UK Data Protection Changes to Affect Doing Business Abroad

The UK government has unveiled plans for a new global data transfer regime, suggesting deviations will occur from the current EU-aligned practices. UK Digital Secretary, Oliver Dowden, has stated that “it means reforming our own data laws so that they’re based on common sense, not box-ticking.” We explore the key proposed changes below.

Adequacy Decisions
The UK plans to prioritise granting data ‘adequacy’ decisions to various countries to enable organisations to transfer personal data to these countries more simply and without having to implement additional safeguards. These territories will include the United States, Colombia, Australia, Singapore, the Republic of Korea and Dubai International Finance Centre (DIFC). India, Brazil, Kenya and Indonesia will also be considered. Under current laws, documentation such as Standard Contractual Clauses must be in place before sharing data with these countries and a risk assessment in relation to the transfer must be carried out.

42 territories have already been granted ‘adequacy’ status by the UK, matching those of the EU. These include all 30 EEA territories, Jersey, Canada and New Zealand, among others.

Following Brexit, the EU Commission (EC) granted an ‘adequacy decision’ in the UK’s favour on the basis that UK laws and practices would remain aligned with EU data privacy laws, including the EU General Data Protection Regulation (GDPR). The EC made it clear that the decision could be revoked at any time. The EU does not currently view any of the 10 territories mentioned above as having sufficiently ‘adequate’ data protection laws, and indeed has recently made it more difficult to transfer data to the US with the invalidation of the EU-US Privacy Shield. It is possible the EU may not like the UK’s plans.

It therefore remains to be seen whether our EC-granted adequacy decision will be at risk as things develop. These new plans may make it simpler to do business with companies based further afield but sharing data easily with companies in the EU could become more complex.

New Transfer Mechanisms where no Adequacy is Granted
Where data is transferred to entities based abroad, certain mechanisms must first be implemented and risk assessments carried out to ensure the rights of the individuals concerned are protected. This includes adopting Standard Contractual Clauses (SCCs), a set of EC- (and in turn UK-) approved clauses.

The UK has revealed it is currently consulting on a new UK International Data Transfer Agreement (IDTA) which will replace the current SCCs (approved under the EU GDPR). This is expected to be adopted at the end of 2021. Interestingly, an IDTA addendum to model data transfer agreements from other jurisdictions, including the EU’s new SCCs, is also being considered. This would be a welcome move, particularly for businesses engaged in transfers of personal data from both the EU and the UK to other countries, as only one document would be required.

In addition, a Transfer Risk Assessment should be carried out. This can be used to determine the level of risk the transfer poses to the personal data concerned. It is intended for use with routine international transfers.

When this change occurs, organisations sharing personal data with entities or businesses in countries without an adequacy decision must ensure the new IDTAs are implemented as soon as possible in place of the existing SCCs. There is likely to be an implementation window in which to complete this.

If you would like further advice on the above or to discuss data privacy alignment generally, please get in touch.

Madeleine Rhodes