Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
Following on the heels of the launch of the EU-U.S. Data Privacy Framework (DPF)1 this summer, the U.S. Department of Commerce has extended the DPF to cover transfers of personal data from the United Kingdom (UK) (and Gibraltar) to the United States, in addition to transfers from the European Union to the United States. As of October 12, 2023, employers currently certified to the DPF can expand their certification to cover the transfer to the United States of the personal data of current and former applicants and employees who reside in the UK (“UK HR Data”).
Formally termed the UK Extension to the EU-U.S. Data Privacy Framework (the “Extension”), but commonly referred to as the UK-U.S. “data bridge,” the expansion of the DPF to cover UK personal data is the result of the UK government adopting The Data Protection (Adequacy)(United States of America) Regulations 2023 (“Adequacy Decision”) and the U.S. Attorney General designating the UK as a “qualifying state” by executive order.2 This designation opens the door for UK residents to seek remedies under a mechanism created in conjunction with the launch of the DPF for alleged unlawful access by U.S. government agencies to their personal data transferred to the United States pursuant to the Extension.
As discussed in our previous article, multinational employers that are not certified to the DPF should determine whether this cross-border transfer mechanism fits within their existing compliance model for trans-Atlantic data transfers, inclusive of transfers to service providers. For those employers with UK operations that certified to the DPF this summer or were “grandfathered” in, extending the certification to cover the transfer of UK HR Data would be a logical next step. However, employers should consider the following before self-certifying to the Extension:
- Timing Requirements for DPF-Certified Employers: Employers that are currently certified to the DPF should take note of the timing requirements for self-certifying to the Extension and performing the steps detailed above. In its guidance on the Extension, the International Trade Administration (ITA) explains that organizations that are already certified to the DPF and will be extending their certification to include the Extension will need to make its election either: (1) as part of their annual re-certification to the DPF; or (2) outside of their annual re-certification to the DPF “provided it makes that election no later than six months from July 17, 2023 [i.e., January 17, 2024].”3 For employers that were grandfathered into the DPF (i.e., those employers that maintained their Privacy Shield certification), the ITA’s guidance on timing is somewhat ambiguous; however, the more conservative approach would be to update the organization’s DPF certification to cover to the UK Extension before January 17, 2024, if the organization’s annual certification is not due until after January 17, 2024.
- Transfers to Service Providers: For multinational employers that use a U.S.-based HRIS platform provider to store UK HR Data, the Extension provides a straightforward way to legitimize the cross-border transfer of UK HR Data and avoid the burden of completing the detailed “transfer impact assessment” required when data is transferred pursuant to Standard Contractual Clauses (SCCs). However, these benefits can only be realized if the service provider has also certified to the Extension. The fact that a service provider has self-certified to the DPF will not be a sufficient basis for an employer to legitimize the transfer of UK HR Data without certification to the Extension, too. Of course, service providers that self-certified to the DPF are very likely to certify to the Extension also, but employers must wait until this occurs before transferring UK HR Data. Employers can check the certification list available at the DPF website to identify those service providers that have certified to the Extension.
- Transfers of “Sensitive” Personal Data: On September 21, 2023, the UK Information Commissioner’s Office (ICO), which is the UK’s data protection authority, published an Opinion4 on the Extension and Adequacy Decision. In the Opinion, the ICO noted that the Extension does not require UK organizations to identify any personal data as “sensitive.” As a result, categories of personal data that are categorized as “sensitive”—or “special categories”—under the UK General Data Protection Regulation (GDPR) that are often collected by employers will not be subject to any special protection when transferred to the United States pursuant to the Extension. This includes criminal history information, health data, and biometric data. Employers that use the Extension will therefore need to consider the internal technical and administrative controls that they will implement to protect sensitive data transferred pursuant to the Extension.
1 The authors discussed the EU-U.S. Data Privacy Framework in the following article: Department of Commerce Launches the EU-U.S. Data Privacy Framework: Considerations for Multinational Employers that Transfer EU Personal Data to the United States, Littler Insight (July 19, 2023).
2 88 Fed. Reg. 65405, Sep. 22, 2023.