Following on the heels of the launch of the EU-U.S. Data Privacy Framework (DPF)1 this summer, the U.S. Department of Commerce has extended the DPF to cover transfers of personal data from the United Kingdom (UK) (and Gibraltar) to the United States, in addition to transfers from the European Union to the United States. As of October 12, 2023, employers currently certified to the DPF can expand their certification to cover the transfer to the United States of the personal data of current and former applicants and employees who reside in the UK ("UK HR Data").
Formally termed the UK Extension to the EU-U.S. Data Privacy Framework (the "Extension"), but commonly referred to as the UK-U.S. "data bridge," the expansion of the DPF to cover UK personal data is the result of the UK government adopting The Data Protection (Adequacy)(United States of America) Regulations 2023 ("Adequacy Decision") and the U.S. Attorney General designating the UK as a "qualifying state" by executive order.2 This designation opens the door for UK residents to seek remedies under a mechanism created in conjunction with the launch of the DPF for alleged unlawful access by U.S. government agencies to their personal data transferred to the United States pursuant to the Extension.
As discussed in our previous article, multinational employers that are not certified to the DPF should determine whether this cross-border transfer mechanism fits within their existing compliance model for trans-Atlantic data transfers, inclusive of transfers to service providers. For those employers with UK operations that certified to the DPF this summer or were "grandfathered" in, extending the certification to cover the transfer of UK HR Data would be a logical next step. However, employers should consider the following before self-certifying to the Extension:
- Modifications Needed for Employers Already Certified to
the DPF: For employers that have already certified to the
DPF, extending the certification to cover transfers of UK HR Data
will require some modifications to their existing DPF compliance
documents. A self-certified employer will need to log into its DPF
program account, click on "Self-Certify" and choose the
option to add the Extension to the scope of the existing
self-certification. At the same time, employers making this
election must ensure that their privacy policy conveys that it
applies to the transfer of both EU and UK personal data, pursuant
to both the DPF and the UK Extension.
- Timing Requirements for DPF-Certified
Employers: Employers that are currently certified to the
DPF should take note of the timing requirements for self-certifying
to the Extension and performing the steps detailed above. In its
guidance on the Extension, the International Trade Administration
(ITA) explains that organizations that are already certified to the
DPF and will be extending their certification to include the
Extension will need to make its election either: (1) as part of
their annual re-certification to the DPF; or (2) outside of their
annual re-certification to the DPF "provided it makes that
election no later than six months from July 17, 2023
[i.e., January 17, 2024]."3 For employers
that were grandfathered into the DPF (i.e., those
employers that maintained their Privacy Shield certification), the
ITA's guidance on timing is somewhat ambiguous; however, the
more conservative approach would be to update the
organization's DPF certification to cover to the UK Extension
before January 17, 2024, if the organization's annual
certification is not due until after January 17, 2024.
- Transfers to Service Providers: For
multinational employers that use a U.S.-based HRIS platform
provider to store UK HR Data, the Extension provides a
straightforward way to legitimize the cross-border transfer of UK
HR Data and avoid the burden of completing the detailed
"transfer impact assessment" required when data is
transferred pursuant to Standard Contractual Clauses (SCCs).
However, these benefits can only be realized if the service
provider has also certified to the Extension. The fact that a
service provider has self-certified to the DPF will not be a
sufficient basis for an employer to legitimize the transfer of UK
HR Data without certification to the Extension, too. Of course,
service providers that self-certified to the DPF are very likely to
certify to the Extension also, but employers must wait until this
occurs before transferring UK HR Data. Employers can check the
certification list available at the DPF website to identify those
service providers that have certified to the Extension.
- Transfers of "Sensitive" Personal Data: On September 21, 2023, the UK Information Commissioner's Office (ICO), which is the UK's data protection authority, published an Opinion4 on the Extension and Adequacy Decision. In the Opinion, the ICO noted that the Extension does not require UK organizations to identify any personal data as "sensitive." As a result, categories of personal data that are categorized as "sensitive"—or "special categories"—under the UK General Data Protection Regulation (GDPR) that are often collected by employers will not be subject to any special protection when transferred to the United States pursuant to the Extension. This includes criminal history information, health data, and biometric data. Employers that use the Extension will therefore need to consider the internal technical and administrative controls that they will implement to protect sensitive data transferred pursuant to the Extension.
Footnotes
1. The authors discussed the EU-U.S. Data Privacy Framework in the following article: Department of Commerce Launches the EU-U.S. Data Privacy Framework: Considerations for Multinational Employers that Transfer EU Personal Data to the United States, Littler Insight (July 19, 2023).
2. 88 Fed. Reg. 65405, Sep. 22, 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
