What to expect from the ICO when making a complaint under the UK Extension to the EU-US Data Privacy Framework or about US Government entities

About the UK Extension to the EU-US Data Privacy Framework
Complaints about the US business under the UK Extension
Complaints about US Government entities access (signals intelligence activities)
What can’t the ICO do?

About the UK Extension to the EU-US Data Privacy Framework

The UK Extension to the EU-US Data Privacy Framework (UK Extension) became operational on 12 October 2023, after the United Kingdom adequacy regulations came into force. The regulations confirm that the UK Extension ensures an adequate level of protection for personal information transferred from a controller or processor in the UK to a business based in the USA.

The EU-US Data Privacy Framework includes a set of Principles and other requirements. US business wishing to join the Framework must self-certify that they meet and comply with these standards to protect personal information. The UK Extension allows certified US companies to opt into receiving UK personal information through the Framework. If an individual is concerned about the way their information is handled, there are a number of different redress mechanisms that can be used.

In addition, the US President’s Executive Order 14086 sets further protections to make sure that US Government entities (including the US Intelligence Community) can only access transferred personal information through signals intelligence activities where it is necessary and proportionate to protect national security. It also introduces an independent and binding mechanism for individuals to seek redress if they believe their personal information was accessed by a US Government entity in breach of applicable US law.

Please note that the redress mechanism for complaints against the US business is entirely separate and distinct from the mechanism for handling concerns about access to transferred personal information by US Government entities through signals intelligence activities. The ICO has different roles in respect of each mechanism.

Complaints about the US business under the UK Extension

The US Department of Commerce oversee the UK Extension, including the registration applications, monitoring that the participating businesses continue to comply with their obligations and handle complaints about those businesses which falsely claim to be part of the scheme. It has a dedicated website that offers advice and publishes the register of all participating US businesses. It is important to remember that if the US business receiving transferred personal information is not registered, the protections of the UK Extension will not apply.

Enforcement of the Framework is carried out by the US Federal Trade Commission or the US Department of Transportation.

The ICO support you with your complaint, but we will only be able to handle your complaint if it relates to human resources personal information transferred in relation to an employment relationship (past or present) or where the US business has voluntarily agreed to cooperate with us in resolving the complaint.

Depending on the nature of the complaint, you may be able to take your complaint further if you are dissatisfied with the outcome.

You can use our complaints tool to find out what to do next and raise a complaint if you are concerned about how your information has been used by a US business that is signed up to the UK Extension, or falsely claiming to be signed up to it.

If you have specific questions, please call our helpline on 0303 123 1113.

What do I need to do before I can complain to the ICO?

You can complain to the ICO about the way a US business that is, or falsely claiming to be registered, to the UK Extension.

Before you complain to us about a US business registered to the UK Extension, you need to have:

complained directly to the business;
asked for clarification from the business if you received a response you don’t understand; and
followed up with the business if you have not received a response after 45 days.

If you have followed all these steps or have not received a response from the US business, you can submit your complaint.

You can only use this service if the ICO is listed as a competent authority for the US business you are complaining about, or if the business is transferring human resources personal information (known as "HR data" under the Framework). You can find out if the ICO is the competent authority on the Data Privacy Framework website.

If you wish to request advice on how to raise a complaint about a UK organisation sending personal data to a US business under the UK Extension, you can submit a request for advice.

This includes requests for advice on using a registered organisation’s in-house complaint process, the ICO’s complaint process or the Binding Arbitration Mechanism process.

What happens when I submit my complaint to the ICO?

When you complain to us, if it is something we can consider under the UK Extension to the EU-US Data Privacy Framework, one of our case officers will look into it.

The case officer will:

weigh up the facts of what’s happened, fairly and impartially;
raise it with the US business; and
tell you the outcome.

If we think the US business has infringed the Data Protection Framework Principles, we will give advice so the business can put things right and improve their information rights practices. We may also inform the relevant US authorities responsible as it may be appropriate for them to consider the complaint dependent upon the nature of the request.

When you complain about a US business falsely claiming to the registered on the UK Extension to the EU-US Data Privacy Framework, one of our case officers will:

make some checks; and
refer it on to the US Department of Commerce.

How long will it take to deal with my complaint?

We aim to deal with complaints as soon as we can. Some complaints can be dealt with quickly but some may require more work and take longer.

What are the possible outcomes of my complaint?

The UK Extension sets out a process for us to consider complaints and to inform you of the outcome. There are a number of potential outcomes for a complaint under the UK Extension:

We may tell you the US business has done nothing wrong and there hasn't been an infringement of the UK Extension to the EU-US Data Privacy Framework.
We may provide advice to a US business that they have not complied with the Data Privacy Framework Principles and ask that they take steps to put things right.
We may also make referrals to relevant US authorities such as the Department of Commerce, the Federal Trade Commission and the Department of Transportation. They will consider your complaint and take any action needed against that US business.

Can the ICO award compensation?

No. The ICO can't award compensation, even when we give our opinion that a business has infringed the UK Extension to the EU-US Data Privacy Framework.

Complaints about US Government entities access (signals intelligence activities)

The US Government has made sure that US Government entities (including the US Intelligence Community) put in place safeguards and limitations, as well as have a complaints process, in relation to their collection and access to information of people in the UK (signals intelligence activities).

This means that people in the UK are able to complain if they reasonably believe that their personal information, which has been transferred from the UK to a US organisation (either using the UK Extension or any other transfer mechanism), was accessed by a US Government entity as part of their signals intelligence activities in a way which adversely affects the person's rights or privacy or civil liberties interests. However, you do not need to raise your complaint with the US Government entity first.

The ICO does not investigate and determine the outcome of this type of complaint, but we will check that your complaint meets requirements to be considered by the relevant US authority, the Civil Liberties Protection Officer of the Office of the Director of National Intelligence at the first stage. We will check that you have included the following information as part of your complaint:

who you are, or details about the person you are acting on behalf of;
the specific means by which, or reasons why you believe, the personal information about you or the person you represent was transmitted to the USA (such as an email address, phone number or other details provided as part of another transaction, online or not);
why you believe the information about you or the person you represent has been subject to signals intelligence activities (as defined in the USA) after it has been sent from the UK to the USA;
when this transfer and subsequent access by US Government entities may have taken place (must be after 12 October 2023);
the names of the US Government entities believed to have accessed this information (if known);
whether you believe this access violated the US Constitution or other relevant US laws, orders, policies or procedures relating to US signals intelligence activities and privacy and civil liberties safeguards ;
whether you believe this access adversely affects either your rights or privacy and civil liberty interests or those of the person you represent;
any other attempts you have made to resolve the matter and the response you received; and
the outcome you are looking for.

If your complaint is passed on to the Civil Liberties Protection Officer of the Office of the Director of National Intelligence, we will then inform you of the outcome of their decision.

If you are unhappy with this decision, you can tell us you wish to challenge it and we will pass it on to the US Data Protection Review Court. It will review your request and the decision before giving a final and binding outcome.

You can use our complaint tool to find out what to do next and raise a complaint if you are concerned that your information has been accessed by US Government entities.

If you have specific questions, please call our helpline on 0303 123 1113.

What can't the ICO do in this context?

In relation to both of the redress mechanisms:

We can't award compensation.
We can't look at complaints about processing of personal information by UK organisations or US businesses not signed up to the UK Extension other than US Government entities. These would need to be considered under our standard complaints process.
We can't consider complaints that do not involve the processing of personal information. The information has to relate to a natural person.
We can't make an organisation apologise to you if things have gone wrong.