
International: UK-US Data Bridge, an extension to the EU-US DPF

On September 21, 2023, the Department of Science, Innovation and Technology (DSIT) published the Data Protection (Adequacy) (United States of America) Regulations 2023 (UK-US Data Bridge) for the UK Extension to the EU-US Data Privacy Framework (UK Extension). In particular, the UK-US Data Bridge provides that for the purposes of Part 2 of the Data Protection Act 2018 (the Act) and the UK General Data Protection Regulation (Regulation (EU) 2016/679) (UK GDPR), the Secretary of State designates the US as ensuring an adequate level of personal data protection for data transfers that meet the following criteria:

  • the transfer is to a person in the US listed as participating in the UK Extension to the EU-US Data Privacy Framework (EU-US DPF); and
  • the transfer will be subject to the EU-US DPF Principles upon receipt by the recipient.

Background

The DPF was set up and is administered by the US Department of Commerce (DoC). It consists of the Principles, the Supplemental Principles, and Annex I to the Principles (together, the DPF Principles), which provide protections for personal data transferred from the EU to certified US organizations. The DPF is a voluntary self-certification framework that US organizations may choose to join; to self-certify, an eligible US organization must agree to comply with the DPF Principles and make a public commitment to do so in a published privacy policy. The DPF Principles take the form of data protection requirements governing how an organization collects, processes, and discloses personal data. Please refer to our Insight Article on the EU-US DPF, International: Commission adopts adequacy decision on EU-US DPF - what you need to know, for further information on the DPF Principles.

UK-US Data Bridge

The DoC has agreed to extend the DPF, and the protections that exist under it, to personal data transferred from the UK to certified US organizations, under the UK extension. Organizations may elect to utilize the DPF where they are acting as processors for UK organizations or where they have a controller-controller transfer relationship with a UK organization. Organizations in the US that have successfully self-certified to the DPF are included on the Data Privacy Framework List (DPF List) on the Data Privacy Framework website (DPF Website) and may also elect to be certified under the UK Extension by making additional UK-specific commitments within their public commitments and indicating on their self-certification to the DoC that they are electing to participate in the UK Extension.

Effective date

Starting from October 12, 2023, businesses in the UK can transfer personal data to US organizations certified under the UK Extension to the EU-US DPF without the additional safeguards that Articles 46 and 49 of the UK GDPR would otherwise require. However, the UK Government highlighted that UK organizations should be mindful of the need to update their privacy policies and document their own processing activities as necessary to reflect any changes in how they transfer personal data to the US.

Scope

As outlined above, the UK-US Data Bridge designated the US as ensuring an adequate level of personal data protection for data transfers that meet the following criteria:

  • the transfer is to a person in the United States of America listed as participating in the UK Extension to the EU-US DPF; and
  • the transfer will be subject to the EU-US DPF Principles upon receipt by the recipient.

Types of organizations included and excluded under the DPF

Notably, UK organizations cannot freely transfer personal data to any US data importer/recipient. To facilitate data flow, the recipient must be certified under the UK Extension and listed on the DPF List. Only US organizations under the jurisdiction of the FTC or the DoT are currently eligible to participate in the DPF program. Other US organizations, such as those in banking, insurance, and telecommunications cannot participate at this time.

In addition, the Analysis of the UK Extension to the EU-US Data Privacy Framework (the Analysis) notes that, with respect to DPF applicability, the DPF does not distinguish between certified US organizations acting as controllers and those acting as processors for UK organizations. All certified US organizations are subject to the DPF Principles and requirements. In terms of onward transfers, a distinction is made between transfers from a certified US organization to other parties acting as 'controllers' (a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data) and those to other parties acting as 'agents' (who perform tasks on behalf of and under the instructions of the organization).

Categories of data excluded from transfer under the DPF

Data defined as journalistic under Supplemental Principle 2(b) of the DPF is exempt from the EU-US DPF requirements and cannot be transferred under the UK-US Data Bridge.

Should special category or sensitive data be shared under the UK-US Data Bridge?

Regarding the sharing of special category or sensitive data under the UK-US Data Bridge, the Choice 2(c) Principle under the DPF (Choice Principle) does not mirror the definition of special category data in Article 9(1) of the UK GDPR, as it does not include genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning sexual orientation. However, the UK-US Data Bridge: factsheet for UK organizations (the Fact Sheet) highlights that organizations under the DPF are required to treat information received as sensitive if the third parties sharing it identify and treat it as such. UK organizations must therefore correctly identify and label special category data and sensitive data when sharing it with US organizations under the DPF. The Analysis further clarifies that, if UK organizations sending information to certified US organizations have highlighted specific personal data as sensitive, the certified US organizations will be required to treat it as such, as it will be covered by the 'sensitive data' requirements of the DPF.

In addition, the Analysis notes that Supplemental Principle 10 under the DPF (Supplemental Principle) would apply where onward transfers from certified US organizations to other processors and controllers are concerned. In this context, contracts between controllers and processors are required to provide the same level of protection as provided under the DPF. Furthermore, the Analysis recognizes that risks may not be fully mitigated in fringe scenarios under Supplemental Principle 10(a)(ii)(3), which specifies that contracts put in place between controllers and processors serve to ensure that the processor takes into account the nature of the processing, including whether the data is sensitive. However, the Analysis confirms that DSIT will continue to monitor how such transfers take place and whether risks to data subjects become apparent.

Criminal offenses data and HR

In relation to criminal offenses data, where such data is to be shared under the UK-US Data Bridge as part of a human resources (HR) data relationship, US recipient organizations are required to indicate that they are seeking to receive such data under the DPF.

HR data transferred under the DPF is subject to the requirements set out in Supplemental Principle 9. For a certified US organization to receive HR data under the DPF, the Analysis confirms that it must notify the DoC of its intention to receive such data when self-certifying, and, to ensure that UK laws and requirements concerning the handling and use of HR data are maintained, certified US organizations must agree to cooperate with UK regulators where enforcement or redress is necessary pursuant to Supplemental Principle 9(d). In addition, the Analysis notes that DSIT considered that reliance on Supplemental Principle 9(e)(i) for employment-related purposes on a small scale does not pose a considerable risk to UK data subjects, especially taking into account that certified US organizations are still required to comply with the Notice and Choice Principles.

Furthermore, criminal offense data may also be shared outside of an HR relationship. Importantly, however, when sharing criminal offense data, the UK organization should indicate to the US recipient organization that it is sensitive data requiring additional protections, in line with the protections for special category or sensitive data set out in the question above.

Independent supervisory authorities

The independent supervisory authorities for the UK Extension to the EU-US DPF are the United States Federal Trade Commission (FTC) and the United States Department of Transportation (DoT), administered by the DoC.

Specifically, the Analysis clarifies that the FTC's legislative authority stems from Section 5 of the Federal Trade Commission Act (the FTC Act), which allows the FTC to investigate and take action against businesses for 'unfair or deceptive acts or practices that affect consumers.' Certified US organizations that fail to uphold their publicly stated commitments to follow the DPF Principles are open to enforcement under Section 5 of the FTC Act. However, the Analysis notes that, in recognition of the Recourse, Enforcement, and Liability Principle of the DPF, the FTC will give priority consideration to referrals of non-compliance with the DPF Principles from the DoC and national data protection authorities.

The DoC, though it does not provide a redress mechanism for individuals under the DPF, does have the ability to remove certified US organizations from the DPF for persistent failure to comply with the DPF Principles. The requirements for 'persistent failure' are set out under Supplemental Principle 11(g) (Dispute Resolution and Enforcement) of the UK Extension. Further, the Analysis outlines that the role of the DoC is to facilitate cooperation between national supervisory authorities, such as the ICO, and certified businesses where a complaint is received or where the ICO has raised a question over a certified US organization's compliance.

Notably, the Analysis details the more specific role of the DoT which, as a supervisory authority under the UK Extension, may take action pursuant to 49 U.S.C. 41712 ('Unfair and deceptive practices and unfair methods of competition') against a US or foreign air carrier or ticket agent that fails to abide by its public commitment to implement the DPF, where this amounts to an 'unfair or deceptive practice' in the sale of air transportation that results in, or is likely to result in, consumer harm. Enforcement actions by the DoT are handled internally within the Office of Aviation Consumer Protection (OACP). Functionally, the Analysis clarifies that DoT enforcement operates in the same way as Section 5 of the FTC Act and allows the investigation of certified US organizations that violate the DPF through their published privacy notices.

Sectoral laws

The Analysis confirms that the DSIT's assessment was limited solely to transfers of personal data which will be subject to the UK Extension and that only personal data covered by the definitions and scope of the DPF may be transferred from the UK.

In addition, the Analysis notes that there are various state and sectoral laws within the US that may provide additional protections for personal data and further mitigations to supplement the protections under the DPF. The DPF accounts for this in its Overview section, where it states that, where requirements conflict and organizations have the option to do so, they are expected to opt for the higher level of protection. However, the Analysis provides that the scope of the DSIT's assessment is limited solely to transfers under the UK Extension and the protections of the DPF itself. Though there may be additional protections from state or sectoral law, these should be taken as additional, rather than foundational. The Analysis also highlights the importance of considering the limitations of such protections: the level of protection may vary and may not apply to all data transferred, depending on the state or sector in which a US organization resides.

Although the DPF Principles are framed in EU terminology, reflecting the EU-US negotiations that established the DPF and the EU's laws and practices in relation to data protection and privacy, the Analysis notes that the DoC, together with other relevant authorities, has agreed to extend the protections of the DPF Principles and the DPF to personal data transferred from the UK.

DPF Principles

The Analysis notes that DSIT considers that the DPF Principles broadly align with those of the UK and provide comparable protections for UK data subjects, and that where differences are apparent, specifically in relation to the lawfulness principle and the accountability principle under the UK GDPR, they are mitigated.

Moreover, as set out in the Analysis, DSIT considered that the lack of an underlying requirement for a legal basis for processing in the DPF is to some extent mitigated by the combination of the Data Integrity and Purpose Limitation Principle and the Choice Principle, which limit how certified US organizations are able to process UK personal data. Where those organizations wish to change the purpose for which the personal data is being processed, they are required, through the Choice Principle, to provide UK data subjects with a means to exercise control over their personal data.

Redress

The Analysis notes that there are numerous routes of redress available to data subjects against certified US organizations that have breached their obligations under the DPF or failed to respond satisfactorily to a request or complaint. In this context, the Analysis highlights that a multi-layered process of redress is available to UK data subjects. Though some areas do not map directly onto the UK GDPR, the options available, including the arbitration panel, allow UK data subjects to exercise these rights and enforce them as necessary, ultimately through a judicial decision, and provide comparable protections for UK data subjects.

Onward transfers

The Analysis recognizes that the DPF does not set out any specific requirements for the international transfer of data by controllers or processors who have transferred personal data from the UK. However, the Analysis clarifies that the Accountability for Onward Transfer Principle, under the UK GDPR, does apply for all transfers of personal data from certified US organizations that have received and/or transferred personal data under the DPF to organizations both within and outside the US. Specifically, according to the Accountability for Onward Transfer Principle, certified US organizations that wish to share or transfer personal data with other controllers or processors must enter into a contract that requires:

  • such data to only be processed for limited and specific purposes consistent with the original purposes or consent provided by the individual;
  • the recipient of any transfer to continue providing the same level of protection as would be found under the DPF and notify the original certified US organization if it makes a determination that it can no longer meet such an obligation; and
  • if such a determination is made, the third party will cease processing or take steps to remedy the situation.

To ensure compliance, the contracts that controllers are required to put in place with third parties may need to be shared with the DoC to check adherence to the DPF Principles. Though receiving controllers are not required to be participants in the DPF or to have an independent redress mechanism, they are required to provide an equivalent mechanism.

Notably, the Analysis provides that, even though the US participates in the Cross Border Privacy Rules (CBPR) System, which provides a framework for organizations to certify compliance, an organization that has committed to comply with the DPF Principles remains subject to the Accountability for Onward Transfer Principle even if it is also certified under the CBPR System. Organizations that have a controller-controller or controller-processor relationship with a certified US organization, and that are not themselves certified US organizations, may wish to use the CBPR framework for international transfers of data originally received through the DPF from UK data subjects. In such cases, the certified US organizations are expected to have put in place contractual requirements under the Accountability for Onward Transfer Principle and Supplemental Principle 10 (Obligatory Contracts for Onward Transfers).

Government access to personal data

The Analysis highlights that DSIT considers that there are appropriate limitations, safeguards, redress mechanisms, and oversight regarding access by the US government to UK personal data for national security purposes. DSIT made such an assessment with reference to the powers available to the US government under the Foreign Intelligence Surveillance Act (FISA) and the safeguards, oversight, and redress mechanisms provided by Executive Order (EO) 14086, among other legislation.

Conclusion

Before sending personal data to the US via the UK extension, the Fact Sheet highlights that organizations should:

  • confirm whether an organization is an active DPF participant by visiting the DPF List and searching alphabetically or by typing the organization's name in the search bar;
  • ensure that the organization has signed up for the UK Extension to the EU-US Data Privacy Framework program;
  • verify that HR data is covered by the organization's DPF commitments (if wishing to transfer HR data):
    • click on the organization's name within the DPF List; and
    • within the organization's DPF program record, click on the link to the relevant privacy policy or policies (for HR data and/or non-HR data) under the Privacy Policy section of the record; and
  • review the privacy policy that applies to the covered information, within the organization's DPF program record, by clicking on the link to the relevant privacy policy or policies (for HR data and/or non-HR data).

Harry Chambers, Senior Privacy Analyst
Bahar Toto, Privacy Analyst