Completing a TRA using the UK government’s analysis (US)
In detail
- When do we need to complete a TRA for restricted transfers to the US?
- What is the UK government’s analysis?
- Why can we rely on the UK government’s analysis to streamline our TRA process for restricted transfers to the US?
- How can we rely on the UK government’s analysis to complete our TRA?
When do we need to complete a TRA for restricted transfers to the US?
If you’re relying on appropriate safeguards to make a restricted transfer to an organisation located in the US, you must complete a TRA to make sure that the standard of protection for people’s information is not materially lower after you transfer it.
There are various reasons why you may want to rely on one of the safeguards to transfer personal information to the US. These include, for example, that:
- your US recipient is not certified to the Data Privacy Framework (DPF) scheme, or the restricted transfer is not covered under the recipient’s certification;
- none of the exceptions under the UK GDPR apply to your restricted transfer;
- you’re making the restricted transfer under a UK BCR; or
- you or the US recipient uses the Addendum or the IDTA as your preferred transfer mechanism.
The UK Extension to the EU-US DPF (the ‘UK Extension’) is an addition to the EU’s adequacy decision for the US. The UK government has made adequacy regulations for the UK Extension. This means that the UK Extension allows UK organisations, as well as those based in Gibraltar, to transfer personal information to US businesses that take part in the DPF without needing to use appropriate safeguards or an exception.
The DPF is an opt-in self-certification scheme that allows eligible US businesses to receive personal information from a UK organisation. The DPF sets out specific principles, or requirements, that these US businesses must comply with to take part.
You should base your decision to use appropriate safeguards on:
- the circumstances of each restricted transfer;
- the extent to which other options are available; and
- your commercial practices and those of the recipient.
You must complete a TRA before transferring personal information using a safeguard, regardless of which safeguard you use or why.
We encourage you to rely on the UK government’s published analysis of the UK Extension to streamline your TRA process for restricted transfers to the US.
What is the UK government’s analysis?
In October 2023, the UK government introduced adequacy regulations for the US in the form of the UK Extension. These regulations allow the free flow of personal information to organisations located in the US that are appropriately certified under the DPF scheme, without needing to rely on appropriate safeguards or an exception.
The work to establish the UK Extension included a detailed analysis by the Department for Science, Innovation & Technology (DSIT) of the level of protection that the US gives people in the UK (the ‘DSIT analysis’). DSIT’s review considered:
- the rule of law;
- respect for fundamental rights and freedoms;
- the existence of an effective and independent supervisory authority; and
- relevant international commitments.
DSIT concluded that the UK Extension and other relevant US laws and practices provide an adequate level of protection for personal information. The standard of protection for people in the UK is not undermined after their personal information is transferred to certified US organisations.
The DSIT analysis has been published in full.
Other resources
- The Data Protection (Adequacy) (United States of America) Regulations 2023 (the UK Extension)
- UK government supporting documents about the adequacy regulations (referred to as the UK-US data bridge), including a UK-US data bridge factsheet for UK organisations
Why can we rely on the UK government’s analysis to streamline our TRA process for restricted transfers to the US?
Some of the DSIT analysis is specific to restricted transfers under the UK Extension. However, a significant part of the analysis relates to broader issues not specific to the UK Extension, including:
- analysis of the application of relevant US laws and practices more generally; and
- consideration of US laws related to access and use of personal information by US agencies for the purposes of national security and law enforcement.
So, it’s equally relevant to personal information transferred using appropriate safeguards.
First, in the section “Legislative Framework and Commitment to Data Protection”, the DSIT analysis considers:
- respect for the rule of law;
- respect for fundamental rights and freedoms;
- the existence of an effective and independent supervisory authority; and
- relevant international commitments.
It concludes that:
“On the basis of this analysis, DSIT considers that the US respects and maintains the rule of law in its constitutional and legislative framework, and that the US respects human rights and fundamental freedoms.”
Second, in the section “Government Access to Personal Data – An Overview”, DSIT considers the framework under which US government entities can access personal information after it’s been transferred to the US for matters in the public interest, in particular for national security and law enforcement purposes.
DSIT concludes that:
“… DSIT is satisfied that when the US authorities access data for the purposes of national security, they do so in a manner provided for by law, and in accordance with a framework that ensures sufficient limitations and safeguards that ensure that interferences are necessary and proportionate, and conducted in the pursuit of legitimate aims. These safeguards and limitations sufficiently mitigate the potential for abuse. There is effective redress to rectify unlawful interferences. In addition, the specific requirements under the US legislative instruments highlights the importance of privacy and civil liberties considerations throughout the US signals intelligence procedure.”
DSIT concludes about law enforcement that:
“…the US system is underpinned by robust limitations, safeguards, oversight and redress mechanisms in relation to law enforcement access to personal data. Based on the totality of this assessment, DSIT is content that the protections available for UK data subjects are not undermined when their personal data is transferred to the US under the UK Extension.”
This conclusion refers to the UK Extension, but the analysis applies more widely.
These broader issues analysed by DSIT mirror the issues that you need to address in your TRA.
As such, you could incorporate the DSIT analysis into your own TRA by reference, rather than repeating the analysis process yourself.
We consider that it’s reasonable and proportionate for you to rely on this analysis in your TRA, regardless of whether the personal information you’re transferring is categorised as low, medium or high risk.
How can we rely on the UK government’s analysis to complete our TRA?
You should note and document that:
- the DSIT analysis concludes that US laws and practices provide adequate protections for people whose personal information is transferred to the US, for the risks to people’s rights:
  - arising in the destination country from third parties that are not bound by the safeguard accessing the information (including government and public bodies); and
  - arising from difficulties enforcing the safeguard (eg because of the laws in the destination country); and
- it’s reasonable and proportionate for you to rely on the DSIT analysis for your TRA because the scope of this assessment is as required under UK legislation. In addition, one of the following applies, depending on the purpose for which the assessment was conducted:
  - for adequacy regulations, the enactment of those adequacy regulations by the UK government and Parliament, based on that assessment; or
  - to review adequacy regulations, the UK government’s decision based on that assessment.
You must regularly review any published updates to the DSIT analysis. If DSIT changes the conclusions you referred to in your TRA, you must review and update your TRA accordingly.
Example
A UK company wishes to use an HR platform to record holiday and sickness absence. The HR platform is provided by a US company that stores all client information in the US. The UK company recognises that when it uses the HR platform, it will be making a restricted transfer to the US.
The UK company checks the DPF register and notes that the US provider of the HR platform is not certified to it. The UK company therefore considers using appropriate safeguards. It decides to use the IDTA as its safeguard. The US provider confirms that it has used the IDTA previously and can provide a template version.
The UK company recognises that it must complete a TRA before signing the IDTA. It reviews our guidance on TRAs and decides that it wants to follow option 3, relying on the DSIT analysis.
The UK company amends the IDTA by adding the following wording at the end of Part 1 of the IDTA to document that it has completed a TRA:
“The Exporter has completed a transfer risk assessment (TRA). It has relied on the Department for Science, Innovation & Technology’s Analysis of the UK Extension to the EU-US data privacy framework published in September 2023 (the DSIT analysis).
The Exporter is satisfied that the DSIT analysis concludes that US laws and practices provide adequate protections for people whose personal information is transferred to the US for risks to people’s rights:
(i) arising in the US from third parties that are not bound by this IDTA accessing the transferred personal information, in particular government and public bodies; and
(ii) arising from difficulties enforcing the IDTA.
The Exporter considers that it is reasonable and proportionate for it to rely on the DSIT analysis, because the scope of this assessment is as required under UK GDPR and the enactment of adequacy regulations under the DPA by the Secretary of State and Parliament, based on that assessment.
The Exporter will review this TRA if a new or amended version of the DSIT analysis is published, or the DSIT analysis is withdrawn.”
The amended IDTA is signed by both companies.
The UK company has completed and documented its TRA. There is no need for it to use our TRA tool or take any further steps, unless DSIT changes the conclusions of its analysis.
Example
This is an identical scenario to the previous example, except that the US provider confirms that it has used the Addendum previously and has a template version that it can provide.
In this case, the identical TRA wording is inserted into the Addendum at the end of Part 1.