Following the European Commission’s adequacy decision for the EU-US Data Privacy Framework (DPF), the UK Government has announced that from 12 October 2023, organisations in the UK can transfer personal data to US organisations certified to the “UK Extension to the EU-US Data Privacy Framework” (“UK Extension”) without the need for additional data protection safeguards.
This follows the designation of the UK as a ‘qualifying state’ under US Executive Order 14086, which provides UK individuals with rights in relation to personal data that has been transferred to the US, including access to the newly established redress mechanism. The UK Secretary of State for Science, Innovation, and Technology has stated that the “designation by the US of the UK was an important factor that led to the data bridge assessment being successful, providing increased safeguards and redress mechanisms for UK individuals”.
In order to rely on the UK Extension, UK organisations will need to ensure that the relevant recipient in the US is certified to the UK Extension and appears on the DPF List. Any US organisation that is subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) may certify under the DPF. Organisations that are ineligible, or that prefer not to rely on the UK Extension, will still need to use standard contractual clauses (SCCs), binding corporate rules (BCRs) or another transfer mechanism, and carry out transfer impact assessments (TIAs).
Following the UK Government’s announcement in relation to the UK Extension, the UK Information Commissioner’s Office (ICO) has published an opinion stating that, “while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and to lay regulations to that effect, there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied”. These are:
- The definition of ‘sensitive information’ under the UK Extension does not specify all the categories listed in Article 9 of the UK GDPR. The ICO concludes that this “creates a risk that the protections may not be applied in practice”.
- There is a lack of clarity as to how the specific protections afforded to criminal offence data (i.e. limits on the use of data relating to criminal convictions once those convictions have become ‘spent’) would apply after the information has been transferred to the US.
- The UK Extension does not contain a right, substantially similar to the safeguards in the UK GDPR, protecting individuals from being subject to decisions based solely on automated processing. In particular, the UK Extension does not provide for the right to obtain a review of an automated decision by a human.
- The UK Extension contains neither a right substantially similar to the UK GDPR’s right to be forgotten nor an unconditional right to withdraw consent.
The ICO concludes that “the Secretary of State should monitor these areas closely to ensure UK data subjects are afforded substantially similar protection in practice and their rights are not undermined”.
The EU-US DPF is expected to be contested: Max Schrems’ privacy organisation, NOYB, which led the previous legal challenges to both Privacy Shield and Safe Harbor, has already announced that it will also challenge the DPF. It is therefore likely that similar challenges will be made in the UK in relation to the UK Extension. As the European Court of Justice no longer has jurisdiction in the UK, the approach of the UK courts to any such challenge remains uncertain.
- For DPF-eligible organisations, the UK Extension will streamline the compliance burden, enabling the flow of data from the UK to the US without the need to conclude SCCs and complete TIAs.
- US organisations that wish to benefit from the UK Extension will need to be certified to the UK Extension and appear on the DPF List. This should be a straightforward process for organisations that are already DPF certified.
- For organisations that are ineligible to certify under the DPF (i.e. not subject to FTC or DOT jurisdiction), SCCs and BCRs will likely remain the default transfer mechanisms. As they are not covered by the DPF, such organisations will still need to conduct TIAs, although the changes to US surveillance laws under the Executive Order should simplify the TIA process.
- The UK Department for Science, Innovation, and Technology (DSIT) will monitor the DPF to ensure that it functions as intended, as part of DSIT’s requirement to monitor data bridges.
- There remains a residual risk that transfers to the US under the UK Extension are subject to legal challenge. This should be managed with care, and appropriate contingency plans (for example, readiness to fall back on SCCs or BCRs) adopted.