On September 21, 2023, the UK Information Commissioner’s Office (“ICO”) published an opinion on the UK Government’s assessment of adequacy for the UK Extension to the EU-U.S. Data Privacy Framework (the “UK Extension”). The ICO states that, while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and to lay regulations to that effect, there are four specific areas that could pose risks to UK data subjects if the protections identified are not properly applied. These four risks are:
- The definition of “sensitive information” under the UK Extension does not specify all the categories listed in Article 9 of the UK GDPR but instead specifies “[…] any other information received from a third party that is identified and treated by that party as sensitive.” UK organizations transferring data will therefore need to identify biometric, genetic, sexual orientation, and criminal offense data as “sensitive data” when sending it to a U.S. certified organization to ensure it will be treated as sensitive information under the UK Extension. There is currently no requirement for UK organizations to identify information as sensitive, and therefore the ICO believes this creates a risk that the protections may not be applied in practice.
- Regarding criminal offense data, the ICO anticipates that, even if identified as sensitive, there may still be a risk to such data as it is not aware of equivalent protections to those set out in the UK’s Rehabilitation of Offenders Act 1974. This Act places limits on the use of data relating to criminal convictions when those convictions have become ‘spent’ following the relevant rehabilitation period. According to the ICO, it is not clear how these protections would apply once the information has been transferred to the U.S.
- The UK Extension does not contain a right substantially similar to the UK GDPR’s protection of individuals from being subject to decisions based solely on automated processing that would produce legal effects or similarly significantly affect them, in particular the right to obtain a review of an automated decision by a human.
- The UK Extension does not contain a substantially similar right to the UK GDPR’s right to be forgotten, or an unconditional right to withdraw consent, meaning individuals are given less control in relation to their personal data.
As a result, the ICO recommends that the Secretary of State monitor the implementation of the UK Extension and relevant developments in the U.S. to ensure UK data subjects are afforded substantially similar protections in practice and their rights are not undermined, and take actions, as needed, to mitigate these risks.