A new era for international data transfers?
Data is widely acknowledged as a valuable global commodity and ensuring its free flow around the world is essential for organisations to capitalise on this valuable asset. Different countries have different data protections laws, culture and approaches to international data transfers and this often results in questions around the practicalities such as: What is happening now? Which countries have been found adequate by whom? What has Brexit changed? Where can I transfer this data to? Is it easier to store our data locally and minimise transfers? What are the consequences of getting this wrong? How can we comply with 10 different data transfer laws?
While the ideological battle rages between protecting data subjects, which is first and foremost in the minds of EU privacy activists, and big tech and international organisations who rely on international data flows to be able to offer their products and services to a global audience, data deals are being done. October saw the long-awaited announcement from the US and the EU and Joe Biden’s Presidential Executive Order putting the substance behind the Trans-Atlantic Data Privacy Framework announced back in March 2022 (see our article here), as well the UK-US Joint Statement: New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy setting out the UK’s plans to find the US an adequate country for data transfers, with the US reciprocating in working towards designating the UK as a qualifying state under the redress mechanism in the Executive Order. In November, the UK’s first (post-Brexit) adequacy decision for the Republic of Korea was announced (see our article here), which is expected to come into force on 19 December 2022.
A fragmanted landscape
This patchwork of adequacy decisions can be difficult to keep track of but in the UK the Department for Digital, Culture, Media and Sport’s (DCMS) data partnership map sets out the priority countries so the direction of travel is clear. Unlike the EU’s linear adequacy process, the UK is negotiating in parallel with the priority countries identified and therefore we expect to see quicker decisions on adequacy by the UK. The UK’s rigorous but streamlined adequacy process, coupled with the innovative approach between the Information Commissioner’s Office (ICO) and the DCMS will also assist in getting these adequacy decisions over the line more efficiently.
We can’t talk data adequacy without mentioning the infamous sunset clause in the EU adequacy decision for the UK. This clause was included to address the potential for ‘too much divergence’ between the UK’s approach to data adequacy and that of the EU. That said, it is worth remembering that the UK is ‘more adequate’ than any other country with an adequacy decision, given it is an ex-Member State, implemented the GDPR and now the UK GDPR, and has the Investigatory Powers Act 2016 (IPA) governing and “limiting” governmental surveillance power. The ongoing dialogue between DCMS and the EU Commission is important to keep both sides up to date on developments and approaches to data adequacy.
Alternatives on the horizon
Other global data transfer initiatives shouldn’t be forgotten. Work is taking place within the OECD, the Council of Europe, the Global Cross-Border Privacy Rules Forum and Association of Southeast Asian Nations. The importance of international data transfers to the global economy is widely recognised and a (post-Covid) pragmatic desire to find a way to make international data flows work raises hopes that we will see more data adequacy decisions in the coming months and/or, fingers crossed, more multilateral agreements on international transfers.