution to your organisation’s compliance, Naq’s automated platform stays up-to-date with regulatory changes, automatically updating your data compliance and cyber security policies in line with the latest developments. Our platform ensures organisations remain continuously compliant, even as regulations change and their businesses grow.
Naq automates compliance with in-demand frameworks, including UK & EU GDPR, Cyber Essentials, ISO27001, and industry-specific compliances and due diligence obligations like NHS DSPT, DTAC, JOSCAR & DART.
Discover why hundreds trust Naq to achieve, monitor and manage their data compliance programme, eliminating hundreds of hours of manual work and keeping their data continuously compliant and protected. Click here to learn more.