Guidance

Explanatory note

Published 7 October 2022

In 2016, the EU-US Privacy Shield framework was established, allowing personal data to be transferred freely, from the U.K., to over 5,300 U.S. companies through an EU adequacy decision. The Privacy Shield is a self-certification framework, administered by the U.S. Department of Commerce, that US-based businesses and organisations could join to receive personal data through the adequacy decision. Those businesses in turn serve hundreds of thousands of companies (mostly SMEs) and public sector organisations that rely upon the sharing of personal data between the UK and US

Since July 2020, when the Court of Justice of the European Union (CJEU) judgment in Schrems II invalidated the EU’s adequacy decision for the Privacy Shield, the UK and US have been in technical discussions on a new UK adequacy arrangement. Over the last two years, UK officials have been working closely with U.S. counterparts in the Departments of Commerce, Justice, and State and in the Office for the Director of National Intelligence, as well as with other UK government departments, legal experts, and other key stakeholders such as the Information Commissioner’s Office (see the DCMS-ICO Memorandum of Understanding on new adequacy assessments). This work has been building a detailed evidence-based technical assessment of the data protection laws and practices relevant for a UK adequacy assessment.

The UK and the US have led the way in attempting to realise a more peaceful and prosperous, growth focused, future by promoting the trustworthy use and exchange of data across borders. Both countries share a commitment to tackling these important issues, and in 2021 the UK’s Secretary of State for DCMS, The Rt Hon Nadine Dorries, and the US Commerce Secretary, Gina M. Raimondo met to publish the UK-US Joint Statement on Deepening the Data Partnership. These joint ambitions were further reinforced earlier this year when DCMS Minister of State Matthew Warman met with US Under Secretary of Commerce Marisa Lago where they reiterated a shared ambition to realise the benefits of UK-US data transfers.

The test for adequacy under the UK GDPR requires the Secretary of State to be satisfied that UK data protection standards under the UK GDPR are not undermined when personal data is transferred to another country. To determine this, the overall effect of a third country’s data protection laws, implementation, enforcement, and supervision are taken into account, including those that relate to how public authorities can access personal data.  The third country’s international commitments to data protection and its respect for the rule of law and human rights is also taken into account. The test does not require point by point replication of UK law in another country’s regime. The technical assessment has followed the rigorous and robust approach set out last year by DCMS, alongside the technical documentation published at the same time.

A new UK-US adequacy arrangement will uphold the rights of UK data subjects and facilitate trade and innovation by reducing the compliance costs associated with alternative transfer mechanisms. In 2020, 85% of the UK’s service exports to the US were data-enabled, amounting to £69.3bn (about 30% of the UK’s global data-enabled services exports). A new adequacy decision will reduce the costs for UK businesses in doing business with the US and in using US services.

Today, 7th October, the UK’s Secretary of State for DCMS, The Rt Hon Michelle Donelan MP, has highlighted the excellent progress made by both countries towards a UK adequacy assessment. In particular, the Secretary of State welcomed the new US Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”. These safeguards include:

• Relevant commercial data privacy protections, and the existence and track record of relevant redress, enforcement, and oversight.

• Relevant US laws and practices relating to US authorities’ processing of personal data, including those set out in the White Paper published in September 2020 by the US Departments of Commerce and Justice and the Office of the Director of National Intelligence.

• The US Government’s intention to strengthen the safeguards being implemented by US public authorities as concern signals intelligence through the recently-released Executive Order and to establish a new redress mechanism for individuals whose personal data has been transferred from the UK to the US (including via other non-adequacy-based international transfer mechanisms under the UK GDPR), in the form of the Data Protection Review Court.  The UK Government looks forward to reviewing these changes in the coming weeks.

Following the publication of the recently-released Executive Order, the UK intends to work expediently to review the enhanced safeguards and redress mechanism. This includes concluding discussions on remaining areas of the assessment, formally consulting the Information Commissioner for an opinion as set out in the Memorandum of Understanding, and making preparations for the laying of adequacy regulations in Parliament in early 2023 alongside the issuing of guidance for organisations and individuals.