The UK Extension to the EU-U.S. Data Privacy Framework takes effect
On 12 October 2023, the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension) – also known as the UK-US Data Bridge – took effect, paving the way for transatlantic personal data transfers from the United Kingdom (UK) to the United States (US). The UK Extension permits the flow of personal data from the UK to the US without the need for further safeguards.
What is the UK Extension and how does it relate to the EU-US Data Privacy Framework (DPF)?
Under Chapter V of the General Data Protection Regulation (GDPR), transfers of personal data outside the European Economic Area (EEA), which includes the European Union (EU), Norway, Iceland, and Liechtenstein, are prohibited unless the intended destination offers an ‘adequate level of protection’ of personal data compared to EU law (Article 45 GDPR). Alternatively, such transfers can proceed if certain appropriate safeguards are in place (Article 46 GDPR), or if specific derogations apply (Article 49 GDPR).
After the UK’s withdrawal from the EU, the UK retained the provisions of the GDPR, known as the UK GDPR, along with all EEA adequacy decisions in effect up to that point.
On 10 July 2023, the European Commission adopted an adequacy decision for transatlantic transfers under the terms of the DPF (see our Client Alert of 7 August 2023). The DPF applies to transfers of personal data from the EEA to the US. However, as the DPF was adopted after Brexit, it does not apply to transfers originating from the UK.
Therefore, the UK needed to create its own transfer mechanism with the US. After an extensive analysis of relevant US law, the UK approved the UK Extension. Technically, the UK Extension functions as a territorial extension of the EU-US DPF, meaning that transfers of personal data from the UK to the US will be carried out under similar conditions to those coming from the EEA.
The UK Extension allows UK data subjects, whose personal data has been transferred to the US, to enjoy guarantees essentially equivalent to the fundamental rights offered to EEA data subjects. This mechanism relies on changes in US law, which require enforcement authorities to limit their access to the personal data transferred for national security purposes. The UK was designated as a qualifying state under US Executive Order 14086, and therefore, similar to their EEA counterparts, UK-based data subjects may access the US Data Protection Review Court (DPRC), established for data subjects to enforce their rights.
What do businesses transferring data from the UK need to know?
Before transferring personal data to the US, a UK-based exporter must confirm that the US-based recipient has self-certified under the DPF and signed up to the UK Extension. This can be done through a search of the DPF List.
To qualify for self-certification under the DPF (and the UK Extension), US businesses must be subject to the jurisdiction of the Federal Trade Commission (FTC) or Department of Transport (DoT). As a result, some sectors and categories of data, such as banking and personal data gathered for journalistic purposes, currently do not qualify for self-certification under the DPF.
In addition, in its review of the UK Extension, the UK’s Information Commissioner’s Office (ICO) flagged a few concerns, such as a narrower scope of the concept of “sensitive information”. As a result, various types of sensitive information are excluded from the UK Extension’s protection. To remedy that, the UK Government clarified that such information “must be appropriately identified as sensitive to US organisations when transferred under the UK-US data bridge to ensure it receives appropriate protections”.
If a UK-based organisation cannot rely on the UK Extension, it can opt instead for one of the pre-existing appropriate safeguards, such as the UK International Data Transfer Agreement, or the UK Addendum to the EU’s Standard Contractual Clauses (SCCs). Alternatively, and in specific cases, UK exporters may be able to rely on the derogations under Article 49 UK GDPR for international data transfers. However, with these methods, UK-based exporters may still be required to carry out a transfer impact assessment (TIA), also referred to as a transfer risk assessment (TRA).
