The UK Extension: Implications for International Data Transfers

Jan 24, 2024 by BBB National Programs' Global Privacy Division

On October 12, 2023, the UK Extension to the EU-U.S. Data Privacy Framework (DPF) took effect, permitting the flow of personal data from the United Kingdom (UK) to the U.S. without the need for further safeguards and making UK coverage accessible for companies of all sizes—from small and medium-sized businesses to multinational corporations—participating in the DPF Program.

The UK Extension, along with other significant data privacy actions by the UK government in the last two years, signals the UK's commitment to and enthusiasm for sustainable data flows.

 

UK’s Evolution & Interoperable Approach  

Starting with 2020’s Brexit, the UK charged forward with a new perspective on its geopolitics, economic considerations, and data privacy strategy. One example is the UK’s General Data Protection Regulation, which is expected to reap serious economic benefits (with estimated savings of $5.6 billion). Another is the UK’s fresh vision for its National Data Strategy, which underscores international flows of data and, with its international allies, establishes interoperability across jurisdictions.

Grounding that strategy is the UK government’s International Data Transfers Expert Council, which launched in 2022 and is responsible for the November 2023 report, Towards a Sustainable, Multilateral, and Universal Solution for International Data Transfers, research backed by 20 global data experts from across academia and industry representative bodies. In the report, the Council agreed on key characteristics that will create sustainable data flows – “strong political endorsement, risk-based approach, accountability-based, interoperable and outcomes-focused, and consistent of multiple mechanisms” – and provided short, medium, and long-term recommendations for interoperability.  

Another aspect driving the UK’s digital data strategy is the Data Protection and Digital Information Bill (No.2), underpinned by “billions of pounds in the booming global data driven trade,” with the notion that the UK would build data bridges to sustain the vital, free, and secure sharing of data with allies that had shared democratic visions. The UK data bridge with the Republic of Korea last November and the momentous UK extension to the EU-U.S. DPF in October are two such examples. 

Looking to the year ahead, the UK has signaled interest in creating more digital bridges with a list of priority countries, such as Australia, Brazil, Colombia, and more. 

 

Explaining the UK Extension 

After Brexit, the UK retained the provisions of the EU General Data Protection Regulation (GDPR) with slight modifications, known as the UK GDPR, along with all European Economic Area (EEA) adequacy decisions in effect up to that point. Adequacy decisions signal adequate levels of protection for data transfers across jurisdictions.

In July 2023, the European Commission adopted an adequacy decision for transatlantic transfers under the terms of the EU-U.S. DPF. However, the EU-U.S. DPF was adopted after Brexit, so it does not apply to transfers originating from the UK.

As a result, the UK needed to create its own transfer mechanism with the U.S. After an extensive analysis of relevant U.S. law, the UK approved the UK Extension, a mechanism that functions as a “territorial extension” of the EU-U.S. DPF, meaning that transfers of personal data from the UK to the U.S. will be carried out under similar conditions to those coming from the EEA. 

The UK Extension (also known as the UK-U.S. Data Bridge) allows UK data subjects, whose personal data has been transferred to the U.S., to enjoy guarantees essentially equivalent to the fundamental rights offered to EEA data subjects. This mechanism relies on changes in U.S. law, which require enforcement authorities to limit their access to the personal data transferred for national security purposes. The UK was designated as a qualifying state under U.S. Executive Order 14086, and therefore, similar to their EEA counterparts, UK-based data subjects may access the U.S. Data Protection Review Court, established for data subjects to enforce their rights. 

 

The Benefits of Transfer Mechanisms  

  • The UK Extension facilitates a seamless transfer of data back and forth between the U.S. and the UK, and U.S. companies that certify to the UK Extension are deemed adequate for those data transfers. 
  • Leveraging the DPF Program provides organizations with a streamlined and cost-efficient approach to data transfers. Other transfer mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), require significantly more resources and effort to implement, making the DPF Program an ideal choice for businesses of all sizes. 
  • DPF Program participating organizations are exempted from the need to conduct transfer impact assessments or institute supplementary measures. In contrast, if companies rely on other transfer mechanisms such as SCCs or BCRs, they are still mandated to implement supplementary measures.  

 

Earlier this year, the UK laid out important initiatives regarding the regulation of emerging technologies such as AI. As companies that do business in and transfer data with the UK leverage the latest technologies and AI-enabled tools, it will be important for them to strengthen their data flows, a core foundation for AI-based systems.  

As the data protection landscape evolves, consumers will increasingly expect companies to actively take advantage of and participate in available data privacy frameworks to protect their data. 

 

Ring in 2024 with Sustainable Digital Data Flows Across the Atlantic 

Companies have realized they can remove the headache of managing the above processes by leveraging a third-party accountability agent, such as BBB National Programs, the longest-running IRM in the U.S., to do the heavy lifting.  

For a free consultation with the Global Privacy Division, contact us.  
