On 8 June 2023, the UK Secretary of State for Science, Innovation, and Technology and the US Secretary of Commerce issued a joint Statement confirming that the UK and the USA have committed in principle to establishing a “data bridge” to allow for the free flow of data between organisations in the UK and participating organisations in the USA.

Whilst the government’s accompanying Press Release characterises the announcement as being a “significant milestone”, there is little that goes beyond January’s commitment to finalize and implement a data bridge during the course of 2023[1], with one important exception.  The latest statement clarifies that the intention is for the UK data bridge to be an “extension” to the planned EU/US Data Privacy Framework, which is currently subject to approval by MEPs and a review committee before a final adequacy decision may be issued in respect of it.  This harmonised approach seems logical (and politically expedient), particularly due to the fact it will reduce the likelihood of the UK’s own EU adequacy decision being called into question.

Notably, each of the Statement and the Press Release refer to a commitment in principle, as opposed to a firm commitment.  The description of the potential benefits of the data bridge is caveated with a statement that these will only be realised if it is finalised, and we are told “further technical work will now be completed in the coming months before a decision on whether to establish the data bridge is made.”  Whilst the Statement does explicitly identify several dependencies for the establishment of the data bridge (such as completion of the UK’s assessment of the proposal and the USA’s designation of the UK as a qualifying state under EO 14086), a potential further dependency (and one over which the UK has no control) seems to be whether the EU-US Data Privacy Framework is in fact finalised.  The Statement and Press Release are silent on the impact that any decision to delay or abandon the EU-US Data Privacy Framework would have on the commitment in principle and whether the UK data bridge would be progressed independently of it, potentially risking the UK’s existing EU adequacy decision.

Our take

Whilst the current iteration of the data bridge may be contingent on the EU-US Data Privacy Framework, it appears the commitment of the UK and USA is not, necessarily.  The Statement concludes by affirming the countries’ shared intention to “work together to facilitate trusted cross-border data flows, including on multilateral initiatives, such as the Global Cross-Border Privacy Rules Forum[2].  For now, it remains to be seen whether the UK will be forced to choose between  protecting its own adequacy decision and its desire to strengthen the UK-US relationship. Given that the data bridge announcement forms part of a broader “Atlantic Declaration” setting out the UK and USA’s plans to work together more closely across the full spectrum of “economic, technological, commercial and trade relations”, if faced with this choice, it is not immediately clear which way the UK Government would go. 

[1] A key deliverable identified at January’s Inaugural Meeting of U.S.-UK Comprehensive Dialogue on Technology and Data in January 2023 is “to finalize and implement a data bridge for U.S.-UK data flows”: https://www.gov.uk/government/news/inaugural-meeting-of-us-uk-comprehensive-dialogue-on-technology-and-data

[2] CBPR is a voluntary accountability-based scheme to facilitate data transfers, of which the USA is already a member and which the UK applied to join on 17 April 2023