ILTA WHITE PAPER & SURVEY RESULTS | LITIGATION & PRACTICE SUPPORT
ILTA'S 2023 LITIGATION & PRACTICE SUPPORT SURVEY RESULTS
Concomitantly, the U.S. Department of Commerce launched a new Data Privacy
Framework (DPF) program website that enables US companies to certify their participation
in the EU-U.S. DPF and facilitate cross-border transfers of personal data in compliance with
EU law.
The new DPF enables a US business to self-certify under the new framework, meaning
that the business has privacy safeguards in place to protect personal data. Companies
interested in learning about the self-certification process may begin the registration process
on the US Department of Commerce's website here.
The United Kingdom is not part of the European Union or the EEA, which of course
raises the question of how businesses transfer data between the UK and the US.
In October of 2023, the governments of the UK and the US enacted regulations that
are being called the UK-US Data Bridge (the actual name is the UK Extension to the
EU-US Data Privacy Framework). The legislative enactment in the UK is The Data Protection
(Adequacy) (United States of America) Regulations 2023, which came into force on
October 12, 2023. This legislation provides for an adequacy decision under UK law and
allows for data transfers between companies in the UK and those US businesses that are
certified under the DPF.
In the US, the authority for UK-US data transfers stems from the DPF and an executive
order issued by the Biden Administration, which directs US businesses and parts of the US
government to meet GDPR-like requirements.
These new processes are intended to be simpler than the Safe Harbor and Privacy Shield
provisions that were shot down by the European Court of Justice for failure to meet EU data
privacy requirements. This new regulatory framework also appears to be simpler than the
standard contractual clauses and binding corporate rules that currently exist for
businesses moving data from the EU to the US.
While certification under the DPF and the Data Bridge is voluntary, once a business self-certifies
and publicly declares its commitment to the principles of the DPF, follow-through is enforceable
under US law by the Department of Commerce.
Hundreds of companies have already been certified for the UK Data Bridge. Anyone interested
in reviewing the companies certified under the DPF and the Data Bridge may search company
names here.
According to the US Department of Commerce website, the DPF program is particularly
valuable for small- and medium-sized enterprises that can now access an affordable and streamlined
mechanism for personal data transfers from the EEA to the US.
More data flows between the United States and Europe than anywhere else in the world.
Companies, litigants, and even service providers regularly engaged in trans-Atlantic data transfers
would be wise to become familiar with the new regulations.