24 Nov 2022
by Alexander Milner-Smith

A new era for international data transfers?

Alexander Milner-Smith of Lewis Silkin LLP explores the current landscape for international data transfers, ahead of techUK's first ever International Data Transfers Summit taking place in person & virtually on 30 November.

Data is widely acknowledged as a valuable global commodity and ensuring its free flow around the world is essential for organisations to capitalise on this valuable asset. Different countries have different data protections laws, culture and approaches to international data transfers and this often results in questions around the practicalities such as: What is happening now? Which countries have been found adequate by whom? What has Brexit changed? Where can I transfer this data to? Is it easier to store our data locally and minimise transfers? What are the consequences of getting this wrong? How can we comply with 10 different data transfer laws?

While the ideological battle rages between protecting data subjects, which is first and foremost in the minds of EU privacy activists, and big tech and international organisations who rely on international data flows to be able to offer their products and services to a global audience, data deals are being done. October saw the long-awaited announcement from the US and the EU and Joe Biden’s Presidential Executive Order putting the substance behind the Trans-Atlantic Data Privacy Framework announced back in March 2022 (see our article here), as well the UK-US Joint Statement: New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy setting out the UK’s plans to find the US an adequate country for data transfers, with the US reciprocating in working towards designating the UK as a qualifying state under the redress mechanism in the Executive Order. In November, the UK’s first (post-Brexit) adequacy decision for the Republic of Korea was announced (see our article here), which is expected to come into force on 19 December 2022.


A fragmanted landscape

This patchwork of adequacy decisions can be difficult to keep track of but in the UK the Department for Digital, Culture, Media and Sport’s (DCMS) data partnership map sets out the priority countries so the direction of travel is clear. Unlike the EU’s linear adequacy process, the UK is negotiating in parallel with the priority countries identified and therefore we expect to see quicker decisions on adequacy by the UK. The UK’s rigorous but streamlined adequacy process, coupled with the innovative approach between the Information Commissioner’s Office (ICO) and the DCMS will also assist in getting these adequacy decisions over the line more efficiently.

We can’t talk data adequacy without mentioning the infamous sunset clause in the EU adequacy decision for the UK. This clause was included to address the potential for ‘too much divergence’ between the UK’s approach to data adequacy and that of the EU. That said, it is worth remembering that the UK is ‘more adequate’ than any other country with an adequacy decision, given it is an ex-Member State, implemented the GDPR and now the UK GDPR, and has the Investigatory Powers Act 2016 (IPA) governing and “limiting” governmental surveillance power. The ongoing dialogue between DCMS and the EU Commission is important to keep both sides up to date on developments and approaches to data adequacy.


Alternatives on the horizon

Other global data transfer initiatives shouldn’t be forgotten. Work is taking place within the OECD, the Council of Europe, the Global Cross-Border Privacy Rules Forum and Association of Southeast Asian Nations. The importance of international data transfers to the global economy is widely recognised and a (post-Covid) pragmatic desire to find a way to make international data flows work raises hopes that we will see more data adequacy decisions in the coming months and/or, fingers crossed, more multilateral agreements on international transfers.



Alexander Milner-Smith

Alexander Milner-Smith

Partner, Lewis Silkin LLP

Alexander is Co-Head of Lewis Silkin's Data & Privacy Group. He works in three main areas: data & privacy, general employment law, and sports law.

Alexander has advised some of the world's leading companies on the adoption of global privacy strategies and on the full range of data protection/privacy issues including: data protection/privacy audits; data subject rights requests management; dealing with data breaches; extra-EEA data transfers; advising generally on data privacy policies/notices; handling Information Commissioner’s Office, and other regulatory queries/investigations; marketing/cookie issues; and, helping clients update their data protection/privacy practices in light of Brexit. He holds the CIPP/E data protection/privacy accreditation from the IAPP and have spoken all over the world on data protection/privacy issues.

Examples of his recent work includes:

  • conducting audits of all personal data flows and related privacy practices for a number of well-known organizations

  • assisting various companies with ICO and international regulatory investigations

  • advising various multi-national companies on extra-EEA transfer issues, the safe harbor<>Privacy Shield changes and the potential impact of Brexit

  • in the last year speaking about data protection in the UK, Brussels, Milan, Hong Kong, Singapore and the United States.


Read lessmore