
2023 No. 1028 
DATA PROTECTION
 The Data Protection (Adequacy) (United States of America) Regulations 2023
Made 20th September 2023
Laid before Parliament 21st September 2023
Coming into force 12th October 2023

The Secretary of State makes these Regulations in exercise of the powers conferred by section 17A(1), (3), (5) and (6) of the Data Protection Act 2018 (“the 2018 Act”).
In accordance with section 17A(1) and (3) of the 2018 Act, the Secretary of State considers that the United States of America ensures an adequate level of protection of personal data for certain transfers.

In accordance with section 182(2) of the 2018 Act, the Secretary of State has consulted the Commissioner and such other persons as the Secretary of State considers appropriate.
Citation, commencement and extent
1 

(1) These Regulations may be cited as the Data Protection (Adequacy) (United States of America) Regulations 2023.
(2) These Regulations come into force on 12th October 2023.
(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.
Interpretation
2 
In these Regulations—
 “Data Privacy Framework List” means the list of that name, as it has effect from time to time, which is maintained and made publicly available by the United States Department of Commerce;
 “EU-US Data Privacy Framework” means the programme of that name administered by the United States Department of Commerce;
 “EU-US Data Privacy Framework Principles” means the principles and supplemental principles issued by the United States Department of Commerce under the EU-US Data Privacy Framework as they apply to transfers of personal data from the United Kingdom under the UK Extension to the EU-US Data Privacy Framework;
 “UK Extension to the EU-US Data Privacy Framework” means the extension to the EU-US Data Privacy Framework which the United States Department of Commerce administers in relation to transfers of personal data from the United Kingdom.
Adequate level of protection
3 

(1) For the purposes of Part 2 of the Data Protection Act 2018 and the UK GDPR, the Secretary of State specifies the United States of America as ensuring an adequate level of protection of personal data for a transfer described in paragraph (2).
(2) A transfer described by this paragraph is a transfer of personal data which—
(a) is to a person in the United States of America who is indicated on the Data Privacy Framework List as participating in the UK Extension to the EU-US Data Privacy Framework; and
(b) will be subject to the EU-US Data Privacy Framework Principles on receipt by that person.
Independent supervisory authorities
4 
The independent supervisory authorities for the UK Extension to the EU-US Data Privacy Framework are—
(a) the United States Federal Trade Commission; and
(b) the United States Department of Transportation.
John Whittingdale
Minister of State
Department for Science, Innovation and Technology
20th September 2023