UK formally recognises the US as having adequate data protection, simplifying transatlantic transfers of personal data

On 21 September 2023, the government laid The Data Protection (Adequacy) (United States Of America) Regulations 2023. The regulations will come into force on 12 October 2023 and establish a UK-US ‘data bridge’ by formally recognising transfers of personal data to certain US organisations as having an adequate level of data protection. Where applicable, this will replace the need to put in place additional safeguards, such as the International Data Transfer Agreement (IDTA) (see our earlier coverage here), or rely on exemptions, for transatlantic transfers of personal data.

Background

The EU and US have previously put in place legal frameworks to allow for the transatlantic transfer of personal data. However, on each occasion those frameworks have been invalidated by the courts. Since 2020 the EU and US have been negotiating a new framework, which was finally agreed in 2022 and became known as the EU-US Data Privacy Framework.

On 10 July 2023 the European Commission formally recognised the Framework as providing an adequate level of data protection, bringing the Framework into operation for EU-US transfers. However, due to Brexit, this did not apply to the UK which now makes its own, separate decisions regarding adequacy. The UK and US have therefore negotiated and agreed a UK Extension to the Framework, and the Regulations formally recognise the UK Extension as adequate.

Scope

The adequacy decision does not apply to all transatlantic transfers of personal data, only to those covered by the Framework. To be covered, US organisations must be included on the Data Privacy Framework List published by the US Department of Commerce. To be included, the organisations must self-certify that they will adhere to the Framework Principles. These constitute a detailed set of requirements on how to protect and process data, based on privacy principles such as notice, choice, access, and accountability for onward transfers (both domestically and internationally). Organisations must also be subject to the jurisdiction of the US Federal Trade Commission or the US Department of Transportation, to ensure that these agencies can enforce the Framework Principles.

The list and principles are available via the UK government website.

Comments

This will be a very welcome and overdue development for any organisation involved in transatlantic transfers of personal data, minimising the costs and burdens of having to put additional safeguards (such as the IDTA) in place. This will make it easier for UK and US markets and businesses to connect with one another and create opportunities for businesses to operate and attract investment across the Atlantic.

However, transfers to or from US organisations not on the list will continue to require the usual safeguards, such as the IDTA. It remains to be seen exactly how many organisations will decide to be included on the list; while international and multinational firms involved in large scale data transfers already will almost certainly look to take advantage of the Framework, the balance of advantages and burdens may be different for organisations carrying out less frequent or ad hoc transfers. The costs and time involved in implementing safeguards can also be overstated in some scenarios.

Post-Brexit, much discussion takes places about the relative benefits of regulatory convergence or divergence with the EU. The UK’s decision to adopt an extension to the EU-US framework is a clear and decisive decision to align directly with the regulatory approach adopted and negotiated by the EU. Many will see this as a welcome and pragmatic step, and one that illustrates the benefits of regulatory alignment. However, it is fair to say this is a case where the grounds for alignment are compelling, whereas divergence in other areas of regulation may offer advantages. For example, the UK’s Data Protection and Digital Information (No. 2) Bill, currently progressing through parliament, specifically aims (amongst other things) to introduce a different approach to that used by the EU to assess adequacy, which could help the UK establish data bridges with other countries on its own initiative, rather than continuing to piggyback on EU adequacy decisions.

The Framework will be the third legal framework put in place by the EU and US for transatlantic exchanges of personal data. The first two, Safe Harbour and Privacy Shield, were each invalidated by the courts in the Schrems I and Schrems II cases respectively (named after their namesake, privacy campaigner Max Schrems). The new Framework aims to address the issues raised in those cases, but only time will tell if it will be third time lucky for the Framework or there will be a Schrems III.

For further detail and support, get in touch with any of the key contacts listed below.