
Handley Gill Limited


UK-US data bridge open for traffic

UK data exporters, and eligible US data importers, will welcome the confirmation that the Data Privacy Framework arrangements will shortly extend to eligible UK-US personal data transfers. The current arrangements - requiring transfer impact assessments to be conducted and standard data protection contractual clauses to be entered into with supplementary measures in an effort to safeguard personal data - impose administrative burdens on entities often lacking the knowledge or resources to do so effectively. The prospect of the Framework being struck down by the CJEU, however, presents a looming roadblock to the UK-US data bridge.
— Handley Gill Limited

Further to the European Commission’s adequacy decision in respect of the USA in July of this year, and the UK’s commitment to piggyback on the EU-US Trans-Atlantic Data Privacy Framework arrangement through a ‘data bridge’ (or flyover, as we preferred to call it), the Secretary of State for Science, Innovation and Technology has today laid before Parliament The Data Protection (Adequacy) (United States of America) Regulations 2023 (SI 2023/1028). The Regulations will come into force on 12th October 2023. The Department for Science, Innovation and Technology has also published supporting documentation.

The effect of the Regulations will be that, as of 12 October 2023, a transfer of personal data from the UK to an entity in the USA which has self-certified to the Trans-Atlantic EU-US Data Privacy Framework and its UK extension, and which will abide by the EU-US Data Privacy Framework Principles, will be deemed to offer an adequate level of protection for personal data and shall be lawful in accordance with Article 45(1) UK GDPR.

This will mean that it will no longer be necessary for UK data exporters to rely on standard contractual clauses, binding corporate rules or other safeguards to legitimise the transfer of personal data to self-certified entities in the US.

Currently, data transfers from the UK to the US under the UK GDPR must either be based on a safeguard, such as standard contractual clauses or binding corporate rules, or fall within the scope of a derogation under Article 49 UK GDPR.

When relying on the standard data protection clauses safeguard, under the post-Brexit transitional provisions UK data exporters subject to the UK GDPR are currently still permitted to rely on either the European Commission’s original standard contractual clauses (the standard data protection clauses which were issued under European Commission Decision 2001/497/EC and European Commission Decision 2010/87/EU) - provided these are subject to supplementary measures - or the European Commission’s modernised SCCs (issued under European Commission Decision 2021/914/EU) as a lawful basis for transfers of personal data outside the UK which are covered by a contract entered into on or before 21 September 2022. Such contracts will continue to be valid until 21 March 2024.

Although these have been available for use from 21 March 2022 onward, since 22 September 2022 any new transfers of personal data reliant on standard data protection clauses as the lawful basis for transfer under the UK GDPR have been required to use the Information Commissioner’s International Data Transfer Agreement (IDTA) or its Addendum together with the European Commission’s modernised standard contractual clauses (SCCs) (the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021).

The introduction of the Regulations therefore means that as of 21 March 2024, when pre-21 September 2022 agreements would cease to be valid, UK data exporters to certified entities will not be required to enter into new standard data protection clauses using the ICO IDTA or Addendum and modernised EC SCCs, but can instead simply choose to rely on the US adequacy regulation, amending the contracts to remove the SCC-related requirements.

Given the additional compliance burdens inherent in reliance on standard data protection clauses as the lawful basis for transfer, eligible contracting parties may seek to vary existing agreements to remove the additional obligations associated with SCCs in respect of transfers of personal data to data importers which are self-certified to the Data Privacy Framework.

Any new data transfer arrangements from the UK to self-certified entities in the US under the UK GDPR will not need to use either the IDTA or Addendum and modernised EC SCCs and can instead simply proceed in reliance on the regulations.  

Looming over this bonfire of red tape, however, is the spectre of the CJEU. The EU-US Data Privacy Framework is already subject to legal challenge by a French politician, and further legal challenges are expected. While these are likely to take at least a number of months to resolve, there is a risk that the DPF will suffer the same fate as its predecessors, Safe Harbor and the Privacy Shield, and be struck down. The drafting of the UK’s Adequacy Regulations, coupled with the implications of the Retained EU Law (Revocation and Reform) Act 2023, is such, however, that even if the Framework were to be struck down by the CJEU, this would not automatically render it ineffective for transfers of personal data from the UK to the USA. However, continued reliance on the Framework by the UK could serve to jeopardise the European Commission’s adequacy decision in respect of the UK and we would therefore anticipate some action by relevant authorities to regularise the arrangements.

The risks associated with moving to sole reliance on the Adequacy Regulations may therefore be lessened for UK data exporters to the US, although it may prove wise to keep an alternative emergency lawful basis in the boot, to jump start your transfers in case of breakdown.
