The UK government has published its “adequacy decision” to allow transfers of personal data from the UK to U.S. businesses that have completed certification to the EU-U.S. Data Privacy Framework (DPF). The UK’s adequacy decision creates a “UK Extension” to the DPF that takes effect on October 12, 2023, a little more than three months after the EU’s adoption of the DPF. (Please see our DPF FAQs for more information about the DPF.)
What are the benefits of the UK Extension?
Transfers of personal data to the U.S. from the UK that are subject to the UK Extension will not require a transfer risk assessment (TRA) or additional measures, such as the use of the UK Addendum to the EU Standard Contractual Clauses (SCCs) or the free-standing UK International Data Transfer Agreement. A personal data transfer to a DPF-certified business is considered to provide individuals in the UK with a level of data protection that is “essentially equivalent” to that provided by the General Data Protection Regulation (GDPR) and UK GDPR.
A key element in the UK government’s adequacy decision was confirmation by the U.S. government that the UK is a ‘qualifying state’ under Executive Order 14086 (EO 14086). EO 14086 allows UK individuals whose personal data was transferred to the U.S. under any transfer mechanism (i.e., including those set out under UK GDPR Articles 46 and 49) to have access to the newly established DPF redress mechanisms if they believe that their personal data was unlawfully accessed by U.S. authorities for national security purposes. (EO 14086 is described in more detail here.)
What do UK organizations need to do to rely on the UK Extension?
The DPF and UK Extension apply to a personal data transfer if, and only if, the receiving organization is on the DPF List maintained by the U.S. Department of Commerce’s International Trade Administration (ITA).
DPF-certified businesses must renew their certifications annually. A DPF-certified business can voluntarily withdraw from the DPF, and the ITA can remove a business for non-compliance with DPF obligations. Accordingly, before relying on the DPF for transferring personal data, a UK organization should ensure the receiving U.S. business is an active DPF participant by checking here. UK organizations must also re-check the DPF List regularly when undertaking ongoing or recurring personal data transfers.
What documentation is required for a UK organization relying on DPF for personal data transfers?
The UK adequacy decision (like its EU counterpart) relates only to the requirements of Chapter V of the UK GDPR and so removes only the need for “appropriate safeguards” such as SCCs and for TRAs. It does not remove the need to comply with other parts of UK GDPR.
In particular, the adequacy decision does not remove the need for a contract between a UK data controller and its processor in the United States, or for a contract between a UK processor and its sub-processor in the United States. Consequently, when personal data is transferred to the U.S. for the purpose of processing (rather than on a controller-to-controller basis), a contract compliant with UK GDPR Article 28 is still required.
Does DPF help with transfers to a U.S. organization that is not DPF certified?
While the DPF Principles are enforceable only against U.S. businesses that have certified to the DPF, EO 14086 (together with the U.S. Attorney General’s Order No. 5517-2022 establishing the Data Protection Review Court) applies to all personal data transfers to the U.S. Consequently, key assurances and redress mechanisms apply to UK individuals even when their personal data are transferred to an organization in the U.S. that is not DPF-certified.
One practical benefit that flows from the general application of EO 14086 and the Attorney General’s Order is that, while a TRA is still required when a transfer is made to a non-DPF organization, the “country risk” part of that assessment is now much easier than it was previously. A TRA carried out before transferring personal data to a non-DPF organization in the United States can now (from a UK perspective) note that the UK government considers that U.S. government measures provide sufficient protection and routes to redress in relation to U.S. government digital surveillance activities.
Is DPF or the UK Extension vulnerable to legal challenge?
The EU-U.S. DPF was negotiated and put in place as an act of political will following the decisions of the European Court to strike down its predecessors (i.e., Safe Harbor and Privacy Shield) as “adequate” transfer mechanisms. Immediately after formal adoption of the DPF by the European Commission in July 2023, privacy campaigners announced their intention to launch fresh challenges, arguing that the DPF has essentially the same structural problems as the previous arrangements. More recently, a member of the French legislature announced his intention (in a personal capacity) to make an application under Article 263 of the Treaty on the Functioning of the European Union, which allows EU private citizens to seek the annulment of actions or decisions taken by EU institutions.
The UK adequacy decision is also under scrutiny. The UK Regulatory Policy Committee (RPC) considered that the government’s initial impact assessment in support of the adequacy decision was “not sufficiently robust” and that the issues raised “generate a red-rated opinion, if not addressed adequately”. The RPC has resumed its scrutiny and is due to provide a published opinion to assist both the government and Parliament. If that opinion were also to identify a “red rating”, the UK adequacy decision could be reversed by a negative resolution in Parliament, although that is unlikely. The ICO has also published a statement broadly welcoming the adequacy decision, but indicating concerns about specific points:
- The DPF definition of “sensitive data” does not specify all of the categories listed in UK GDPR. Instead, it includes a catch-all provision referring to “any other information received from a third party that is identified and treated by that party as sensitive”. The ICO is concerned that this could result, in practice, in diminished protection for biometric, genetic, sexual orientation and criminal offense data unless they are specifically identified and treated as “sensitive data” when transferred under DPF. The UK government proposes to address this issue by means of guidance to UK data exporters;
- The lack of provisions within DPF to provide protection in relation to criminal offense data equivalent to that under the UK Rehabilitation of Offenders Act 1974;
- The absence from DPF of any provision conferring a right (similar to that under UK GDPR) not to be subject to decisions based solely on automated processing that would produce legal or similarly significant effects on the individual;
- The lack of a right substantially similar to the UK GDPR right to be forgotten; and
- The absence of an unconditional right to withdraw consent.
The ICO’s current position is that the UK government’s adequacy decision in favour of DPF is “reasonable”, but it has called for close and ongoing monitoring to ensure that appropriate levels of protection are maintained in practice.
Despite those challenges and ongoing scrutiny, the case for DPF certification remains strong. DPF certification materially assists the flow of personal data to the U.S. from the UK and EEA (and prospectively Switzerland) and also reduces the compliance burden on data exporters and the commercial complexities that U.S. businesses have faced since 2020. Businesses may, however, wish to consider fall-back “appropriate safeguards” if the DPF does not survive legal challenges.
We are updating our DPF FAQs to reflect the adequacy decision for the UK Extension, and adding some new FAQs.