On the heels of the EU-US Data Privacy Framework (DPF), another bridge has been built across the Atlantic to streamline data transfers between businesses.

In July, the European Commission adopted its much-anticipated adequacy decision for the EU-US DPF. On September 21, 2023, the UK and US governments announced that they have established a “UK Extension” to the DPF.^[1]

The UK Extension will allow organizations in the UK to transfer personal data to US businesses that have certified to the UK Extension, without the need for additional safeguards, such as International Data Transfer Agreements (IDTAs). The UK Extension—also referred to as the “Data Bridge”—will take effect on October 12, 2023.^[2]

As with the DPF, US organizations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation may certify to the UK Extension. In order to implement it, both UK and US organizations must take certain measures, such as updating their privacy policies and adopting redress mechanisms for data subjects. As an addition to the DPF, the UK Extension cannot be entered into separately from the DPF; therefore, organizations that wish to participate in the UK Extension must also participate in the EU-US DPF and comply with its principles.^[3]

The US Department of Commerce will administer the UK Extension, alongside the DPF. US organizations that are certified under the DPF can extend their certification to cover data from the UK by selecting the option to add the UK Extension through their online DPF account.

The UK government has published a series of supporting documents for the UK Extension, which includes an explainer, a fact sheet, and a detailed analysis of relevant US privacy safeguards.^[4] The UK Extension announcement comes after the US designated the UK as a “qualifying state” under Executive Order 14086.^[5] This designation gives UK individuals whose personal data is transferred to the US (under any transfer mechanism) access to newly established redress mechanisms in the US.^[6]

As a reminder, the DPF was designed to address the perceived gaps in US surveillance law, which were viewed as undercutting data protection rights for individuals. The UK has now found that UK data subjects receive adequate protection (i.e., protection comparable to what they receive in the UK) when their data is transferred to the US pursuant to the UK Extension.^[7]

Organizations that do not certify to the DPF and UK Extension may still use other transfer mechanisms, such as IDTAs or binding corporate rules. Although UK organizations will no longer need to perform Data Transfer Impact Assessments (DTIAs) when transferring data to the US on the basis of the UK Extension, the UK government has not indicated whether UK businesses that transfer data to the US via other mechanisms still must conduct DTIAs. Until guidance is clearer, it is prudent for organizations to continue to prepare short DTIAs, taking into account the UK’s findings about data protection in the US.

The EU-US DPF has already begun facing legal challenges,^[8] which could affect the ongoing validity of the UK Extension. The UK data regulator, and the Information Commissioner’s Office, gave only “qualified assurance” to the UK Extension, noting specific areas, such as the fact that the UK Extension does not contain a “substantially similar right” to the UK’s “right to be forgotten,” that could still pose some risks to UK data subjects if certain protections are not properly applied.^[9] Even with those considerations, the UK Extension procedures for transferring data between the US and the UK offer businesses a simplified method for cross-border data transfers.

Footnotes

[1] Notice, Department for Science, Innovation and Technology, UK-US data bridge: explainer (Sept. 21, 2023), https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer.

[2] Id.

[3] Id.

[4] Notice, Department for Science, Innovation and Technology, UK-US data bridge: supporting documents (Sept. 21, 2023), https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents.

[5] Office of the Attorney General, Designation Pursuant to Section 3(f) of Executive Order 14086 (Sept. 18, 2023), https://www.justice.gov/d9/2023-09/Attorney%20General%20Designation%20of%20the%20United%20Kingdom%20as%20a%20Qualifying%20State.pdf.

[6] Office of the Director of National Intelligence, Intelligence Community Directive 126 – Implementation Procedures for the Signals Intelligence Redress Mechanism under Executive Order 14086, https://www.dni.gov/index.php/who-we-are/organizations/clpt/clpt-related-menus/clpt-related-links/signals-intelligence-redress-mechanism-icd-126.

[7] The Data Protection (Adequacy) (United States of America) Regulations 2023, 2023 No. 1028, https://www.legislation.gov.uk/uksi/2023/1028/regulation/3/made.

[8] Laura Kayali, French lawmaker challenges transatlantic data deal before EU court, Politico (Sept. 7, 2023), https://www.politico.eu/article/french-lawmaker-challenges-transatlantic-data-deal-before-eu-court/?utm_medium=social&utm_source=Twitter.

[9] Information Commissioner’s Office, The UK Government’s assessment of adequacy for the UK Extension to the EU-US Data Privacy Framework for the general processing of personal data, https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/09/opinion-on-uk-government-s-assessment-of-adequacy-for-the-uk-extension-to-the-eu-us-data-privacy-framework/.

[View source.]