This is the original version (as it was originally made). This item of legislation is currently only available in its original format.
Statutory Instruments
DATA PROTECTION
Made: 20th September 2023
Laid before Parliament: 21st September 2023
Coming into force: 12th October 2023
The Secretary of State makes these Regulations in exercise of the powers conferred by section 17A(1), (3), (5) and (6) of the Data Protection Act 2018 (“the 2018 Act”)(1).
In accordance with section 17A(1) and (3) of the 2018 Act, the Secretary of State considers that the United States of America ensures an adequate level of protection of personal data for certain transfers.
In accordance with section 182(2) of the 2018 Act, the Secretary of State has consulted the Commissioner(2) and such other persons as the Secretary of State considers appropriate.
1.—(1) These Regulations may be cited as the Data Protection (Adequacy) (United States of America) Regulations 2023.
(2) These Regulations come into force on 12th October 2023.
(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.
2. In these Regulations—
“Data Privacy Framework List” means the list of that name, as it has effect from time to time, which is maintained and made publicly available by the United States Department of Commerce(3);
“EU-US Data Privacy Framework” means the programme of that name administered by the United States Department of Commerce;
“EU-US Data Privacy Framework Principles” means the principles and supplemental principles issued by the United States Department of Commerce under the EU-US Data Privacy Framework as they apply to transfers of personal data from the United Kingdom under the UK Extension to the EU-US Data Privacy Framework(4);
“UK Extension to the EU-US Data Privacy Framework” means the extension to the EU-US Data Privacy Framework which the United States Department of Commerce administers in relation to transfers of personal data from the United Kingdom.
3.—(1) For the purposes of Part 2 of the Data Protection Act 2018(5) and the UK GDPR(6), the Secretary of State specifies the United States of America as ensuring an adequate level of protection of personal data(7) for a transfer described in paragraph (2).
(2) A transfer described by this paragraph is a transfer of personal data which—
(a) is to a person in the United States of America who is indicated on the Data Privacy Framework List as participating in the UK Extension to the EU-US Data Privacy Framework; and
(b) will be subject to the EU-US Data Privacy Framework Principles on receipt by that person.
4. The independent supervisory authorities(8) for the UK Extension to the EU-US Data Privacy Framework are—
(a) the United States Federal Trade Commission; and
(b) the United States Department of Transportation.
John Whittingdale
Minister of State
Department for Science, Innovation and Technology
20th September 2023
(This note is not part of the Regulations)
These Regulations specify the United States of America as a country which provides an adequate level of protection of personal data for certain transfers for the purposes of Part 2 of the Data Protection Act 2018 (“the 2018 Act”) and the UK GDPR (defined in section 3 of the 2018 Act). This means that personal data which will be in the scope of the EU-US Data Privacy Framework Principles can be transferred to persons in the United States of America who participate in the UK Extension to the EU-US Data Privacy Framework without the need for any specific authorisation. “Personal data” is defined in Article 4(1) of the UK GDPR and has the same meaning in Part 2 of the 2018 Act by virtue of section 5 of that Act.
A full impact assessment of the effect that this instrument will have on the costs of businesses, the voluntary sector and the public sector will be published with the explanatory memorandum alongside this instrument on www.legislation.gov.uk. Hard copies can be obtained from the offices of the Department for Science, Innovation and Technology, 100 Parliament Street, London SW1A 2BQ.
2018 c. 12; section 17A was inserted by S.I. 2019/419, Schedule 2, paragraphs 1 and 23.
“The Commissioner” is defined in section 3(8) of the Data Protection Act 2018.
A link to the Data Privacy Framework List can be found at https://www.gov.uk/government/publications/uk-us-data-bridge-data-privacy-framework-principles-and-list. Hard copies can also be inspected during office hours and free of charge at the offices of the Department for Science, Innovation and Technology, 100 Parliament Street, London SW1A 2BQ.
Electronic copies of these principles can be obtained from https://www.gov.uk/government/publications/uk-us-data-bridge-data-privacy-framework-principles-and-list. Hard copies can also be inspected during office hours and free of charge at the offices of the Department for Science, Innovation and Technology, 100 Parliament Street, London SW1A 2BQ.
The “UK GDPR” is defined in section 3(10) of the 2018 Act.
“Personal data” is defined in Article 4(1) of the UK GDPR and has the same meaning in Part 2 of the 2018 Act by virtue of section 5 of that Act.
Referred to in Article 45(2)(b) of the UK GDPR.