2023 No. 1028

DATA PROTECTION

The Data Protection (Adequacy) (United States of America) Regulations 2023

Made

Laid before Parliament

Coming into force

The Secretary of State makes these Regulations in exercise of the powers conferred by section 17A(1), (3), (5) and (6) of the Data Protection Act 2018 (“the 2018 Act”)1.

In accordance with section 17A(1) and (3) of the 2018 Act, the Secretary of State considers that the United States of America ensures an adequate level of protection of personal data for certain transfers.

In accordance with section 182(2) of the 2018 Act, the Secretary of State has consulted the Commissioner2 and such other persons as the Secretary of State considers appropriate.

Citation, commencement and extent1

1

These Regulations may be cited as the Data Protection (Adequacy) (United States of America) Regulations 2023.

2

These Regulations come into force on 12th October 2023.

3

These Regulations extend to England and Wales, Scotland and Northern Ireland.

Interpretation2

In these Regulations—

  • Data Privacy Framework List” means the list of that name, as it has effect from time to time, which is maintained and made publicly available by the United States Department of Commerce3;

  • EU-US Data Privacy Framework” means the programme of that name administered by the United States Department of Commerce;

  • EU-US Data Privacy Framework Principles” means the principles and supplemental principles issued by the United States Department of Commerce under the EU-US Data Privacy Framework as they apply to transfers of personal data from the United Kingdom under the UK Extension to the EU-US Data Privacy Framework4;

  • UK Extension to the EU-US Data Privacy Framework” means the extension to the EU-US Data Privacy Framework which the United States Department of Commerce administers in relation to transfers of personal data from the United Kingdom.

Adequate level of protection3

1

For the purposes of Part 2 of the Data Protection Act 20185 and the UK GDPR6, the Secretary of State specifies the United States of America as ensuring an adequate level of protection of personal data7 for a transfer described in paragraph (2).

2

A transfer described by this paragraph is a transfer of personal data which—

a

is to a person in the United States of America who is indicated on the Data Privacy Framework List as participating in the UK Extension to the EU-US Data Privacy Framework; and

b

will be subject to the EU-US Data Privacy Framework Principles on receipt by that person.

Independent supervisory authorities4

The independent supervisory authorities8 for the UK Extension to the EU-US Data Privacy Framework are—

a

the United States Federal Trade Commission; and

b

the United States Department of Transportation.

John WhittingdaleMinister of StateDepartment for Science, Innovation and Technology
Explanatory Note

(This note is not part of the Regulations)

These Regulations specify the United States of America as a country which provides an adequate level of protection of personal data for certain transfers for the purposes of Part 2 of the Data Protection Act 2018 (“the 2018 Act”) and the UK GDPR (defined in section 3 of the 2018 Act). This means that personal data which will be in the scope of the EU-US Data Privacy Framework Principles can be transferred to persons in the United States of America who participate in the UK Extension to the EU-US Data Privacy Framework without the need for any specific authorisation. “Personal data” is defined in Article 4(1) of the UK GDPR and has the same meaning in Part 2 of the 2018 Act by virtue of section 5 of that Act.

A full impact assessment of the effect that this instrument will have on the costs of businesses, the voluntary sector and the public sector will be published with the explanatory memorandum alongside this instrument on www.legislation.gov.uk. Hard copies can be obtained from the offices of the Department for Science, Innovation and Technology, 100 Parliament Street, London SW1A 2BQ.