back to article What to expect when the UK-US Data Bridge comes into force this week

The UK Extension to the EU-US Data Privacy Framework (aka Data Bridge) will enter into force on October 12, allowing certifying entities to easily transfer personal data from the UK to the US. Transferring personal data across the Atlantic would otherwise be prohibited under the UK General Data Protection Regulation (UK GDPR) …

  1. Pascal Monett Silver badge

    It's always from The World to The USA

    I wonder if anybody has actually taken notice of that.

    All the agreements are for transfer of Personally Identifiable Information to the USA. Never the other way around.

    The USA is the black hole of PII on the Internet.

    Maybe someone should do something about that.

    1. Doctor Syntax Silver badge

      Re: It's always from The World to The USA

      I think there's one simple principle that would sort this out for good. If I hand over personal information to a second party for some reason that party becomes directly responsible to me, and answerable in a court in the jurisdiction where I live, for safeguarding that information. If they hand it over to a 3rd party they're still responsible, even if that 3rd party hands it over to a 4th party etc. up to infinity, it doesn't matter whichever party is responsible for any abuse, it's the second party on the hook.

      The sole exception would be access required by law of the jurisdiction where I live. CLOUD Act? If I don't live in the US the 2nd party is on the hook.

      International agreements? The 2nd party is on the hook.

      If the 2nd party wants to use a 3rd party they need to come to a judgement about that party's reliability and exposure because they're going to be liable for the 3rd party's failures.

      1. SCP

        Re: It's always from The World to The USA

        Surely that is the case as it stands now - the 2nd party is on the hook for data breaches anyway; and it can already be quite tricky to remain compliant (e.g. The Reg).

        The imbalance between UK/EU and US information exchange rules is AIUI largely down the the US having lax rules cf UK/EU and these International Treaties are to try and put enforceable agreements in place to better support the global nature of things like internet based businesses.

        I do not like the idea of some types of personal data (e.g. health) moving outside my local jurisdiction, and I want it protected from unwarranted sharing/use even within that jurisdiction. Given the imbalance between the underlying UK/EU and US consideration of personal data I am more distrustful of moving data to US.

        IMO the two biggest risks seem to be the 2nd party directly misusing data (e.g. selling it [or somederivative of it] on), or data breaches from external threats. Using 3rd parties is a two-edged sword; done right the 2nd party can use use a business that is able to provide the expertise necessary to adequately protect data; done wrong it is just another possible point of failure.

        1. heyrick Silver badge

          Re: It's always from The World to The USA

          The place I work is outsourcing all sorts of HR stuff to third parties. Third parties that talk big about respecting the GDPR, then do dumb shit like have a friendly "employee list" that hands out everybody's personal email address (I didn't report that to CNIL as the place I work would have been responsible, but I dropped the report in the lap of the workers committee, by emailing a screenshot to the head of the committee's personal mailbox...we no longer use that company). But, still, stuff is outsourced. Right now they're launching a fancy internal social network (think Facebook Lite for employees) and I have zero interest, but I bet this outfit has a dump of my PII anyway "just in case". Grrr!

          According to the GDPR, an employer is entitled to share with whoever the hell as they deem necessary for the purposes of managing the business.

    2. Anonymous Coward
      Anonymous Coward

      Re: It's always from The World to The USA


      The likes of Google, MS and Amazon will collect all the data that they can on each and everyone of us and ship it back to the USA even if it is illegal. These companies are bigger than some countries and are relatively immune from action against them. Any fines will be less that 1days' profit so that is just the cost of doing business.

      What I'd like to see is a few million people demand that the 'usual suspects' produce all the data that they have on the person making the request. That would inconvenience them more than a few pesky fines.

  2. elsergiovolador Silver badge

    Hokey Cokey

    You put your data in, you pull your data out,

    In, out, in, out, it's what it's all about.

    You do the Data Bridge-y and you turn around,

    That's what it's all about.

    Woah-oh, the Data Bridge-y

    Woah-oh, the Data Bridge-y

    Woah-oh, the Data Bridge-y

    Regs unclear, fines mere, ra, ra, ra

    You send your GDPR in, US gives a pout,

    In, out, in, out, privacy's thrown about.

    You do the Data Bridge-y, it's pointless, no doubt,

    Is this what it’s all about?

    Woah-oh, the Data Joke-y

    Woah-oh, the Data Joke-y

    Woah-oh, the Data Joke-y

    Rights dismissed, what a twist, ha, ha, ha

    You think you have rights, but they've sold you short,

    In, out, in, out, it's a corporate sport.

    You do the Data Bridge-y, and give a skeptical snort,

    Seems fines are just a resort.

    Woah-oh, the Data Sham-y

    Woah-oh, the Data Sham-y

    Woah-oh, the Data Sham-y

    All for show, this we know, ha, ha, ha

  3. t245t
    Big Brother

    "You have zero privacy anyway, get over it."

    "You have zero privacy anyway, get over it."

  4. Strahd Ivarius Silver badge

    A small loophole...

    In order for UK data exporters to be able to rely on the Data Bridge, the US importer must have self-certified to the DPF and the Data Bridge.

    So all US companies can use the Data Brige?

    1. heyrick Silver badge

      Re: A small loophole...

      So, essentially then, it's a worthless subterfuge?

      1. Nick Ryan Silver badge

        Re: A small loophole...

        Yes, the same as all of the previous agreements were. There is no equivalent to the ICO in the US, there is no data protection in state law, particularly if one is a non-US citizen. The only recourse is legal action in a US court, which as a non-US citizen is pretty much guaranteed to go nowhere other than very expensive very fast.

        1. Nick Ryan Silver badge

          Re: A small loophole...

          *federal law, not state law. That's what I meant to write but for most countries the state is the same, but in the US it's often seen differently.

    2. alain williams Silver badge

      Re: A small loophole...

      And when said company goes bust its assets get sold to the highest bidder. That includes your PI - the purchaser will then do what it wants with it - there is nothing in law to constrain it.

  5. Mike 137 Silver badge

    A giant fly filling the ointment jar

    I entirely agree with the reservations stated by James Castro-Edwards, but there's an even bigger problem -- indeed an overriding one that potentially invalidates the entire ostensible purpose. The Data Privacy Framework List is maintained in the US, and it's not apparent that there will be any scrutiny from the UK side on signatories thereto. So it will be yet another instance of notional 'trust' imposed on these required to acquiesce without the option. Real trust, earned as a result of demonstration or investigation of trustworthiness and maintained by scrutiny, is out the window.

    The net result of this (rushed and one page) piece of legislation is to utterly eliminate any real protection UK data subjects might have had from the data snooping behemoths across the pond, as 'compliance' will be assumed as a result of their having signed up to the list, instead of processing being constrained by specific, even if only contractual, obligations.

    Oddly enough, these behemoths are the very parties that have featured most publicly in actions by data protection regulators in Europe and even here in the UK. But maybe there's a sliver lining to the cloud -- I guess the ICO might have some free time now to deal with the multifarious abuses of personal data by smaller organisations. Don't hold your breath though...

  6. Anonymous Coward
    Anonymous Coward

    Schrems III looks inevitable

    Apparently EU-US Data Privacy Framework (DPF) is roughly the same as the last version which Max Schrems struck down - so Schrems III is on the cards (Schrems/NOYB webpage =

    Also, you can't use Standard Contractual Clauses (SCCs) when doing EU to US, as that was struck down as part of Schrems II.

    Ho hum.

    1. Pascal Monett Silver badge

      Re: Schrems III looks inevitable

      Unfortunately not. Mr. Schrems looks out for EU privacy violations.

      You have regained control. Schrems is not going to save UK privacy.

      1. DS999 Silver badge

        Re: Schrems III looks inevitable

        I'm sure there is some UK rabble rouser who will fill his role.

        The powers that be will continue to ignore them both. Schrems will get something struck down, minor changes will be made so it is a "new agreement" and business carries on pretty much as before while Schrems' new complaint winds its way through the bureaucracy. Lather, rinse, repeat.

  7. Anonymous Coward
    Anonymous Coward

    All Your Datum Are Belong To Us

    Ha ha ha ha ....

  8. Usermane

    Another benefit of the Brexit?

    1. Roj Blake Silver badge

      Damn those unelected eurocrats for forcing privacy on us along with their funny bananas and red passports.

      Now we can finally enjoy the freedom to have anyone who wants to, do anything they want with our data.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like