
How does the UK Extension to the EU-US Data Privacy Framework work?

At a glance

  • The UK Extension to the EU-US Data Privacy Framework refers to the UK’s adequacy regulations for the US. This is often shortened to the ‘UK Extension’.
  • The UK Extension is a partial adequacy finding. It allows UK organisations, as well as those based in Gibraltar, to make restricted transfers to certain self-certified businesses in the US.
  • Certain US businesses can choose to participate in the UK Extension by self-certifying to the US Department of Commerce that they will comply with the Data Privacy Framework (DPF) requirements.
  • Only US businesses regulated by the US Federal Trade Commission (FTC) or US Department of Transportation (DoT) are eligible to join the DPF.
  • If you’re relying on the adequacy regulations for the UK Extension:
    • You must only make a restricted transfer to a US business that has an active status on the DPF list.
    • You must only transfer the types of personal information that a US business has registered to receive under the DPF, ie human resources personal information (known as ‘HR data’ under the DPF), non-HR data, or both.
    • If you’re transferring HR data, you must check the receiving US business complies with its additional DPF obligations.
    • You must take additional steps for certain types of special category data and criminal offence data. You must make sure the receiving US business is aware they need to treat this personal information as ‘sensitive data’ under the DPF.
  • You must not transfer personal information used for journalism to a US business under the UK Extension.
  • The UK Extension is only a transfer mechanism. You must also comply with all the UK data protection principles and all the other applicable requirements when you transfer personal information.

Checklists

Preparing for a restricted transfer of personal information to a US business using the UK Extension

☐ We check against the DPF list that the receiving US business is signed up to the UK Extension.

☐ We check that the certification is active.

☐ We check the US business’ registration for the types of personal information it can receive (ie HR data, non-HR data, or both) and we check that the US business has put in place the additional requirements for HR data.

☐ We identify and mark special category data and criminal offence data that falls outside the DPF definition for sensitive data. We make sure the receiving US business will treat it as sensitive data.

☐ We are not transferring personal information used for journalism.

☐ We check our compliance with all other UK data protection principles and applicable requirements.

    • If the restricted transfer is not covered by the UK Extension, we understand that we must ensure it’s covered by appropriate safeguards or rely on an exception.

Conducting periodic checks of your recipient’s DPF self-certification, and steps to take if it becomes inactive

☐ We carry out periodic checks on the receiving US business’ self-certification under the DPF.

☐ If its DPF status becomes inactive, we take steps to make sure the receiving US business continues to protect personal information it has already received in line with the DPF.

☐ If the US business cannot continue to protect this information in line with the DPF, we make sure it returns or deletes all the information.

☐ If we continue to make restricted transfers to a US business with an inactive DPF status, we put in place appropriate safeguards or rely on an exception, if appropriate.

In brief

What terminology do we need to understand?

You may see the following terminology used to describe the UK adequacy regulations:

  • ‘The Data Protection (Adequacy) (United States of America) Regulations 2023’ is the formal title of the UK adequacy regulations.
  • ‘The UK Extension to the EU-US Data Privacy Framework’ is how we refer to the adequacy regulations. This is often shortened to the ‘UK Extension’.
  • ‘Data bridge’ is sometimes used to describe restricted transfers under the UK adequacy regulations, giving rise to the term ‘UK-US Data Bridge’.
  • ‘Data Privacy Framework’ (DPF) is the US self-certification scheme and its requirements.
  • ‘Data Privacy Framework Program’ is what the scheme is called in the US.

What is the UK Extension and the DPF?

The UK Extension refers to the adequacy regulations regarding the UK Extension to the EU-US Data Privacy Framework (DPF).

The DPF is an opt-in self-certification scheme that sets out specific principles, or requirements, that US businesses must comply with in order to participate.

The UK Extension allows UK organisations, as well as those based in Gibraltar, to make restricted transfers to US businesses that participate in the DPF without needing appropriate safeguards or an exception.

How does the UK Extension to the EU-US DPF work?

Eligible US businesses can choose to participate in the DPF. They do this by self-certifying to the US Department of Commerce that they will comply with the DPF requirements. Participating US businesses need to self-certify annually to maintain an active status.

Only US businesses regulated by the US Federal Trade Commission (FTC) or US Department of Transportation (DoT) are eligible to join the DPF. This excludes some sectors such as:

  • telecommunication companies;
  • many financial institutions;
  • certain non-profit organisations (not regulated by the FTC); and
  • US government agencies and departments.

The DPF list on the DPF Program website is managed by the US Department of Commerce and contains details of all participating US businesses, with both active and inactive statuses shown.

If you’re a UK organisation looking to make a restricted transfer to the US, you must only rely on the UK Extension if the receiving US business:

  • has an active status on the DPF list;
  • has self-certified to the UK Extension; and
  • has a certification that covers the type of personal information you’re transferring, ie HR data, non-HR data or both.

A US business may choose to withdraw from the DPF, including by deliberately letting its certification lapse, leading to an inactive status. In this situation, if the US business retains personal information transferred under the UK Extension, it needs to do one of the following:

  • complete an annual affirmation that it continues to comply with the DPF principles; or
  • agree to protect the personal information by other authorised means; or
  • return or delete all the personal information.

A participating US business can also be forcibly removed from the DPF by the US Department of Commerce. In this situation, the US business cannot continue to keep the personal information and needs to return or delete it.

You should undertake periodic checks to ensure the US business has maintained its active status on the DPF list.

If a US business becomes inactive after you’ve sent personal information, you should take the following actions to ensure the personal information remains protected:

  • check the US business has made an annual affirmation to the US Department of Commerce and the personal information remains protected; or
  • check the US business has another authorised means to appropriately protect the information.

You should make sure that the US business has returned or deleted all the personal information if it:

  • has been forcibly removed from the DPF; or
  • decides not to retain the personal information or cannot guarantee the protections when it has an inactive status.
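The checks above (active status, self-certification to the UK Extension, registered data types, the journalism exclusion, and what to confirm once a recipient goes inactive) can be encoded as a small pre-transfer and periodic-monitoring routine. The following is an added example and is not ICO, US Department of Commerce or DPF Program code. The DPF list entries are constructed for illustration (the names are not real participants), the field names and the one-year staleness warning are assumptions, and the live DPF list on the DPF Program website remains the authoritative source.

```python
"""Eligibility checks for relying on the UK Extension before a restricted
transfer to a US business, and the follow-up once a recipient goes inactive.

Added example, not ICO or DPF Program code. The entries below are a
constructed snapshot; the field layout is an assumption about how an
organisation might record what it reads off the live DPF list.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

HR = "HR data"
NON_HR = "non-HR data"
UK_EXTENSION = "UK Extension"
SNAPSHOT_DATE = date(2024, 9, 1)  # constructed date the snapshot was taken


@dataclass(frozen=True)
class DpfEntry:
    """One participant as an organisation might record it from the DPF list."""
    name: str
    status: str                          # "Active" or "Inactive"
    frameworks: frozenset[str]           # e.g. {"EU-US DPF", "UK Extension"}
    data_types: frozenset[str]           # subset of {HR, NON_HR}
    certified_on: date                   # date of last self-certification
    removed_by_commerce: bool = False    # forcibly removed, not a voluntary lapse
    annual_affirmation: bool = False     # inactive, but affirmed continued compliance
    other_authorised_means: bool = False  # inactive, but protects data another way


# Constructed snapshot of four DPF list entries (not real businesses).
DPF_LIST: dict[str, DpfEntry] = {
    e.name: e
    for e in [
        DpfEntry("Example Cloud Inc", "Active", frozenset({"EU-US DPF", UK_EXTENSION}),
                 frozenset({HR, NON_HR}), date(2024, 3, 1)),
        DpfEntry("EU Only LLC", "Active", frozenset({"EU-US DPF"}),
                 frozenset({NON_HR}), date(2024, 5, 9)),
        DpfEntry("Lapsed Analytics Corp", "Inactive", frozenset({"EU-US DPF", UK_EXTENSION}),
                 frozenset({NON_HR}), date(2023, 1, 15), annual_affirmation=True),
        DpfEntry("Removed Payroll Co", "Inactive", frozenset({"EU-US DPF", UK_EXTENSION}),
                 frozenset({HR, NON_HR}), date(2023, 6, 30), removed_by_commerce=True),
    ]
}


@dataclass
class Decision:
    can_rely_on_uk_extension: bool
    blocking_reasons: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def check_transfer(recipient: str, data_type: str, *, journalism: bool = False,
                   today: date = SNAPSHOT_DATE,
                   dpf_list: dict[str, DpfEntry] = DPF_LIST) -> Decision:
    """Apply the pre-transfer checks. Any blocking reason means the transfer
    needs appropriate safeguards or an exception instead of the UK Extension."""
    reasons: list[str] = []
    warnings: list[str] = []
    if journalism:
        reasons.append("personal information used for journalism cannot be "
                       "transferred under the UK Extension")
    entry = dpf_list.get(recipient)
    if entry is None:
        reasons.append(f"{recipient} is not on the DPF list")
        return Decision(False, reasons, warnings)
    if entry.status != "Active":
        reasons.append(f"{recipient} has an inactive DPF status")
    if UK_EXTENSION not in entry.frameworks:
        reasons.append(f"{recipient} has not self-certified to the UK Extension")
    if data_type not in entry.data_types:
        reasons.append(f"{recipient} is not registered to receive {data_type}")
    elif data_type == HR:
        warnings.append("HR data: confirm the recipient has the additional "
                        "DPF HR obligations in place")
    # Participants re-certify annually. A snapshot entry older than a year is a
    # prompt to re-check the live list (assumed threshold, not a DPF rule).
    if today - entry.certified_on > timedelta(days=365):
        warnings.append(f"{recipient}'s self-certification is more than a year "
                        "old; re-check the live DPF list")
    return Decision(not reasons, reasons, warnings)


def action_for_retained_data(entry: DpfEntry) -> str:
    """What to confirm for data already sent once the recipient's status changes."""
    if entry.status == "Active":
        return "no action: recipient remains active"
    if entry.removed_by_commerce:
        return "return or delete: recipient was removed by the US Department of Commerce"
    if entry.annual_affirmation:
        return "may retain: recipient affirmed continued compliance with the DPF principles"
    if entry.other_authorised_means:
        return "may retain: recipient protects the information by other authorised means"
    return "return or delete: recipient cannot guarantee DPF protections"


if __name__ == "__main__":
    for name in DPF_LIST:
        print(name, check_transfer(name, HR), action_for_retained_data(DPF_LIST[name]))
```

Blocking reasons and warnings are kept separate on purpose: a missing UK Extension certification or an inactive status forces you onto article 46 safeguards or an exception, whereas the HR and staleness items are prompts to verify something before relying on the UK Extension.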

What types of personal information can we transfer under the UK Extension?

The UK Extension only allows you to transfer certain types of personal information to a participating US business.

A US business can receive human resources information (referred to as HR data), non-HR data, or both. HR data is defined in the DPF as “personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider.”

A US business can only receive HR data if its self-certification covers this type of personal information. You should check this on its entry on the DPF list on the US Department of Commerce’s DPF Program website. The US business has to meet additional obligations for HR data transferred under the UK Extension and you should ensure these are in place.

As a UK organisation, you must also take additional steps if you’re transferring special category and criminal offence data. See What are the additional requirements for special category and criminal offence data?

You must not transfer personal information used for journalism to a US business under the UK Extension as there are journalistic exceptions under the DPF.

The DPF defines this as “personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives, isn’t subject to the requirements of the principles.”

What are the additional requirements for special category and criminal offence data?

The DPF recognises that certain categories of sensitive personal information need an increased level of protection. However, the definition of sensitive data under the DPF is narrower than the definition of special category data under the UK GDPR. In addition, criminal offence data isn’t given specific protection under the DPF.

The following types of personal information can be treated as sensitive under the DPF if the UK organisation identifies them as sensitive. However, they are not automatically protected as sensitive under the DPF:

  • genetic data;
  • biometric data used for unique identification;
  • data about someone’s sexual orientation; and
  • criminal offence data.

To ensure that such special category data and criminal offence data are protected as sensitive data before you transfer them to a US business under the UK Extension, you must:

  • identify the relevant information as sensitive (genetic data; biometric data used for unique identification; information about someone’s sexual orientation; and criminal offence data); and
  • ensure the US business is aware that it needs to treat the relevant information as sensitive.

You should also:

  • assess data classification options for marking the information, ensuring the classification stays with the information during and after you transfer it;
  • discuss and agree data classification with the US business so it knows the information is sensitive and that it needs to maintain it with appropriate protections, especially if the US business shares it further;
  • mark the relevant information in accordance with the agreed classification before transferring it to the US business; and
  • use a means of permanent marking that remains with the information, so the sensitive classification isn’t lost when the information is transferred by you or the US business.

You should consider the practicalities around data classification based on your own situation, including the available data classification tools.

A variety of tools may already be available to you. For example, many commonly used software packages feature data classification tools, including persistent labelling (such as watermarks) and the addition of metadata. Other technologies and approaches may also be appropriate depending on your particular situation.
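One way to carry out the marking steps above so that the classification travels with the information, including when the US business shares it onward. This is an added example and is not ICO code or a DPF requirement: the label vocabulary, the envelope layout, the sample record and the recipient-side checks are all assumptions that would need to be agreed with the receiving US business.

```python
"""Persistent sensitivity marking for information sent under the UK Extension
where the UK GDPR category is wider than the DPF's definition of sensitive data.

Added example, not ICO code. The envelope format and field labels are
assumptions to agree with the recipient; the sample record is constructed.
"""
from __future__ import annotations

import json

# UK GDPR categories that the DPF does not automatically treat as sensitive
# (per the guidance above), so they must be identified and marked explicitly.
DPF_GAP_CATEGORIES = {"genetic", "biometric_unique_id", "sexual_orientation",
                      "criminal_offence"}

# Constructed sample record and its field classification (not real data).
SAMPLE_RECORD = {
    "employee_id": "E-1001",
    "dna_profile": "constructed-genetic-marker-string",
    "convictions": "none recorded",
    "email": "employee@example.test",
}
FIELD_CATEGORIES = {
    "dna_profile": "genetic",
    "convictions": "criminal_offence",
    "email": "none",
}


def mark_record(record: dict, field_categories: dict[str, str]) -> dict:
    """Attach a classification label to every field as metadata.

    Fields whose UK GDPR category falls in a DPF gap are labelled 'sensitive'
    so the recipient treats them as DPF sensitive data; all others 'standard'.
    """
    marked = {}
    for name, value in record.items():
        category = field_categories.get(name, "none")
        marked[name] = {
            "value": value,
            "classification": "sensitive" if category in DPF_GAP_CATEGORIES else "standard",
            "uk_gdpr_category": category,
        }
    return marked


def serialise(marked: dict, sender: str) -> str:
    """Sender side: envelope with an agreed schema name (assumed) and labelled fields."""
    return json.dumps({"schema": "uk-extension-transfer/1", "sender": sender,
                       "fields": marked})


def receive(payload: str) -> dict:
    """Recipient side: refuse any field that arrives without a classification label,
    so a dropped label is caught rather than silently treated as standard data."""
    doc = json.loads(payload)
    for name, f in doc["fields"].items():
        if "classification" not in f:
            raise ValueError(f"field {name!r} arrived without a classification label")
    return doc


def share_onward(doc: dict, field_names: list[str]) -> str:
    """Onward sharing by the recipient: the subset keeps each field's label."""
    subset = {n: doc["fields"][n] for n in field_names}
    return json.dumps({"schema": doc["schema"], "sender": doc["sender"],
                       "fields": subset})


def sensitive_fields(doc: dict) -> set[str]:
    """Names of fields that must be handled as DPF sensitive data."""
    return {n for n, f in doc["fields"].items() if f["classification"] == "sensitive"}


if __name__ == "__main__":
    doc = receive(serialise(mark_record(SAMPLE_RECORD, FIELD_CATEGORIES), "Example UK Ltd"))
    print("sensitive on receipt:", sensitive_fields(doc))
    print("sensitive after onward share:",
          sensitive_fields(receive(share_onward(doc, ["dna_profile", "email"]))))
```

Labelling per field rather than per file matters here because the US business may share only part of a record onward; a per-file watermark would not tell the next recipient which individual values need sensitive handling.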

What if the US business is not registered to receive personal information under the UK Extension?

You must put in place appropriate safeguards or rely on an exception before making a restricted transfer to a US business that:

  • is not on the DPF list;
  • has an inactive status under the DPF; or
  • is not registered to receive the type of personal information you want to transfer.

If you plan to use one of the “safeguards” listed in article 46 of the UK GDPR, you must first complete a transfer risk assessment (TRA). We’ve published additional guidance on completing a TRA using the UK government analysis (US). This guidance describes how a UK organisation can use the government’s analysis of the UK Extension to inform its TRA.