By Emma Cockings, 6 December 2023
UK adopts regulations mirroring EU legislation

The UK government has published the Data Protection (Adequacy) (United States of America) Regulations 2023. The regulations came into force on 12 October 2023.

The regulations create a UK extension to the existing EU-US Data Privacy Framework (DPF). The European Commission adopted its adequacy decision for the DPF on 10 July 2023, allowing personal data to flow from the EU to certified US organisations without additional transfer safeguards.

As a result of Brexit, the EU decision does not cover the UK, so the UK has adopted its own regulations to mirror the EU arrangement. Jenna Meehan, associate solicitor in the commercial team at Blacks Solicitors, discusses what these regulations are and how this change will impact UK businesses.

The regulations

The regulations allow businesses in the UK to transfer personal data to US organisations that are certified under the DPF and have opted in to the “UK Extension to the EU-US Data Privacy Framework” (the data bridge). Certification to the EU-US DPF alone is not enough; the US organisation must also have signed up to the UK extension.

This means businesses can transfer data to those organisations without putting additional safeguards in place, such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and without carrying out a transfer risk assessment for that transfer. Businesses can now execute such transfers with the assurance that the listed US organisations are treated as safe recipients of personal data.

The data bridge is an opt-in certification scheme for US organisations, administered by the US Department of Commerce and enforced by US regulators, principally the Federal Trade Commission and the Department of Transportation. To obtain certification, a US organisation must publicly commit to comply with the DPF principles and requirements, which cover how it collects, uses, retains and discloses personal data, the onward transfer of data to third parties, data security, individuals’ rights of access and redress, and the organisation’s governance of those obligations.

What does this mean for UK businesses?

The Information Commissioner’s Office (ICO) has endorsed the data bridge. However, in its opinion on the regulations it expressed concerns that the DPF may not provide the same level of protection for sensitive data as UK law. This is due to the differences between Article 9 UK GDPR and the DPF principles. The DPF does not list all the special categories of personal data that UK GDPR does; it omits genetic data, biometric data used for identification, sexual orientation data and criminal offence data. Instead, it relies on a catch-all provision under which information received from a third party is treated as sensitive only where that third party identifies and treats it as sensitive. In practice, this puts the onus on the UK exporter to flag such data. For UK businesses, this means:

  • Business owners who share personal data with US organisations should check the DPF list to confirm that each organisation is certified and has opted in to the UK extension.

  • All transferred personal data must be handled in line with the DPF principles once received by the US data importer.

  • Businesses should update their privacy policies and their records of processing activities to reflect changes in how personal data is transferred to the US.

  • Businesses should identify sensitive data that the DPF does not list explicitly, such as genetic or biometric data, sexual orientation data or criminal offence data, and tell the US importer that it is sensitive so that it receives proper protection under the DPF.

  • Businesses should consider adopting an alternative safeguard, such as the IDTA or the UK Addendum, as another layer of protection in case the UK-US data bridge is ever suspended or withdrawn.

Image: © Yaroslav Danylchenko via Canva
Emma Cockings
Emma is a content editor for Claims Media. Emma is an experienced writer with a background in client-centric personal injury work for a major firm. She has attended and reported on multiple brokerage events throughout her career.