International data transfers – where are we now?
Between different applicable laws (which might apply to different types of processing), case law and regulatory guidance (or lack of it), businesses in the UK now have a difficult task when considering and identifying their data protection obligations.
There are currently several different laws that could apply to UK businesses, depending on their business operations and data flows, including:
- UK GDPR: applying to personal data collected and processed from 1 January 2021 onwards. The UK GDPR was established by the European Union (Withdrawal) Act 2018, which incorporated the body of EU law (including the EU GDPR) as it existed on exit day into UK law. There is scope for divergence of the UK GDPR, as under the EU-UK Trade and Cooperation Agreement the UK retains the domestic right to determine its own data protection and privacy laws, but both sides have given cooperation-style commitments, meaning that any significant divergence in the short term is unlikely.
- Data Protection Act 2018 (“DPA 2018”): The UK GDPR dovetails with an amended version of the DPA 2018. There are some obligations over and above EU GDPR, such as the additional conditions for the processing of special category (or sensitive) personal data.
The Government has published the very useful Keeling Schedules, which show the amendments to the DPA 2018 and UK GDPR under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/485 (as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2020/1586) (“EU Exit Regulations”).
- EU GDPR: might still apply to UK businesses depending on their activities. It applies to those UK businesses with an establishment in the EEA and those which offer goods or services to customers in the EEA, or monitor individuals in the EEA.
- Frozen GDPR: this is the EU GDPR as it stood on 31 December 2020. It applies to ‘legacy data’ collected before the end of the transition period about people who were located outside the UK at the end of 2020, and to personal data acquired since 1 January 2021 that is processed on the basis of the Withdrawal Agreement (for example, if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement). UK GDPR is currently aligned with Frozen GDPR. If the EU gives the UK an adequacy decision, the Frozen GDPR will no longer apply and the UK GDPR will then apply to all personal data in the UK.
- Schrems II: This decision of the European Court of Justice (CJEU) was in relation to international data transfers (see our article here). It was handed down in July 2020, during the transition period and so is binding on UK businesses. The decision could be overturned by the UK Supreme Court, but there does not seem to be any indication of that happening at present.
Almost all businesses rely on some form of international data flows, it now being common to have service providers and/or data centres located in another jurisdiction. Establishing the legal requirements for those international data transfers has become particularly challenging. We are expecting guidance from the ICO on this soon. In the meantime, we have summarised below the current legal position.
Data Transfers to the UK
Inbound from EEA
As part of the new trade deal, the EU has agreed to delay transfer restrictions for six months (extended from the original four-month period). This is known as the bridge and means that the UK’s third country status will not apply until 1 July 2021.
In the meantime, the European Commission has published its draft adequacy decision for the UK under EU GDPR. The draft decision will now be considered by the European Data Protection Board (EDPB) and a committee of the 27 EU Member States.
If the draft decision is approved, then data transfers from the EEA to the UK can continue without any further measures needing to be in place. If the adequacy decision is not adopted before the end of the bridge, alternative safeguards will need to be put in place to ensure that data transfers from the EEA to the UK remain lawful. As such, if your business receives business-critical or high-risk personal data from the EEA, we recommend you put alternative safeguards in place before the end of June 2021, if you haven’t done so already.
Inbound from other jurisdictions
As before, you will need to consider any restrictions or requirements applying under local laws on international data transfers in the jurisdiction from which you receive the data.
Depending on the flow of data, you may also need to consider whether any additional safeguards are required to send the data back from the UK – see below.
Data Transfers from the UK
Outbound to EEA
The EU Exit Regulations effectively grant interim adequacy decisions in favour of all the EEA member states. Therefore, UK businesses can continue to make transfers of data from the UK to organisations in the EEA as before. These arrangements are intended to be temporary measures, and in time the UK is expected to conduct its own adequacy assessments of all EU member states.
You might of course need to consider the position further if that data also then comes back to the UK.
Outbound to other jurisdictions (including the US)
You will be able to make the restricted transfer if it is covered by the UK adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018. The UK adequacy regulations allow UK organisations to continue to rely on the 13 existing adequacy decisions adopted by the EU. Specific UK arrangements have been confirmed regarding the recent EU adequacy decision for Japan, which secures the necessary protections so that data can continue to flow from the UK to Japan.
If there is no adequacy decision covering the transfer, an appropriate safeguard will be needed unless one of the ‘exceptions’ set out in Article 49 of the UK GDPR applies, which is rare.
Multinational corporate groups can use existing EEA-approved binding corporate rules (“BCR”) as an appropriate safeguard if these were approved before the end of 2020, although certain requirements will need to be met for a UK BCR to be confirmed. The UK Government has not given mutual recognition to EU BCR so these are no longer an option going forwards.
Usually, the appropriate safeguard put in place for a restricted transfer is entering into standard contractual clauses (“SCCs”) with the recipient of the personal data. The current EU GDPR SCCs automatically became valid for restricted transfers under the UK GDPR on 31 December 2020. The European Commission are consulting on new draft EU SCCs, but these will not automatically apply in the UK, even if formally issued in the EU, and we understand that the ICO is not intending to adopt these. We expect that the ICO will at some point issue its own version of SCCs. In the meantime, we recommend that the UK templates of the current EU SCCs are used, available at ico.org.uk.
However, following the Schrems II decision, in addition to SCCs a risk assessment of the recipient jurisdiction should be carried out as to whether or not additional contractual measures (such as obliging the recipient to inform you of any changes to their local laws with supporting termination rights) or technical measures to improve the security of the transfer (such as anonymisation or pseudonymisation) are needed to safeguard the personal data being transferred.
The EDPB has published draft guidance on what those additional measures might be (see our article here), but these set a high bar effectively requiring the data exporter to review and assess the legal systems of the recipient country. As the draft guidance was not adopted before the end of the transition period it will require formal adoption by the ICO if it is to apply in the UK. The ICO has not given any indication yet on whether or not it will adopt the EDPB guidance, nor has the ICO published any guidance of its own. This leaves many UK businesses in a difficult position if they are transferring data to other countries, particularly those countries that are known to have wide-reaching state surveillance.
The most important thing for all UK businesses to do is to understand their data flows, distinguishing between data acquired before and after 31 December 2020 in order to select the applicable law. Key transfers to identify will be those from the EEA to the UK and from the UK to other jurisdictions which aren’t covered by a UK adequacy decision. While all transfers will need to be reviewed, we recommend that you prioritise your business-critical transfers and higher-risk transfers (such as large volumes of data and special category data) and keep an eye out for further ICO announcements and guidance in the coming months.