The UK’s Department of Science, Innovation and Technology (DSIT) recently announced that as from 12th October 2023, new UK legislation, namely the Data Protection (Adequacy) (United States of America) Regulations 2023 (SI 2023/1028) will allow businesses in the UK to transfer personal data to US organisations certified to the “UK Extension to the EU-US Data Privacy Framework” (UK Extension).
The EU-U.S. Data Privacy Framework (DPF) was adopted by the European Commission on 10th July 2023. It is a bespoke, opt-in certification scheme for US organisations, enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce (DoC).
The DPF replaces the previous data transfer mechanism known as ‘Privacy Shield’.
The effect of the UK Extension (also known as the “UK-US Data Bridge”), will be that a transfer of personal data from the UK to an entity in the US, which has self-certified to DPF requirements, and agreed to abide by its principles, will be deemed to offer an adequate level of protection for processing personal data in accordance with Article 45(1) UK GDPR.
The DPF and UK Extension will allow UK organisations to transfer personal data more easily to US organisations i.e. clients, partners and service providers.
The DPF and UK Extension enables EU and UK based organisations to send personal data to organisations based in the US, provided those organisations have certified their compliance with the DPF controls and data transfer principles.
Organisations transferring personal data to the US using the DPF and UK extension are no longer required to apply ‘appropriate safeguards’ as defined in Article 46 of the GDPR (EU and UK versions). For instance, binding corporate rules (BCR), EU Standard Contractual Clauses (SCC) (2021 version) or International Data Transfer Agreements (ITDA). Additionally, there is no requirement for UK organisations to conduct a Transfer Risk Assessment (TRA) for transfers of personal data to the US.
The UK Regulator’s views on using the DPF and UK Extension can be found here.
US organisations previously registered under ‘Privacy Shield’ can use the DPF. A list of certified US organisations (the ‘DPF List’) can be found at DPF Participant List
US organisations that are DPF certified can opt-in to receiving data from the UK.
Only organisations on the ‘DPF List’ can receive data through a UK-US Data Bridge.
US companies must show the frameworks being used in their privacy policies.
It is expected that Big Tech platforms in the US will use the DPF and UK Extension.
The DPF includes a set of enforceable principles and requirements that must be certified to, and complied with, in order for organisations to be able to join the DPF.
These principles take the form of commitments to data protection and govern how an organisation uses, collects and discloses personal data. US organisations are to:
- provide notices to individuals
- give individuals access to their personal data
- provide opt-outs from new data processing or data sharing
- ensure accountability for onward transfers
- maintain the security of personal data
- limit information to what is relevant for the purposes of processing
US organisations must self-certify acceptance of, and adherence to the principles.
Enforcement of the principles can be exercised through the EU/UK supervisory authorities, independent recourse mechanisms and the US legal system.
UK organisations transferring personal data to the US should:
- Confirm whether new partner organisations are certified to use the DPF and UK Extension: if not, consider what other ‘appropriate safeguard’ to apply
- Determine whether existing US suppliers are certified to use the DPF and UK Extension: if so, consider future contract renewal arrangements
- Record the correct transfer mechanisms in Records of Processing Activities
- Update privacy notices with the mechanism being applied for data transfers to the US i.e. DPF and UK Extension or other ‘appropriate safeguard’
- Update policies and procedures as appropriate or necessary.
Further information can be found here:
- Data Protection (Adequacy) (United States of America) Regulations 2023
- Explanatory Memorandum
- UK-US data bridge: supporting documents
- UK-US data bridge: factsheet for UK organisations
- Analysis of the UK Extension to the EU-US Data Privacy Framework
The DPF and UK Extension will allow UK organisations to transfer personal data more easily to US organisations using the UK-US Data Bridge, thereby reducing administrative overheads and costs.