Today, the UK Department for Science, Innovation and Technology announced further details on the new transatlantic data flow mechanism for UK-to-US personal data transfers. In particular, the UK Secretary of State for Science, Innovation and Technology laid new adequacy regulations before the UK Parliament to give effect to the proposed arrangement. The deal, announced "in principle" in June, is a UK extension to the EU-US Data Privacy Framework ("DPF"), finalised in July. The extension creates a UK-US data bridge, allowing organisations to transfer personal data subject to the UK General Data Protection Regulation (“UK GDPR”) to participating US organisations.
Previously, standard contractual clauses or binding corporate rules would typically be in place before a UK-based data transfer could be made across the Atlantic. Those mechanisms can still be used, but US organisations subject to the jurisdiction of the US Federal Trade Commission ("FTC") or the US Department of Transportation ("DOT") will now be able to self-certify to the UK extension to the DPF and benefit from the new UK-US data bridge. Organisations that wish to participate in the UK extension must also participate in the EU-US DPF and comply with its principles.
The UK government estimates that the country exported £79 billion of data-enabled services to the United States in 2021. It is hoped that the new data flow agreement will further stimulate economic growth between the two countries and encourage more businesses to operate on an international scale. However, US organisations outside the jurisdiction of either the FTC or DOT—such as banks and insurance and telecommunications companies—are currently unable to participate in the DPF program.
Businesses in the United Kingdom can start to transfer personal data to certified US organisations on 12 October 2023.
Additional author: Oliver Jones