Listen to this post

Beginning today, the UK adequacy decision for US data protection measures goes into effect. As a result, UK companies can transfer personal information to entities in the US that are participants in the EU-US Data Privacy Framework (DPF). As part of the decision, the UK Secretary of State will review the ongoing sufficiency of the DPF every four years. The ICO, in supporting the decision, suggested that the UK Secretary of State look at specific factors when reassessing the program. These include the risk to UK data subjects for automated decision making and right to be forgotten.

Not all US companies will necessarily want to participate in the DPF (see more about the process here). If they do not, then UK companies making transfers will need to rely on existing mechanisms, like SCCs coupled with supplemental safeguard measures.

Putting in into Practice: This extension was expected, but companies who are considering DPF participation for UK-EU transfers should keep in mind that the UK review of the program is on a different cadence than that in the EU.