Guest post by Kim Walker
The Government is aiming to make the UK GDPR work better for businesses. At present, it views the legislation as a blocker to innovation and global data flows, with data transfers outside of the UK or the EEA requiring an ‘adequacy decision’ for the destination country’s laws.
To date, this has only been granted by the EU to 14 countries including the UK and, with the UK Government impatient post-Brexit for more, plans to accelerate its own programme for granting UK adequacy decisions have been announced.
‘Adequacy’ describes countries whose data protection laws provide individuals’ personal data with a level of protection which is equivalent to the UK’s or EU’s. Post-Brexit, the UK Government has granted adequacy to the EEA member countries and adopted all of the EU’s own adequacy decisions, but this means only a select few countries are covered outside the EEA.
As a result, the Government plans to launch its own adequacy programme to ease data flows from the UK to a wider range of countries, prioritising the US, Australia, South Korea, Singapore, Dubai and Columbia.
Only recently did the EU grant adequacy to the UK’s data protection laws, even though they are essentially the EU’s own GDPR transcribed into UK law. The EU was concerned about some of the UK’s investigatory powers and mass surveillance laws, as well as its membership of the ‘Five Eyes’ intelligence network with the US and Australia, among others.
As a result, adequacy has only been cautiously granted to the UK for four years, after which the EU will review the decision. Without an adequacy decision, further bureaucratic formalities such as Standard Contractual Clauses (SCCs) must be implemented.
The exporter must now also carry out a ‘transfer risk assessment’ of the data protection laws of the importing country
Transfers of personal data to non-adequate countries currently require the exporter and importer to enter into SCCs, which impose GDPR data protection standards on the foreign importer by contract. Adopted in the early 2000’s, they have become outdated, covering only basic data transfer scenarios, for example controller to processor and controller to controller. Therefore, more complex transfers such as onward transfers to sub-processors, can only be covered by bending the SCCs awkwardly to fit.
The EU has recently updated its SCCs to try to make them more usable, but they are still legalistic and difficult to understand. As well as this, the European Court’s decision in July 2020 concerning Facebook data transfers (known as Schrems 2), means that businesses can no longer rely on SCCs alone to make their overseas data transfers lawful.
The exporter must now also carry out a ‘transfer risk assessment’ of the data protection laws of the importing country, and if necessary, put in place supplementary measures to mitigate any risks. As well as being a considerable administrative task, this assessment also comes with potentially substantial legal and other costs for businesses. For SMEs in particular, the process takes up time and resources that they might not have to spare.
As an example of the UK’s new attitude to the GDPR, the Government has recently published its own SCCs for consultation, now called ‘international data transfer agreements’ to distinguish them from the EU’s version. A guide on how to carry out a transfer risk assessment has also been made available to help businesses to navigate their way through the transfer risk assessment process.
The UK’s documents are written in a highly accessible, user-friendly way and address up front some of the legal and practical issues which the SCCs have raised in the past, contrasting the EU’s legalistic and wordy revisions.
The proposed data transfer agreement also provides a way that businesses can, by signing a short addendum, apply any existing EU SCCs they may already have in place to UK transfers, without starting all over again.
These proposals, and the UK’s expressed intention to expand the number of adequacy decisions, will be welcomed by British businesses. However, if the UK loosens its data protection standards under UK GDPR and grants adequacy more freely to other territories, there is a risk that the EU will withdraw or not renew the UK’s adequacy decision.
businesses should not underestimate the time and effort required to put all the necessary arrangements in place
The EU’s concern is that data which flows from the EEA to the UK can then be transferred freely to other countries approved by the UK, but not the EU. A major concern is that EU personal data will be able to flow onwards from the UK to the US, where data protection laws are currently non-existent, or patchy at best.
Withdrawal by the EU of the UK’s adequacy decision would create a host of challenges for UK businesses, as it would result in them needing to use SCCs once again, making it more difficult for data to flow from the EEA to the UK in future.
A report by the New Economics Foundation thinktank and University College London estimates that the additional compliance cost for firms wanting to continue transferring data would range from an average of £3,000 to almost £163,000, depending on the size of the company. In total, the cost to UK businesses would likely be between £1 billion and £1.6 billion.
If the UK can speedily negotiate more adequacy decisions with a wider range of countries – particularly the US – then the bureaucracy and cost involved with SCCs and transfer risk assessments will be avoided. In the meantime, the efforts to simplify the data transfer process will be welcomed, although it will remain by no means straightforward.
Neither the Information Commissioner’s Office nor the Government are seemingly planning on providing businesses with a standard summary of the applicable national security and mass surveillance laws of the major jurisdictions involved, so businesses will need to obtain this information themselves for their transfer risk assessments, which most likely means instructing overseas lawyers.
While having a more accessible form of data transfer agreement is undoubtedly to be welcomed, businesses should not underestimate the time and effort required to put all the necessary arrangements in place.
Businesses will be hoping that the UK Government can fulfil its aim to simplify data flows to a wider range of countries by granting adequacy decisions, without forfeiting the important adequacy decision the UK has obtained from the EU.
Kim Walker, partner and data protection expert at law firm Shakespeare Martineau