UK Extension to the EU-US Data Privacy Framework for UK-US personal data transfers
On 12 October 2023, the Data Protection (Adequacy) (United States of America) Regulations 2023 (SI 2023/1028) came into force, with which the UK government adopted an adequacy decision for the US (the UK-US Data Bridge). The UK-US Data Bridge enables UK organisations to freely and securely transfer personal data to certified US companies under the "UK Extension to the EU-US Data Privacy Framework" (UK Extension).
Which types of organisations may receive data under the UK Extension?
- Data importers/recipients in the US must be certified under the UK Extension and appear on the EU-US Data Privacy Framework (DPF) list.
- Only US organisations subject to the jurisdiction of the US Federal Trade Commission (FTC) or the US Department of Transportation (DoT) are currently eligible to participate in the DPF programme. Those US organisations not subject to the jurisdiction of either the FTC or DoT — for example, banking, insurance, and telecommunications companies — are unable to participate in the DPF programme at this time.
How can you check which specific organisations have certified under the UK Extension?
Before transferring any personal data to the US, UK organisations must ensure the following:
- Confirm that the recipient is certified under the DPF
- Confirm that the organisation has adopted the UK Extension to the DPF
- (If wishing to transfer HR data), confirm that HR data is covered by the organisation’s DPF commitments
- Review the organisation’s privacy policies that apply to ensure that the relevant data is covered (for both non-HR and/or HR data)
If the UK Extension is not applicable to your data transfer, you will have to rely on other transfer tools, such as one of the pre-existing appropriate safeguards or one of the available derogations under Article 49 of the UK GDPR for international data transfers. A transfer risk assessment may also be necessary to validate your transfers.
The DPF List can be found here.
The UK-US Data Bridge factsheet for UK organisations can be found here.
The UK-US Data Bridge explanatory guide can be found here.
The UK Information Commissioner’s Opinion on the adequacy for the UK Extension to the EU-US Data Privacy Framework for the general processing of personal data can be found here.
Our previous blog post on the EU-US DPF can be found here.