UK to piggyback on EU-US framework for data transfers

Published: 28 September 2023

On 21 September 2023, the UK’s Department for Science, Innovation & Technology published a notice confirming that from 12 October 2023 “businesses in the UK can start to transfer personal data to US organisations certified to the “UK Extension to the EU-US Data Privacy Framework” (UK Extension) under Article 45 of the UK General Data Protection Regulation (GDPR) without the need for further safeguards such as those set out in Articles 46 and 49 of the UK GDPR.”

To sum this up in plain English, this means that from 12 October 2023, UK businesses are able to ‘piggyback’ on the EU-US Data Privacy Framework to ensure that people’s data is protected as it moves from UK to the US.

Why is this important?
When an organisation moves personal data from one jurisdiction to another (this is known as a ‘data transfer’), certain laws apply to how this is done. This is to ensure the protection of the data travels with it. You can read more about why this protection is needed at www.odpa.gg/data-transfer

A short summary of the torturous history of transatlantic data transfers
There is complicated history around the rules that govern how data is protected when it moves between the EU and the US:
  • 2000 and 2015 - transfers were covered by a set of principles outlined in the ‘Safe Harbour Agreement’.
  • October 2015 - Safe Harbour declared invalid following legal challenge in EU by Max Schrems (this is known as the ‘Schrems I’).
  • February 2016 - a new legal framework called ‘Privacy Shield’ was established.
  • January 2020 – the UK withdraws from the European Union, and begins developing its own legal framework for data transfers to the US.
  • July 2020 – Privacy Shield declared invalid in a second legal challenge from Max Schrems (known as ‘Schrems II’).
  • July 2023 - the European Commission adopt an ‘adequacy decision’ for the ‘EU-US Data Privacy Framework’. This means they were satisfied that the protection offered to data in the US was comparable to the protections in the EU.
  • October 2023 – UK regulations known as ‘UK-US data bridge’ come into effect, allowing UK to piggy back on the EU-US Data Privacy Framework.
What does this mean for the Bailiwick?
If you are based in the Bailiwick of Guernsey and process data about, or related to, people you need to be aware of your legal obligations under The Data Protection (Bailiwick of Guernsey) Law, 2017 when transferring people’s data outside of the Bailiwick. As you will gather from the details above, this is a complex and dynamic legal area so you should speak to your Data Protection Officer or legal advisor where appropriate. You can also refer to our existing guidance at https://www.odpa.gg/information-hub/guidance/transferring-data.