Demystifying international data transfers and what reform to the data protection regime means for them.
The free flow of data is a cornerstone of UK international trade. The Department for International Trade estimates the UK exported 190.3 billion digitally delivered services (representing 67.1% of total UK services exports).
Any business which operates digital products and services internationally will almost certainly depend on transferring data across borders, likely including the movement of personal and non-personal data.
There is a whole range of reasons why organisations need to transfer data including for performing internal business functions, and sharing or accessing data with suppliers, collaborators, government, and customers.
Disruptions or changes to the process for transferring data across borders can significantly impact organisations, as they often come with new and complex legal frameworks to comply with, which can be resource-intensive and burdensome.
For example, when the UK withdrew from the European Union (EU), there was a period of uncertainty for businesses on how they could continue to lawfully transfer personal data between the UK and the EU. Although the UK received a positive adequacy decision from the European Commission in 2021, this decision is not permanent and is subject to regular review and unpredictable change. Larger organisations can mitigate this ongoing risk by implementing alternative transfer mechanisms (such as standard contractual clauses); however, these can be complex and demanding for smaller firms.
If organisations are restricted in their ability to lawfully transfer data across borders, they may be unable to enter new markets, reach potential customers and deliver their offerings to consumers, which can hold back innovation and consumers' access to new technologies and services.
Concerns around future approaches to international data transfers are not unique to the UK. In 2020, a significant ruling by the Court of Justice of the EU (CJEU), known as the Schrems II case, invalidated the Privacy Shield, an agreement to facilitate the movement of personal data between the EU and US. As a result, businesses have had to identify an alternative legal basis to transfer this data and are still awaiting a new agreement to this date. Even the world's largest tech firms have struggled to weather the impact of this court ruling.
International data flows are high up the international agenda, not just because of their business importance, but because they interrelate with other policy areas such as privacy rights, national security, and law enforcement.
Governments around the world govern these aspects differently, such as through their own data protection regimes, covering what safeguards should be in place to protect that data. Data protection rules are also often extraterritorial, meaning the rules one country applies to its citizens need to be followed by companies even if the data is being handled elsewhere.
This has meant that current global debates on cross-border data flows are complex. Countries are taking diverging approaches to data protection and how international data transfers are governed. As a result, organisations must often seek to comply with several legal frameworks and must keep pace with constantly changing legislation. This puts looming uncertainty over businesses, which may end up taking more risk-averse decisions when it comes to entering new markets or developing new products and services.
Data: a new direction for adequacy decisions?
In September 2021, the UK Government launched a significant consultation which proposes a set of reforms to its data protection regime. This includes a rethinking of approaches to international data transfers, which would move towards a more proportionate and risk-based approach to its adequacy decisions.
This shift in attitude could offer businesses a more predictable regulatory environment for international data transfers, and a more reliable means to conduct business. It could also be significant in resetting global debates on international data transfers by demonstrating that more flexible systems can be implemented without challenging high standards of data protection.
To ensure that data protection rights are not challenged, it is vital that the Government addresses the risk of onward transfers from jurisdictions with an adequacy determination to those that do not have one. This will be significant in protecting UK citizens' data as well as the data of any partner countries the UK has an adequacy determination with. There is a large role for guidance and assessment criteria to play here in order to mitigate any risk of unsecure transfers.
For example, techUK has welcomed the approach taken by the regulator in setting out the International Data Transfer Agreement and International Data Transfer Risk Assessments, which offer clear and understandable risk assessments as well as standardised addendums to align contracts for third parties which do not have an adequacy determination.
techUK also supports many of the practical steps outlined in the consultation, such as allowing adequacy regulations for groups of countries, regions, and multilateral frameworks, and the relaxing of the current requirement to review adequacy agreements every four years, provided these changes come with adequate safeguards.
techUK's full response to the Data: a new direction consultation can be found here.