International Data Transfers: New criteria
This is the penultimate post in our series on how the Government’s proposed Data Protection and Digital Information (No. 2) Bill (the Bill) would affect data controllers. This update examines the proposed changes to the rules on international transfers of personal data, which could be the most impactful in the Bill and potentially the most controversial.
The current rules on international data transfers were retained from the EU regime at the end of the Brexit transition period, with only very minor changes so that they continued to work in a UK context. Among other things, the rules provide that data transferred outside the UK will be a ‘restricted transfer’ and will be in breach of the UK GDPR unless the Secretary of State has put an ‘adequacy regulation’ in place or one of the other safeguards applies. Organisations will be relieved to see that this latest version of the Bill confirms that the existing safeguards will continue to apply.
The Bill creates a new framework for the Secretary of State to make regulations permitting data transfers to other countries. This idea exists in the current regime, but this new framework would grant the Secretary of State greater discretion in making those regulations.
At present, such regulations can only be made where the destination country provides an ‘essentially equivalent level of protection’. This standard is inherited from the EU regime and is based on EU case law. The Bill would permit the Secretary of State to make regulations where the protection provided to data subjects in the destination country is ‘not materially lower’ than the protection provided by UK data protection law.
The Bill sets out criteria that the Secretary of State must consider when deciding whether the standard of ‘not materially lower’ has been met. These include, in relation to the relevant country or organisation:
- whether there is respect for the rule of law and human rights;
- whether there is an authority responsible for enforcing the protection of data subjects and that authority’s powers;
- arrangements for judicial or non-judicial redress for data subjects regarding the processing;
- whether there are rules in place around the transfer of data;
- relevant international obligations; and
- the constitution, traditions, and culture.
The Bill also makes clear that the standard of protection is to be assessed using a ‘holistic and contextual’ approach (as described in the Explanatory Notes to the Bill), presumably with the intention that weaknesses in certain areas might be outweighed by strengths in others. The overall effect of the Bill is to enable the Secretary of State to permit transfers to other countries even if those countries’ data protection regimes offer a lower standard of protection in some respects.
In its response to the consultation ahead of this Bill, the Government described this new approach as more ‘agile’, and stated that it should make it easier for the UK to implement free transfers of data with other jurisdictions. In particular, it may pave the way for the UK to permit free transfers of data to the US, avoiding the hurdles created by certain EU case law. This approach will see the UK diverge from the EU and inevitably raises a question about whether the EU will continue to treat the UK as providing adequate protection for personal data transferred here from the EU.
The Government has indicated it is keen to make it easier for UK entities to make international transfers of personal data. The introduction of the ‘not materially lower’ threshold may seem like a subtle change, but it is one that could enable the Secretary of State to introduce an adequacy regulation for the US, which would be a marked shift away from the EU position. An adequacy regulation for the US would undoubtedly make life easier for the large number of controllers with transatlantic interests, but at what cost? There would undoubtedly be a risk that the EU would respond by withdrawing its adequacy regulation in relation to the UK.