The Data Protection (Adequacy) (United States of America) Regulations 2023 No. 1028


BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

United Kingdom Statutory Instruments


You are here: BAILII >> Databases >> United Kingdom Statutory Instruments >> The Data Protection (Adequacy) (United States of America) Regulations 2023 No. 1028
URL: http://www.bailii.org/uk/legis/num_reg/2023/uksi_20231028_en_1.html

[New search] [Help]


Status:

This is the original version (as it was originally made). This item of legislation is currently only available in its original format.

Statutory Instruments

2023 No. 1028

DATA PROTECTION

The Data Protection (Adequacy) (United States of America) Regulations 2023

Made

20th September 2023

Laid before Parliament

21st September 2023

Coming into force

12th October 2023

The Secretary of State makes these Regulations in exercise of the powers conferred by section 17A(1), (3), (5) and (6) of the Data Protection Act 2018 (“ the 2018 Act”)( 1).

In accordance with section 17A(1) and (3) of the 2018 Act, the Secretary of State considers that the United States of America ensures an adequate level of protection of personal data for certain transfers.

In accordance with section 182(2) of the 2018 Act, the Secretary of State has consulted the Commissioner( 2) and such other persons as the Secretary of State considers appropriate.

Citation, commencement and extent

1.—(1) These Regulations may be cited as the Data Protection (Adequacy) (United States of America) Regulations 2023.

(2) These Regulations come into force on 12th October 2023.

(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.

Interpretation

2.  In these Regulations—

Data Privacy Framework List” means the list of that name, as it has effect from time to time, which is maintained and made publicly available by the United States Department of Commerce( 3);

EU-US Data Privacy Framework” means the programme of that name administered by the United States Department of Commerce;

EU-US Data Privacy Framework Principles” means the principles and supplemental principles issued by the United States Department of Commerce under the EU-US Data Privacy Framework as they apply to transfers of personal data from the United Kingdom under the UK Extension to the EU-US Data Privacy Framework( 4);

UK Extension to the EU-US Data Privacy Framework” means the extension to the EU-US Data Privacy Framework which the United States Department of Commerce administers in relation to transfers of personal data from the United Kingdom.

Adequate level of protection

3.—(1) For the purposes of Part 2 of the Data Protection Act 2018( 5) and the UK GDPR( 6), the Secretary of State specifies the United States of America as ensuring an adequate level of protection of personal data( 7) for a transfer described in paragraph (2).

(2) A transfer described by this paragraph is a transfer of personal data which—

(a) is to a person in the United States of America who is indicated on the Data Privacy Framework List as participating in the UK Extension to the EU-US Data Privacy Framework; and

(b) will be subject to the EU-US Data Privacy Framework Principles on receipt by that person.

Independent supervisory authorities

4.  The independent supervisory authorities( 8) for the UK Extension to the EU-US Data Privacy Framework are—

(a) the United States Federal Trade Commission; and

(b) the United States Department of Transportation.

John Whittingdale

Minister of State

Department for Science, Innovation and Technology

20th September 2023

Explanatory Note

(This note is not part of the Regulations)

These Regulations specify the United States of America as a country which provides an adequate level of protection of personal data for certain transfers for the purposes of Part 2 of the Data Protection Act 2018 (“ the 2018 Act”) and the UK GDPR (defined in section 3 of the 2018 Act). This means that personal data which will be in the scope of the EU-US Data Privacy Framework Principles can be transferred to persons in the United States of America who participate in the UK Extension to the EU-US Data Privacy Framework without the need for any specific authorisation. “Personal data” is defined in Article 4(1) of the UK GDPR and has the same meaning in Part 2 of the 2018 Act by virtue of section 5 of that Act.

A full impact assessment of the effect that this instrument will have on the costs of businesses, the voluntary sector and the public sector will be published with the explanatory memorandum alongside this instrument onwww.legislation.gov.uk. Hard copies can be obtained from the offices of the Department for Science, Innovation and Technology, 100 Parliament Street, London SW1A 2BQ.

( 1)

2018 c. 12; section 17A was inserted by S.I. 2019/419, Schedule 2, paragraphs 1 and 23.

( 2)

“The Commissioner” is defined in section 3(8) of the Data Protection Act 2018.

( 3)

A link to the Data Privacy Framework List can be found at https://www.gov.uk/government/publications/uk-us-data-bridge-data-privacy-framework-principles-and-list. Hard copies can also be inspected during office hours and free of charge at the offices of the Department for Science, Innovation and Technology, 100 Parliament Street, London SW1A 2BQ.

( 4)

Electronic copies of these principles can be obtained from https://www.gov.uk/government/publications/uk-us-data-bridge-data-privacy-framework-principles-and-list. Hard copies can also be inspected during office hours and free of charge at the offices of the Department for Science, Innovation and Technology, 100 Parliament Street, London SW1A 2BQ.

( 5)

2018 c. 12.

( 6)

The “UK GDPR” is defined in section 3(10) of the 2018 Act.

( 7)

“Personal data” is defined in Article 4(1) of the UK GDPR and has the same meaning in Part 2 of the 2018 Act by virtue of section 5 of that Act.

( 8)

Referred to in Article 45(2)(b) of the UK GDPR.


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/uk/legis/num_reg/2023/uksi_20231028_en_1.html