The UK Extension: Implications for International Data Transfers

Jan 24, 2024 by BBB National Programs' Global Privacy Division

On October 12, 2023, the UK Extension to the EU-U.S. Data Privacy Framework (DPF) took effect, permitting the flow of personal data from the United Kingdom (UK) to the U.S. without the need for further safeguards and making UK coverage accessible to companies of all sizes participating in the DPF Program, from small and medium-sized businesses to multinational corporations.

The UK Extension, along with other significant data privacy actions by the UK government in the last two years, signals its commitment and enthusiasm for sustainable data flows.  

 

UK’s Evolution & Interoperable Approach  

Starting with 2020’s Brexit, the UK charged forward with a new perspective on its geopolitics, economic considerations, and data privacy strategy. One example is the UK’s General Data Protection Regulation, which is expected to reap serious economic benefits (estimated savings of $5.6 billion). Another is the UK’s fresh vision for its National Data Strategy, which underscores international flows of data and, with its international allies, establishes interoperability across jurisdictions.

Grounding that strategy is the UK government’s International Data Transfers Expert Council, which launched in 2022 and is responsible for the November 2023 report, Towards a Sustainable, Multilateral, and Universal Solution for International Data Transfers, research backed by 20 global data experts from across academia and industry representative bodies. In the report, the Council agreed on key characteristics that will create sustainable data flows – “strong political endorsement, risk-based approach, accountability-based, interoperable and outcomes-focused, and consistent of multiple mechanisms” – and provided short, medium, and long-term recommendations for interoperability.  

Another aspect driving the UK’s digital data strategy is the Data Protection and Digital Information Bill (No.2), underpinned by “billions of pounds in the booming global data driven trade,” with the notion that the UK would build data bridges to sustain the vital, free, and secure sharing of data with allies that had shared democratic visions. The UK data bridge with the Republic of Korea last November and the momentous UK extension to the EU-U.S. DPF in October are two such examples. 

Looking to the year ahead, the UK has signaled interest in creating more digital bridges with a list of priority countries, such as Australia, Brazil, Colombia, and more. 

 

Explaining the UK Extension 

After Brexit, the UK retained the provisions of the EU General Data Protection Regulation (GDPR) and included slight modifications, known as the UK GDPR, along with all European Economic Area (EEA) adequacy decisions – signaling adequate levels of protection for data transfers across jurisdictions – in effect up to that point. 

In July 2023, the European Commission adopted an adequacy decision for transatlantic transfers under the terms of the EU-U.S. DPF. However, the EU-U.S. DPF was adopted after Brexit, so it does not apply to transfers originating from the UK.

As a result, the UK needed to create its own transfer mechanism with the U.S. After an extensive analysis of relevant U.S. law, the UK approved the UK Extension, a mechanism that functions as a “territorial extension” of the EU-U.S. DPF, meaning that transfers of personal data from the UK to the U.S. will be carried out under similar conditions to those coming from the EEA. 

The UK Extension (also known as the UK-U.S. Data Bridge) allows UK data subjects, whose personal data has been transferred to the U.S., to enjoy guarantees essentially equivalent to the fundamental rights offered to EEA data subjects. This mechanism relies on changes in U.S. law, which require enforcement authorities to limit their access to the personal data transferred for national security purposes. The UK was designated as a qualifying state under U.S. Executive Order 14086, and therefore, similar to their EEA counterparts, UK-based data subjects may access the U.S. Data Protection Review Court, established for data subjects to enforce their rights. 

 

The Benefits of Transfer Mechanisms  

  • The UK Extension facilitates a seamless transfer of data back and forth between the U.S. and the UK, and U.S. companies that certify to the UK Extension are deemed adequate for those data transfers. 
  • Leveraging the DPF Program provides organizations with a streamlined and cost-efficient approach to data transfers. Other transfer mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), require significantly more resources and effort to implement, making the DPF Program an ideal choice for businesses of all sizes. 
  • DPF Program participating organizations are exempted from the need to conduct transfer impact assessments or institute supplementary measures. In contrast, if companies rely on other transfer mechanisms such as SCCs or BCRs, they are still mandated to implement supplementary measures.  

 

Earlier this year, the UK laid out important initiatives regarding the regulation of emerging technologies such as AI. As companies that do business in and transfer data with the UK leverage the latest technologies and AI-enabled tools, it will be important for them to strengthen their data flows, a core foundation for AI-based systems.  

As the data protection landscape evolves, consumers will increasingly expect companies to actively take advantage of and participate in available data privacy frameworks to protect their data. 

 

Ring in 2024 with Sustainable Digital Data Flows Across the Atlantic 

Companies have realized they can remove the headache of managing the above processes by leveraging a third-party accountability agent, such as BBB National Programs, the longest-running IRM in the U.S., to do the heavy lifting.  

For a free consultation with the Global Privacy Division, contact us.  
