The UK adopts the EU-US Data Privacy Framework

The UK ICO has announced that from 12 October 2023, businesses in the UK can start to transfer personal data to US organisations certified to the “UK Extension to the EU-US Data Privacy Framework” (UK Extension) under Article 45 of the UK General Data Protection Regulation (GDPR) without the need for further safeguards such as the complex EU Standard Contractual Clauses or an International Data Transfer Agreement.

As the ICO explains, the EU-US Data Privacy Framework (DPF) is a bespoke, opt-in certification scheme for US organisations, enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce (DoC).

The Data Privacy Framework includes a set of enforceable principles and requirements that organisations must certify to, and comply with, in order to join the Data Privacy Framework. These principles take the form of commitments to data protection and govern how an organisation uses, collects and discloses personal data. US organisations that have been certified to the Data Privacy Framework can opt in to receive data from the UK.

Once a US organisation has been certified and is publicly placed on the Data Privacy Framework List (DPF List) on the DPF website, it can receive UK personal data through a UK-US data bridge.

This is a positive step for UK organisations that process UK and EU personal data, but is dependent on US organisations adopting the principles and self-certifying. Where the US data recipient hasn’t adopted the Framework, a contract mechanism will still be required to ensure that data exports to the US are lawful. UK organisations should:

· carry out due diligence before transferring any data to the US, including to a member of the same group of companies

· update their Privacy Policy if transfers will be covered by the UK Extension

· update their data processing records and mapping to reflect the new transfer mechanism.

Orange Grove Law’s experienced data privacy experts can give you practical guidance on how to navigate this minefield.
