International: DSIT announces UK-US Data Bridge effective October 12, 2023
On September 21, 2023, the Department of Science, Innovation and Technology (DSIT) published the Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge). In particular, the UK-US Data Bridge provides that for the purposes of Part 2 of the Data Protection Act 2018 (the Act) and the UK General Data Protection Regulation (UK GDPR), the Secretary of State designates the United States of America as ensuring an adequate level of personal data protection for data transfers that meet the following criteria:
- the transfer is to a person in the United States of America listed as participating in the UK Extension to the EU-US Data Privacy Framework (EU-US DPF); and
- the transfer will be subject to the EU-US DPF Principles upon receipt by the recipient.
Starting from October 12, 2023, businesses in the UK can transfer personal data to US organizations certified under the UK Extension to the EU-US DPF without the additional safeguards that would otherwise be required under Articles 46 and 49 of the UK GDPR. However, the UK Government highlighted that UK organizations should be mindful of the need to update privacy policies and document their own processing activities as necessary to reflect any changes in how they transfer personal data to the US.
Independent supervisory authorities
The independent supervisory authorities for the UK Extension to the EU-US DPF are the United States Federal Trade Commission (FTC) and the United States Department of Transportation (DoT), administered by the Department of Commerce (DoC).
Types of organizations included and excluded under the DPF
Notably, UK organizations cannot freely transfer personal data to any US data importer/recipient. To facilitate data flow, the recipient must be certified under the UK Extension and listed on the DPF List. Only US organizations under the jurisdiction of the FTC or the DoT are currently eligible to participate in the DPF program. Other US organizations, such as those in banking, insurance, and telecommunications, cannot participate at this time.
Categories of data excluded from transfer under the DPF
Data defined as journalistic under Supplemental Principle 2(b) of the DPF is exempt from the EU-US DPF requirements and cannot be transferred under the UK-US Data Bridge.
Should special category or sensitive data be shared under the UK-US Data Bridge?
Regarding the sharing of special category or sensitive data under the UK-US Data Bridge, the Choice principle under the DPF does not mirror the definition of special category data in Article 9(1) of the UK GDPR, as it does not include genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning sexual orientation. However, organizations under the DPF are required to treat information received as sensitive if it is identified and treated as such by the third parties sharing the information. UK organizations must therefore correctly identify and label special category data and sensitive data when sharing it with US organizations under the DPF.