With its exit from the EU, the UK finds itself facing new challenges in terms of data transfers. Not only with restricted countries such as the US or China, but now also with the EU and EEA, data transfers are only possible if certain safeguards and measures are observed.
In the following, we would like to give you an update on how data transfers are now structured and how you establish the right transfer tools for yourself.
The first step of every data transfer is to map its flows within
- the company itself,
- the group,
- to external service providers.
After mapping these data flows, you need to consider where the data importer is located. If the data importer is also located in the UK, meaning England, Scotland, Wales and Northern Ireland, no additional safeguards as stated in Chapter V of the UK GDPR are required. If, however, data is transferred to Crown dependencies or UK overseas territories, including Gibraltar, additional safeguards need to be implemented as shown below.
The first transmission tool to be checked should always be an adequacy regulation. The UK has adopted several such adequacy decisions, e.g. for the EEA states, which include Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Norway and Liechtenstein.
Other adequacy regulations exist for Gibraltar and for those countries and territories which were covered by the EU Commission’s adequacy decisions adopted prior to 31 December 2020. Those decisions include Andorra, Argentina, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay and, in part, Japan and Canada.
The UK has also adopted an adequacy decision for the Republic of Korea (South Korea) and is currently working in partnership with other destinations to reach an adequacy decision under the UK GDPR. Those destinations include Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya, Singapore and the US.
If an adequacy regulation has been adopted, companies and bodies may send personal data to partners and service providers in such countries without taking any further measures to ensure the safety of the data.
As long as no such regulation exists, additional safeguards are a must.
Art. 46 UK GDPR specifies further safeguards to be taken if there is no adequacy regulation for the restricted country and personal data are to be transferred there. Such measures are:
Legally binding and enforceable instruments between public authorities or bodies
You may only rely on this safeguard when the public bodies or authorities involved have a legal instrument in place which ensures enforceable rights and effective remedies for the data subjects concerned. The data exporter does not necessarily have to be a party to that legal instrument, provided that the enforceability of data protection rights is guaranteed for the specific data transfer.
UK Binding Corporate Rules (UK BCRs)
This tool is set out in Art. 47 UK GDPR and is only applicable to multinational or international groups and groups of undertakings which carry out joint economic activities. UK BCRs are therefore only a possible safeguard for transferring data within the group. If you wish to send data to external partners, other safeguards have to be taken.
UK BCRs have to be approved by the ICO.
Standard data protection clauses, such as the International Data Transfer Agreement (IDTA) or the Addendum
The most common safeguards you may use are the IDTA or the International Data Transfer Addendum. The latter is an addendum to the EU Standard Contractual Clauses 2021. Where those clauses are already in place, adding the Addendum also secures the UK transfer.
To find out more about the IDTA and the Addendum please see our article on this topic.
Approved codes of conduct
If the data importer, i.e. the receiver of the data, has signed up to a code of conduct approved by the ICO, you can also rely on this safeguard for your data transfer to that receiver. Such a code of conduct also needs to emphasise the protection of data subjects’ rights. For now, no such codes of conduct have been approved.
Approved certification schemes
Similar to a code of conduct, a data importer can apply for a certification approved by the ICO. The necessary content is the same as for a code of conduct. Likewise, no certifications have been adopted so far.
Contractual clauses approved by the ICO
Contractual clauses which emphasise the obligations of the UK GDPR, and especially those regarding data subjects’ rights, can be used as a safeguard. However, those clauses have to be approved by the ICO, which can be a lengthy process.
Administrative arrangements between public authorities or bodies
If a restricted transfer is covered by an administrative arrangement between public authorities or bodies, you may also rely on it as a safeguard. Here, too, the necessary content is the enforcement of data subjects’ rights. Such administrative arrangements, however, also need to be approved by the ICO.
Before you may rely on any of these safeguards, you have to undertake a transfer risk assessment to establish that the relevant protections of the UK GDPR are not undermined. Once satisfied that you may rely upon the chosen safeguard, you need to fulfil its requirements and ensure compliance.
If you are not satisfied that the safeguards ensure the necessary security and safety of the data in the restricted country, you may not send data there and, if you wish to commission a service provider, should look for an alternative.
Basically, the UK and the EU/EEA have become each other’s third or restricted country, which requires certain safeguards under Chapter V of both the UK GDPR and the EU GDPR in order to conduct data transfers.
For transfers between the two, adequacy decisions under Art. 45 UK GDPR and Art. 45 EU GDPR were adopted. According to these adequacy decisions, which state that the level of data protection in the recipient country corresponds to the national level, data may be transferred without further measures. Thus, as long as this adequacy decision can be relied upon, no further hurdle has arisen per se, even after Brexit.
However, the adequacy decision contains a so-called sunset clause, which states that the decision, if not renewed, will expire after a period of four years, i.e. by July 2025, after which further measures for data transfers would have to be taken.
Before the Schrems II judgment, the UK had hoped that, post-Brexit, it could continue to be part of the Privacy Shield and rely on it for data transfers to participating US companies, thereby fulfilling the necessary GDPR requirements for US data transfers. UK companies would only have needed to update their agreements with US companies to include “UK” in the EU-U.S. Privacy Shield. However, with the CJEU’s decision against the Privacy Shield, the UK is facing a situation with limited legal options for data flows to the US.
Whenever a UK company wishes to transfer data to the US, it needs to rely upon additional safeguards as, for now, no adequacy regulation for the US has been adopted. Therefore, a transfer risk assessment is necessary to examine whether the safeguard in mind will ensure the level of data protection set out in the UK GDPR. Only when you are satisfied of this may you use that safeguard.
You also need to check your current safeguards regularly to ensure that all laws, measures and other steps are still up to date and state of the art.
Necessary steps for UK companies
UK companies should, if they have not already done so, start mapping their data flows within the company, within the group and with external parties to have an up-to-date picture of their national and international data transfers.
After mapping the data flows, UK companies need to pick the most suitable safeguard, conducting transfer risk assessments to examine its enforceability prior to using it. For instance, US data importers could be asked to ensure that technical safeguards, such as encryption or anonymisation, are in place to avoid exposure of UK citizens’ data to the US surveillance regime.
It is also crucial to follow new developments closely in order to keep data transfer mechanisms up to date.