Research and analysis

New Data Protection (Adequacy) Regulations IA: RPC Opinion (Green-rated)

Regulatory Policy Committee opinion on DSIT’s Data Protection (Adequacy) Regulations - UK Extension to the EU-US Data Privacy Framework IA

• From: Regulatory Policy Committee
• Published: 17 October 2023

Documents

RPC Opinion: New Data Protection (Adequacy) Regulations

PDF, 180 KB, 9 pages

This file may not be suitable for users of assistive technology.

Request an accessible format.

If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email enquiries@bis.gsi.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

Details

The proposals seek to grant data adequacy status to the Data Protection Framework (DPF) so that UK-based organisations can transfer personal data to US companies that have signed up to the DPF and opt-in to a UK extension of the EU-US DPF.

As originally submitted for RPC scrutiny, the IA was not fit for purpose due to the RPC assessing the IA as having missed impacts and unsupportive assumptions relating to the calculation of the EANDCB. The IA now contains a proportionate assessment of the direct and indirect impacts on business, and the Department has provided suitable evidence to support the estimation of the EANDCB and the indicative analysis and its assumptions.

The IA clearly explains the different types of familiarisation costs faced by businesses and has justified the key assumptions using best available evidence. The SaMBA is proportionate and fit for purpose, although the IA would benefit from further assessment in respect of medium-sized businesses. Overall, the IA should further discuss the impact of legal challenge (including Schrems III and future UK challenge) on the take-up of the DPF and the risks that it poses.

Published 17 October 2023