International Data Transfers: what are they and why are they so important?
Demystifying international data transfers and what reform to the data protection regime means for them.
The free flow of data is a cornerstone of UK international trade. The Department for International Trade estimates the UK exported £190.3 billion digitally delivered services (representing 67.1% of total UK services exports).
Any business which operates digital products and services internationally will almost certainly depend on transferring data across borders, likely including the movement of personal and non-personal data.
There is a whole range of reasons why organisations need to transfer data including for performing internal business functions, and sharing or accessing data with suppliers, collaborators, government, and customers.
Disruptions or changes to the process for transferring data across borders can significantly impact organisations, as they often come with new and complex legal frameworks to comply with, which can be resource-intensive and burdensome.
For example, when the UK withdrew from the European Union (EU), there was a period of uncertainty for businesses on how they could continue to lawfully transfer personal data between the UK and the EU. Although the UK received a positive adequacy decision from the European Commission in 2021, this decision is not permanent and is subject to regular review and unpredictable change. Larger organisations can mitigate this ongoing risk by implementing alternative transfer mechanisms (such as standard contractual clauses), however these can be complex and demanding for smaller firms.
If organisations are restricted in their ability to lawfully transfer data across borders, they may be unable to enter new markets, reach potential customers and deliver their offerings to consumers, which can hold back innovation and consumers' access to new technologies and services.
Concerns around future approaches to international data transfers are not unique to the UK. In 2020, a significant ruling by the Court of Justice of the EU (CJEU), known as the Schrems II case, invalidated the Privacy Shield, an agreement to facilitate the movement of personal data between the EU and US. As a result, businesses have had to identify an alternative legal basis to transfer this data and are still awaiting a new agreement to this date. Even the world’s largest tech firms have struggled to weather the impact of this court ruling.
International data flows are high up the international agenda, not just because of their business importance, but because they interrelate with other policy areas such as privacy rights, national security, and law enforcement.
Governments around the world govern these aspects differently, such as through their own data protection regimes, covering what safeguards should be in place to protect that data. Data protection rules are also often extra territorial, meaning the rules one country applies to its citizens need to be followed by companies even if the data is being handled elsewhere.
This has meant that current global debates on cross-border data flows are complex. Countries are taking diverging approaches to data protection and how international data transfers are governed. As a result, organisations must often seek to comply with several legal frameworks and must keep at pace with constantly changing legislation. This puts looming uncertainty over businesses who may end up taking more risk averse decisions when it comes to entering new markets or developing new products and services.
Data: a new direction for adequacy decisions?
In September 2021, the UK Government launched a significant consultation which proposes a set of reforms to its data protection regime. This includes a rethinking of approaches to international data transfers, which would move towards a more proportionate and risk-based approach to its adequacy decisions.
This shift in attitude could offer businesses with a more predictable regulatory environment for international data transfers, and more reliable means to conduct business. It could also be significant in resetting global debates on international data transfers by demonstrating that more flexible systems can be implemented without challenging high standards of data protection.
To ensure that data protection rights are not challenged, it is vital that that Government addresses the risk of onward transfers from jurisdictions with an adequacy determination, onto those who do not. This will be significant in protecting UK citizens’ data as well as the data of any partner countries the UK has an adequacy determination with. There is a large role for guidance and assessment criteria to play here in order mitigate any risk of unsecure transfers.
For example, techUK has welcomed the approach taken by the regulator in setting out the International Data Transfer Agreement and International Data Transfer Risk Assessments which offers clear and understandable risk assessments as well as standardised addendums to align contracts for third parties which do not have an adequacy determination.
techUK also supports many of the practical steps outlined in the consultation, such as allowing adequacy regulations for groups of countries, regions, and multilateral frameworks, and the relaxing of the current requirement to review adequacy agreements every four years, provided these changes come with adequate safeguards.
techUK's full response to the Data: a new direction consultation can be found here.
Latest News from
Be part of the techUK Local Digital Capital Index Working Group!30/01/2023 10:15:00
We are inviting techUK members to apply for a position to sit on the Local Digital Capital Index Working Group and get involved in the creation of the third edition of the Index which we will publish later in this year.
Digital skills scheme for veterans backed by 6 techUK members30/01/2023 09:15:00
Tech sector firms including Capita, Northrop Grumman, Atos, Leonardo UK, Fujitsu and Leidos are supporting the 15,000 Futures initiative created by WithYouWithMe to support veterans into tech sector jobs
Quantum Computing in Energy & Utilities Day27/01/2023 09:20:00
This campaign day will be focusing on the opportunities for quantum computing applications in the energy and utilities sector. We will uncover its potential, viability, and challenges.
Voting Open: techUK Digital Twin Steering Group Chair and Vice Chair25/01/2023 16:05:00
Voting is now open for the techUK Digital Twin Steering Group Chair and Vice Chair positions. The elections will be open until 14 February 2022.
A UK Plan for Chips25/01/2023 15:05:00
The UK needs a plan for 'chips' if we are to fulfil the aim to become a science and tech superpower
Financial Services Policy Explainer | Payment Services Regulations (PSR) Review and Call for Evidence23/01/2023 11:20:00
Helping to map the UK’s Joint Regulatory Oversight Committee’s (JROC) upcoming strategic work, HM Treasury’s latest Review, and Call for Evidence of the UK’s payments regulatory environment will shape the following stages of determining digital technology suppliers’ contributions to building the payments infrastructure of UK Open Banking
How UK tech companies are playing their part to tackle the rise of online fraud20/01/2023 13:10:00
Fraud is now the most commonly experienced crime in the UK, costing over a hundred billion pounds every year, with online fraud making up an increasing proportion of incidents.
Made in the UK, Sold to the World Awards 202317/01/2023 16:10:00
Celebrating UK business success around the world, The Department for International Trade’s Made in the UK, Sold to the World Awards are launching in January 2023