Building Bridges – Q&A About the UK’s Extension to the EU-U.S. Data Privacy Framework
It’s been two and a half months since the EU’s adequacy decision regarding the EU-U.S. Data Privacy Framework (DPF) entered into force. While we are already seeing challenges to the DPF in the EU, the confirmation that the UK’s “data bridge” or adequacy decision in respect of the DPF has been finalized will be welcome news to UK, U.S., and global businesses that routinely engage in cross-border data transfers.
From October 12, 2023, organizations subject to the UK GDPR may now rely on the DPF for cross-border transfers of personal information to DPF-certified companies without implementing other transfer mechanisms like the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (“UK Addendum”), or Binding Corporate Rules (BCRs).
The UK government has also confirmed that – like the EU – its adequacy decision will also benefit personal information transferred to the United States under other transfer mechanisms, as companies can now onboard the decision into their transfer risk assessments.
Read our Q&A to find out more about some of the key aspects and implications of the UK DPF extension:
1. When can UK companies start relying on the DPF?
The UK’s regulations giving effect to the DPF come into force on October 12, 2023. From this date, the DPF can be used instead of the IDTA, the UK Addendum or BCRs for transfers to DPF-certified companies that have opted in to the UK DPF extension.
2. How do U.S. companies opt in to the UK extension to the DPF?
Eligible U.S. companies have been able to certify under the UK DPF extension since July 17, 2023. The UK DPF extension is only available to companies that are part of the DPF (so a company must participate in the EU-U.S. DPF to partake in the UK DPF extension).
3. How does the UK DPF extension affect other data transfer mechanisms?
While participation in the DPF is limited to U.S. companies subject to the investigatory and enforcement powers of the Federal Trade Commission and the U.S. Department of Transportation, other transfer mechanisms under UK law will continue to be valid for data transfers to the United States.
Both the U.S. and UK governments have stated that the DPF will be relevant to all transfers of personal information, regardless of the transfer tool used.
This means that the protections afforded by Executive Order (EO) 14086 (which limits U.S. surveillance activities to what is necessary and proportionate and establishes the Data Protection Review Court as a means of redress) will also apply to transfers made on the basis of the IDTA, UK Addendum, or BCRs. As the United States designated the UK as a qualifying state for the purposes of EO 14086 on September 18, 2023, these protections are already in place for UK personal information transferred to U.S. companies.
The Information Commissioner’s Office (ICO) requires that companies subject to the UK GDPR complete a transfer risk assessment when relying on the UK IDTA, UK Addendum or BCRs to transfer personal information to a non-adequate country. Following that assessment, the company must determine whether mitigation measures are required to reduce the risk of the proposed transfer. Following the UK DPF extension, when transferring personal information to a U.S. company that is not certified under the DPF, the company will also be able to take into account the commitments made by the United States under EO 14086 and the UK government’s assessment of these commitments.
When transferring personal information to a DPF-certified company, transfer risk assessments or mitigation measures are not required. This position aligns with the EU approach, according to the European Data Protection Board’s opinion following the DPF.
4. What additional considerations are there for transferring sensitive and criminal information when using the DPF?
The definition of “sensitive information” in the UK DPF extension does not specify all of the types of information in the UK GDPR which are subject to additional requirements (it omits genetic and biometric information, as well as information about an individual’s sexual orientation and criminal offense information). However, the definition does include “any other information received from a third party that is identified and treated by that party as sensitive.” The ICO and the UK government have stated that organizations will need to identify such information as sensitive when sending it to DPF-certified organizations.
In its opinion published after the UK DPF extension was finalized, the ICO also raised a concern that the protections set out in the UK Rehabilitation of Offenders Act 1974 (which limit the use of information relating to historic criminal convictions) are not provided for in the DPF. UK companies transferring such information to the United States should ensure that limitations are placed on the use and retention of such information in a manner that complies with UK law.
5. Are there risks to relying on the UK DPF extension?
The UK government is required to review the UK DPF extension every four years from the date it entered into force. Independently of that review cycle, if it becomes aware of a significant change in the level of data protection provided under the DPF, it must amend or revoke its adequacy decision as necessary.
The DPF is already under challenge in the EU, as an individual in France has brought an action before the General Court of the European Union for annulment and immediate suspension against the DPF (on the basis that the DPF violates the EU Charter of Fundamental Rights). The EU Charter of Fundamental Rights no longer applies under UK law and the adequacy finding from the UK will not be directly affected by any such challenge.
6. Will the UK be creating more “data bridges”?
The UK government has indicated its intention of doing so. Following the UK DPF extension, the EU and the UK now recognize the same countries as adequate. The UK government has also published a list of priority destinations to recognize as adequate, which, in addition to the United States, includes Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya and Singapore.
The UK’s new data protection bill, which is still making its way through the UK legislative process, proposes to change the test under which the UK government can recognize a country as adequate from “essentially equivalent” to “not materially lower” data protection standards. This suggests that the UK may seek to recognize more countries as adequate through additional data bridges.
7. What about the EU’s adequacy decision for the UK?
Data transfers from the EU to the UK are currently covered by the adequacy decision granted by the European Commission in 2021. The European Commission’s adequacy decision contains a sunset clause, which means that it will expire on June 27, 2025, if it is not renewed. To date, the UK government has maintained that the proposed reforms to its data protection laws will not affect its adequacy status.
We are grateful to Lewis Ball, trainee solicitor, for his contribution to this alert.