The UK Extension: Implications for International Data Transfers

Jan 24, 2024 by BBB National Programs' Global Privacy Division

On October 12, 2023, the UK Extension to the EU-U.S. Data Privacy Framework (DPF) took effect, permitting the flow of personal data from the United Kingdom (UK) to the U.S. without the need for further safeguards and making UK coverage accessible for companies of all sizes—small and medium-sized business to multinational corporations—participating in the DPF Program.  

The UK Extension, along with other significant data privacy actions by the UK government in the last two years, signals its commitment and enthusiasm for sustainable data flows.  

 

UK’s Evolution & Interoperable Approach  

Starting with 2020’s Brexit, the UK charged forward with a new perspective on its geopolitics, economic considerations, and data privacy strategy. One example is the UK’s General Data Protection Regulation, which is expected to reap serious economic benefits (estimating savings of $5.6 billion). Another is the UK’s fresh vision for its National Data Strategy, which underscores international flows of data and, with its international allies, establishes interoperability across jurisdictions.  

Grounding that strategy is the UK government’s International Data Transfers Expert Council, which launched in 2022 and is responsible for the November 2023 report, Towards a Sustainable, Multilateral, and Universal Solution for International Data Transfers, research backed by 20 global data experts from across academia and industry representative bodies. In the report, the Council agreed on key characteristics that will create sustainable data flows – “strong political endorsement, risk-based approach, accountability-based, interoperable and outcomes-focused, and consistent of multiple mechanisms” – and provided short, medium, and long-term recommendations for interoperability.  

Another aspect driving the UK’s digital data strategy is the Data Protection and Digital Information Bill (No.2), underpinned by “billions of pounds in the booming global data driven trade,” with the notion that the UK would build data bridges to sustain the vital, free, and secure sharing of data with allies that had shared democratic visions. The UK data bridge with the Republic of Korea last November and the momentous UK extension to the EU-U.S. DPF in October are two such examples. 

Looking to the year ahead, the UK has signaled interest in creating more digital bridges with a list of priority countries, such as Australia, Brazil, Colombia, and more. 

 

Explaining the UK Extension 

After Brexit, the UK retained the provisions of the EU General Data Protection Regulation (GDPR) and included slight modifications, known as the UK GDPR, along with all European Economic Area (EEA) adequacy decisions – signaling adequate levels of protection for data transfers across jurisdictions – in effect up to that point. 

In July 2023, the European Commission adopted an adequacy decision for transatlantic transfers under the terms of the EU-U.S. DPF Framework. However, the EU-U.S. DPF Framework was adopted after Brexit so it does not apply to transfers originating from the UK. 

As a result, the UK needed to create its own transfer mechanism with the U.S. After an extensive analysis of relevant U.S. law, the UK approved the UK Extension, a mechanism that functions as a “territorial extension” of the EU-U.S. DPF, meaning that transfers of personal data from the UK to the U.S. will be carried out under similar conditions to those coming from the EEA. 

The UK Extension (also known as the UK-U.S. Data Bridge) allows UK data subjects, whose personal data has been transferred to the U.S., to enjoy guarantees essentially equivalent to the fundamental rights offered to EEA data subjects. This mechanism relies on changes in U.S. law, which require enforcement authorities to limit their access to the personal data transferred for national security purposes. The UK was designated as a qualifying state under U.S. Executive Order 14086, and therefore, similar to their EEA counterparts, UK-based data subjects may access the U.S. Data Protection Review Court, established for data subjects to enforce their rights. 

 

The Benefits of Transfer Mechanisms  

  • The UK Extension facilitates a seamless transfer of data back and forth between the U.S. and the UK, and U.S. companies that certify to the UK Extension are deemed adequate for those data transfers. 
  • Leveraging the DPF Program provides organizations with a streamlined and cost-efficient approach to data transfers. Other transfer mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), require significantly more resources and effort to implement, making the DPF Program an ideal choice for businesses of all sizes. 
  • DPF Program participating organizations are exempted from the need to conduct transfer impact assessments or institute supplementary measures. In contrast, if companies rely on other transfer mechanisms such as SCCs or BCRs, they are still mandated to implement supplementary measures.  

 

Earlier this year, the UK laid out important initiatives regarding the regulation of emerging technologies such as AI. As companies that do business in and transfer data with the UK leverage the latest technologies and AI-enabled tools, it will be important for them to strengthen their data flows, a core foundation for AI-based systems.  

As the data protection landscape evolves, consumers will increasingly expect companies to actively take advantage of and participate in available data privacy frameworks to protect their data. 

 

Ring in 2024 with Sustainable Digital Data Flows Across the Atlantic 

Companies have realized they can remove the headache of managing the above processes by leveraging a third-party accountability agent, such as BBB National Programs, the longest-running IRM in the U.S., to do the heavy lifting.  

For a free consultation with the Global Privacy Division, contact us.  

Suggested Articles

Blog

Independence Day Edition: CBPR Framework Offers “Checks & Balances”

Going, Going, Gone Global, a webinar on the CBPR Global Forum, delved into how privacy impacts businesses’ brand reputation and builds trust with key stakeholders, discussed the purpose of the Global CBPR, and its value to Global Forum members.
Read more
Blog

Industry Self-Regulation: Part of the Solution for Governing Generative AI

The spotlight on generative AI remains bright. The benefits and risks continue to be ever-present in the minds of business and political leaders. No matter the timing or the setting, the creation of transparency, accountability, and collaboration among stakeholders is key to successful industry self-regulation as is the importance of setting standards and best practices.
Read more
Blog

The Demise of “Chevron Deference”: Who Will Fill the Regulatory Gaps?

The Supreme Court's 1984 ruling in Chevron v. NRDC held that courts should defer to federal agencies’ interpretations of ambiguous federal laws so long as those interpretations are reasonable. So given the court’s decision to overturn it, where does that leave companies that want a level playing field and perhaps even to raise the bar, instead of racing to the bottom?
Read more
Blog

Robust Dispute Resolution: A Quiet Enforcer for Privacy Compliance

ICYMI, a procedural rule change to update the GDPR has been agreed upon by the European Parliament to provide EU citizens with greater legal certainty regarding enforcement of GDPR, improve the dispute resolution process, and streamline the handling of cross-border cases.
Read more