The Future of Transatlantic Data Flows: The UK Perspective
On 17 October, techUK hosted an event sponsored by Meta, to examine the recent publication of the US Executive Order, which will implement the data sharing agreement made in principle by the EU and US earlier this year. This announcement marks a definitive step in the formal legal process required to give businesses and public authorities the certainty they need to transfer data across the Atlantic – to innovate, enter new markets and deliver basic business services.
The Executive Order seeks to address the legal concerns raised about US laws in the CJEU court decision Schrems II made in 2020, by including new proportionately requirements for US Intelligence Services’ collection of personal data belonging to individuals outside of the US, as well as introducing a two-tier redress mechanism for individuals to trigger when they feel they may have been improperly surveilled.
The recent developments will also be key in supporting the UK Government to determine its own data sharing agreement with the US, as recently announced in a Joint Statement made by Secretary of State, Michelle Donelan, Department for Digital, Culture, Media and Sport (DCMS), and US Secretary of Commerce, Gina Raimondo.
The event included a fireside chat with the UK’s data protection regulator, the Information Commissioner’s Office (ICO), and expert panel to discuss these recent developments against the current landscape for international data transfers:
- Emma Bate, Legal Director, Information Commissioner’s Office (ICO)
- Joe Jones, Deputy Director for International Data Transfers (DCMS)
- Bojana Bellamy, President, Centre for Information Policy Leadership (CIPL)
- Janine McKelvey, General Counsel - Group Data, Privacy and Ethics Officer, BT
- Katie Hewson, Partner, Stephenson Harwood LLP
- Sue Daley, Director of Tech & Innovation, techUK
In conversation with the Information Commissioner’s Office
Emma Bate, ICO opened the discussion by reflecting on her team’s journey writing the new IDTA and the addendum for UK international data transfers, which aims to resolve the complexities around transfer risk assessments. Having reflected on its existing guidance, the ICO decided it needed to start with a blank piece of paper, and develop something all businesses could make sense of, including SMEs. “It will take a different approach to the European Data Protection Board, going up a level to think about impacts on human rights, rather than the data and surveillance in detail”.
She then stressed the need for a risk-based approach to international data transfers, to ensure that lower risk transfers can flow in a much more straightforward way, compared to scenarios where the data is more sensitive. “Organisations have to make some kind of assessment, which is why it’s so difficult for them. The days are gone when you can just transfer data without really thinking it. That’s not a bad thing.”
On the recent Executive Order, Emma commented that it contains lots of positive provisions that show the US has taken huge steps forward to change its laws, which the UK and Europe must acknowledge. While there are commentators who are sceptical of it, “we must remember that we do not require identical systems of protection; we require that data protection has high standards. If this is not it, I’m not sure what else it will be.”
Finally, several attendees asked Emma about the Government’s Data Protection and Digital Information Bill, and provisions related to international data transfers. There was a sense of disappointment from techUK members in widely supported proposals being dropped from the Data: a new direction consultation, such as ones to enable the repetitive use of derogations and exemptions for reverse transfers. Emma said that the challenges these proposals were seeking to address could be tackled through regulatory guidance alone, rather than in legislation.
The fireside chat came to a close and was followed with a panel to explore the key themes raised in this conversation.
The Executive Order: a quick fix for a broken system?
This panel session aimed to set the Executive Order against an increasingly complex environment for international data transfers. Panellists reflected on the current state of cross-border data flows and considered solutions on the horizon such as the Cross Border Privacy Rules Forum (CBPR), and efforts driven by the OECD to set new standards for data transfers.
Joe Jones, DCMS opened the panel by reflecting on the publication of the Executive Order: “These recent initiatives pursued by the US are not just in the UK and EU’s interest, they are in the global interest.” Joe had dialled into the event from the OECD offices, where he was discussing this very topic, including what good looks like when it comes to law enforcement, national security, and Government access to data. “It’s important to bring global certainty on data flows, and the US doing this in their own domestic framework is an incredibly important part of that. But we have got to do this at scale.”
This was echoed by Janine McKelvey, BT, who said that the Executive Order has in fact gone further than a lot of other countries who also have intelligence agencies and adequacy with the EU. “As a global company, international data transfers are so important so we cannot give advice to our Board that will not last longer than six to twelve months, especially when this legal advice underpins our data governance programmes”.
Bojana Bellamy, CIPL added that the Executive Order is an incredibly bold moment, “I think the US has done as much as it could have constitutionally done to appease the European requirements, and upgrade what exists today. I don’t know what else they could actually do”.
On reflecting how this uncertainty impacts business outcomes, Janine noted that it chokes the ability for UK businesses to put proper data governance and compliance in place. Bojana agreed, adding that organisations are conducting thousands of data transfers a day, while working on technologies of the future such as the Metaverse, web 3.0 and AI. “Innovation should be the focus, underpinned by a flexible, risk-based approach. We need to move on from where we are right now, which is why multilateral solutions are exciting.”
Where does this leave the UK?
The discussion then moved onto the UK Government’s own plans for a data sharing agreement with the US, which will include an assessment of the Executive Order. While the ICO will not conduct its own assessment, it will act as a check and balance by ensuring the UK Government is asking the right questions when making its decision. After this period of consultation with the ICO, the UK Secretary of State for DCMS, will lay out legislation for a US adequacy decision in Parliament for adoption via a negative resolution.
When asked by the audience, if a UK-US agreement could impact the EU’s adeqaucy decision for the UK, there was consensus across panellists that the UK, US, and EU must create an environment where all three territories can find a solution that works for everyone. However, Janine caveated this, “there is a role for the UK to be a leader here and help change the negative narrative for international data transfers. If the UK genuinely believes that the Executive Order meets certain standards and criteria, the UK should be bold enough to be a leader in this space.”
Katie Hewson, Stephenson Harwood LLP agreed and added that there does not need to be a standoff between the US and EU, “we need to have constructive conversation and the UK has got a really important part to play in that. The UK has a data protection regime that mostly closely aligns with the EU’s, which gives it the agility to look at and consider new innovative models for transferring data.
Towards multilateral solutions
As the panel ended, speakers noted that US data flows are only one part of the puzzle when it comes to international data transfers. Organisations such as BT operate in almost 180 countries, all with different technological offerings and compliance obligations. While a solution for EU-US data flows is welcomed, speakers agreed that this is by far not the end of the story.
“It feels to me like this could be a steppingstone towards greater international cooperation, or perhaps a form of international baseline to progress towards the federal privacy legislation that we are seeing stopping and starting in the US,” Katie noted.
Joe also mentioned that other countries such as Japan are at the same table as the UK, talking about these issues constructively and coming up with solutions, such as interoperable, global certification schemes (CBPR). All industry panellists welcomed the progress being made towards reaching multilateral solutions and urged Government to seize the moment to drive this agenda.
The event rounded off with a clear and overwhelming sense of optimism from the room that the Executive Order could mark a turning point for future international data transfers.
On 30 November, techUK will be hosting its inaugural International Data Transfer Summit, where we will be unpicking these issues with the UK Government, the regulator, industry, and data protection and privacy experts. Register to attend here.