On 23 October 2024, the UK government introduced the Data (Use and Access) Bill to Parliament (the DUAB). Our previous blog summarised the changes to the UK’s data protection framework that it will introduce.
One area of change is the international transfer regime, where the DUAB may make it easier for businesses to transfer personal data outside of the UK. The full extent of these changes will depend on guidance expected from the newly structured Information Commission and on case law, but this blog summarises what businesses need to know now about the new approach.
Current approach to international transfers under the UK GDPR
Controllers can currently only transfer personal data outside of the UK if (i) the third country is covered by a UK adequacy decision; or (ii) the transfer is covered by appropriate safeguards, such as entering into an International Data Transfer Agreement. Transfers can also be made in limited circumstances when an exception applies.
If the UK government decides that a third country’s data protection regime provides adequate protection (an adequacy decision), personal data can be transferred there without appropriate safeguards. Currently, when deciding whether a third country is adequate for the purposes of international transfers, the UK government must have regard to, among other factors, the impact on human rights and fundamental freedoms and the existence of supervisory institutions in that country.
When relying on appropriate safeguards, UK controllers must conduct transfer risk assessments. One element of those risk assessments is ensuring that, post-transfer, the personal data will be protected in a way that is ‘essentially equivalent’ to the level of protection under the UK GDPR. This standard arose from the Schrems II decision, which we covered in a previous article.
A new threshold for assessing international transfers
The DUAB introduces a new ‘data protection test’ into the UK’s international transfers regime. This replaces the previous test and must be applied in the following two primary circumstances:
- when the UK government is making an adequacy decision about the data protection regime of a third country; and
- when a business is undertaking a transfer risk assessment and must assess the risks of the data protection regime of the third country it is transferring data to.
In both circumstances, the DUAB requires the replacement data protection test to be applied. The test is met when the standard of protection provided for data subjects in the third country is ‘not materially lower’ than the standard of protection provided under the UK GDPR.
It is not yet clear how ‘not materially lower’ differs from ‘essentially equivalent’ under the current regime. It will be up to the Information Commission and the UK courts to provide guidance on this point. The intention of the DUAB, however, appears to be to introduce a different, and likely slightly lower, standard for making international transfers under the UK GDPR than currently exists under the EU GDPR. The Explanatory Notes to the DUAB state that, when making an assessment under the data protection test, the Secretary of State should recognise that “other countries' data protection regimes will not be identical to the UK's in form and differences may exist given the cultural context of privacy”. The Secretary of State must, “in a holistic and contextual manner, decide whether or not the overall standard of protection is lower than the UK’s standard in a way which is material.” The effect of this new test is likely to make it easier both for the UK government to designate certain third countries as adequate and for businesses to carry out risk assessments when relying on appropriate safeguards. In the aggregate, these changes may make it easier for businesses to transfer personal data outside of the UK.
A business’s existing transfer mechanism can still be compliant and provide appropriate protection if:
- it was entered into before the commencement of the DUAB; and
- it otherwise satisfied the requirements of the UK GDPR international transfer regime as they stood prior to the commencement of the DUAB.
A business will need to apply the new data protection test when it enters into a new transfer mechanism after commencement of the DUAB.
Introduction of transfer blacklists
The DUAB also allows the UK government to place certain countries on a transfer ‘blacklist’, banning businesses and other organisations from transferring personal data there, where the restriction is in the public interest. This approach differs from that of many other jurisdictions (including the EU), and will allow the UK government to restrict wholesale the transfer of personal data to certain countries.
Implications and next steps
The DUAB must complete its passage through Parliament before it can enter into force. Businesses should be aware of the following before its entry into force:
- If you have international transfer mechanisms in place already, you do not need to update them as a result of the DUAB (assuming they are already compliant with the UK GDPR). When you enter into new transfer mechanisms after commencement of the DUAB, you will need to apply the new data protection test at that stage.
- It is possible that the UK government could use the DUAB to designate as adequate a greater number of third countries, making it easier for businesses to transfer personal data without the need for additional safeguards.
- Where you are conducting transfer risk assessments, you should consider whether your processes will need to be updated to reflect the new ‘data protection test’.
- Businesses should proactively monitor additions to the ‘blacklist’. When jurisdictions are added to the ‘blacklist’, consider what impact that will have on your business if you transfer personal data to those jurisdictions and what mitigations may need to be implemented.