6 Steps to Manage International Data Transfers from the UK

UK data protection law requires us to carefully consider, and have specific measures in place to protect, personal data and the rights of individuals when it’s transferred overseas. Other jurisdictions have similar rules. For example, there are restrictions on personal data transfers from the European Union, Brazil, the UAE, New Zealand and Singapore, to name a few. In this article I’m focusing on UK-based organisations who are looking to transfer personal data outside the UK, and the key steps to take.

BALANCING THE RISKS

Tackling international data transfers can feel complex and overwhelming, but it really pays to make sure relevant stakeholders in your business are familiar with the requirements and understand the potential risks. Sometimes you may have limited control over the terms under which you do business with others, and there will be times where there’s no room for negotiation on the terms. Where this is the case, a balance will need to be struck between the business necessity of entering the contract and the potential risks should restricted transfers not be adequately covered. Do you walk away and find a different solution, or accept the risk?

STEP 1: IDENTIFY PERSONAL DATA TRANSFERS

First you need to check whether what you’re planning to do constitutes a restricted international data transfer.

🚩 Are you transferring or sharing personal data with an organisation located outside the UK? This could be a new supplier/service provider or another organisation you need to share data with.

🚩 Are you making personal data available to another entity located outside the UK? Can the data be accessed by that entity’s employees?

The receiver of the personal data could be a separate company, a public body, a sole trader or another legal entity within a group of companies.
Here are some examples:

Suppliers based outside the UK: transferring, or permitting access to, personal data when using a supplier/service provider based in the US, India, France, Australia or anywhere else in the world.

Partner organisations based outside the UK: sharing personal data with any organisation based overseas, which may be using the personal data for its own purposes. This includes sending paper or electronic documents, by email or post, or permitting another organisation to access your systems.

Group entities based outside the UK: sharing employee, customer or any other personal data with a separate legal entity within your corporate group which is located outside the UK. This includes employees working for an overseas group entity having access to personal data on the UK organisation’s systems.

Important note: it would not constitute a restricted transfer if someone employed by a UK-based company accesses personal data from overseas. For example, a colleague on a business trip can access UK systems from anywhere in the world.

STEP 2: CHECK IF AN EXCEPTION APPLIES

There are some limited exceptions where you don’t need an adequacy decision or another safeguard mechanism. The ICO makes it clear that most exceptions include the word ‘necessary’, and while this doesn’t mean the transfer has to be absolutely essential, it ‘must be more than just useful and standard practice’. To rely on an exception you need to assess whether the transfer is objectively necessary and proportionate, and can’t reasonably be achieved in another way. Exceptions are most likely to be appropriate for occasional transfers, a low volume of data and where there is a low risk of harm when personal data is transferred. Here are some of the most commonly used exceptions; a full list can be found here.

📌 Explicit Consent – the transfer is made with the explicit consent of the individual whose data is being transferred, and where they have been informed of the possible risks.
📌 Contract – the transfer is necessary for the performance of a contract between the individual and the organisation, or for necessary pre-contractual steps.

📌 Public Interests – the transfer is necessary for important reasons of public interest.

📌 Legal Necessity – the transfer is necessary for the establishment, exercise or defence of legal claims.

📌 Vital Interests – the transfer is necessary to protect people’s vital interests (i.e. in a critical life or death situation) where the individual cannot legally or physically give their consent.

STEP 3: CHECK IF THE DESTINATION COUNTRY HAS AN ADEQUACY DECISION

If a country has been awarded ‘adequacy’ there is no legal requirement for any further safeguards. Adequacy is awarded to specific countries which have been judged to have a level of data protection similar to that within the UK. An adequacy decision essentially allows for the free flow of personal data from the UK to that country. Adequacy decisions are kept under regular review, and can be overturned, so some organisations take a belt and braces approach and adopt additional safeguards anyway.

European Economic Area / UK

The European Commission has granted the UK ‘adequacy’ for the time being, and this is reciprocated by the UK. Therefore, personal data can flow freely between the UK and the countries of the EEA, i.e. the EU member states plus Iceland, Liechtenstein and Norway.

Other adequate countries

The UK adopted all EU adequacy decisions as of January 2021. Therefore personal data can flow freely from the UK to countries such as Switzerland, New Zealand, Uruguay, Israel and Japan. See the full list of European Commission Adequacy Decisions. The UK Government also has the power to make its own ‘adequacy decisions’ on countries it deems acceptable for transfers from the UK.

United States

The ‘UK-US Data Bridge’ came into effect in the autumn of 2023.
This extension to the EU-US Data Privacy Framework (DPF) permits the free flow of personal data from the UK to the US, but only if the US company has both self-certified to, and meets the principles of, the DPF and has signed up to the UK ‘data bridge’ extension. For a list of self-certified organisations see the US Department of Commerce DPF website.

STEP 4: SELECT A SAFEGUARD MECHANISM (IF NECESSARY)

If there is no adequacy decision for the destination country and you aren’t able to rely on a limited exception, you must make sure specific safeguards are in place. Organisations have the following options in order to comply with UK GDPR.

📌 UK International Data Transfer Agreement (IDTA) – this is a standalone legal contract published by the UK ICO. Its purpose is to safeguard personal data which is sent outside of the UK.

📌 EU Standard Contractual Clauses (SCCs) with UK Addendum – the EU SCCs are contracts produced by the European Commission for the purpose of safeguarding personal data sent outside the EU. The ICO stresses that EU SCCs are not valid for restricted transfers under UK GDPR on their own; it’s necessary to use the UK Addendum as well. It’s also worth noting that new EU SCCs were published in 2021 and the old versions are no longer valid for UK organisations to use, so make sure you haven’t got any outdated SCCs lurking in existing contracts.

📌 Binding Corporate Rules (BCRs) – BCRs can be used as a safeguard for intra-group transfers. Some global organisations have gone down this route, but it is onerous and takes a considerable amount of time, as BCRs must be approved by a relevant data protection authority (such as the ICO). Therefore many organisations opt for EU SCCs with the UK Addendum, or the IDTA.

📌 Other safeguards – other safeguard measures include approved codes of conduct, approved certification mechanisms, or legally binding and enforceable instruments between public authorities or bodies.
STEP 5: CONDUCT A TRANSFER RISK ASSESSMENT (IF NECESSARY)

If you are looking to rely on the IDTA, EU SCCs with the UK Addendum, or BCRs, you are required to conduct a Transfer Risk Assessment (TRA). This is a written assessment to determine whether personal data will be adequately protected, and to assess the likelihood and severity of risks to people’s fundamental rights and freedoms. A key aspect of this is assessing whether foreign governments or public bodies could override the safeguard measures you have in place. The ICO has published TRA Guidance and we’ve written a summary of it.

STEP 6: KEEP UNDER REVIEW

The rules relating to international data transfers have been subject to a number of significant legal rulings and changes over the past decade, and it’s therefore important to keep abreast of developments; new adequacy decisions may be issued, and existing decisions could be overturned. An area to definitely keep an eye on is the EU’s adequacy decision for the UK. This was granted with an expiry date of 27 June 2025 and is up for review. It could be extended, but if it isn’t it will expire on that date.

International Data Transfers Guide

A top-level overview of international data transfers

There are restrictions under UK and EU data protection law when transferring personal data to organisations in other countries, and between the UK and the EU. The rules regarding restricted transfers can be an enigma to the uninitiated, and their complexity has been magnified by Brexit and by an infamous 2020 European Court ruling known as ‘Schrems II’. This guide aims to give an overview of what international data transfers are and the key data protection considerations. It does not cover all the intricacies, nor data transfers for immigration and law enforcement purposes. Also, please be aware there may be specific restrictions in place under laws in other territories around the world.

As a general rule, controllers based in the UK or EU are responsible for making sure suitable measures are in place for restricted transfers to other controllers, or to processors. A processor is responsible when it initiates the transfer, usually to a sub-processor.

Some might be thinking: what would be the impact if we just put all of this into the ‘too difficult’ tray? It’s certainly an area which many feel has become unduly complicated and an onerous paperwork exercise. However, getting the detail right will pay off should things go wrong. For example, if a supplier you use based overseas suffers a data breach, the consequences may be more significant if you have not covered off the legal requirements surrounding restricted transfers. It’s an area likely to come under regulatory scrutiny in the event of a breach, or should a complaint be raised.

What is an international data transfer?

An international data transfer refers to the act of sending or transmitting personal data from one country to another. It also covers an organisation making personal data available to another entity (‘third party’) located in another country; in other words, the personal data can be accessed from overseas.
There are specific rules about the transfer of personal data from a UK sender to a receiver located outside the UK (under UK GDPR) and similar transfers from EEA senders (under EU GDPR); these are known as restricted transfers. A receiver could be a separate company, public body, sole trader, partnership or other organisation.

EU GDPR

Personal data can flow freely within the European Economic Area (EEA). A restricted transfer takes place when personal data is sent to, or is accessible from, outside the EEA. Where such a transfer takes place, specific safeguards should be in place to make the transfer lawful under EU GDPR.

UK GDPR

A restricted transfer takes place when personal data is transmitted or sent to, or accessed from, outside the UK, and safeguards should be in place to ensure the transfer is lawful.

The reason for these rules is to protect people’s legal rights, as there’s a risk people could lose control over their personal information when it’s transferred to another country.

Examples of restricted transfers would be:

Sending paper or electronic documents, or any kind of record containing personal data, by email or post to another country

Giving a supplier based in another country access to personal data

Giving access to UK/EU employee data to another entity in the same corporate group, based in another country

There are some notable exceptions:

Our own employees: a restricted transfer does not take place when sending personal data to someone employed by your company, or when they access personal data from overseas. However, it does cover sending, transmitting or making personal data available to another entity within the same corporate group, where entities operate in different countries.

Data in transit: where personal data is simply routed via other countries, but there is no intention that the data will be accessed or manipulated while it is being routed, this does not represent a restricted transfer.
ICO guidance says: ‘Transfer does not mean the same as transit. If personal data is just electronically routed through a non-UK country, but the transfer is actually from one UK organisation to another, then it is not a restricted transfer.’

What are the safeguards for restricted transfers?

A. Adequacy

Adequacy is when the receiving country has been judged to have a level of data protection similar to that of the sender country. An adequacy decision allows for the free flow of personal data without any additional safeguards or measures.

Transfers from the EEA

The European Commission has awarded adequacy decisions to a number of countries including the UK, Japan, New Zealand, Uruguay and Switzerland. A full list can be found on the European Commission website – Adequacy Decisions. Therefore personal data can flow freely from EEA countries to an ‘adequate’ country. These decisions are kept under review. There are some concerns that UK Government plans to reform data protection law could potentially jeopardise the UK’s current EC adequacy decision.

EU-US Data Privacy Framework: the EC adopted this framework for transfers from the EU to the US in July 2023. It allows for the free flow of personal data to organisations in the US which have self-certified to, and meet the principles of, the DPF. A list of self-certified organisations can be found on the U.S. Department of Commerce DPF website.

Transfers from the UK

There are provisions which permit the transfer of personal data from the UK to the EEA, and to any countries covered by a European Commission ‘adequacy decision’ as of January 2021. Therefore personal data can flow freely from the UK to the EEA and to any of the countries awarded adequacy by the EC. The UK Government also has the power to make its own ‘adequacy decisions’ on countries it deems suitable for transfers from the UK. More information about UK adequacy decisions can be found here.
UK-US Data Bridge: the UK-US ‘Data Bridge’ was finalised on 21st September 2023 and goes live on 12th October 2023. Like the EU-US Data Privacy Framework, organisations based in the US must self-certify to the DPF, but they must also sign up to the ‘UK extension’. Read more about the Data Bridge.

B. EU Standard Contractual Clauses

In the absence of an EC adequacy decision, Standard Contractual Clauses (SCCs) can be used, which the sender and the receiver of the personal data both sign up to. These comprise a number of specific contractual obligations designed to provide legal protection for personal data when transferred to ‘third countries’. SCCs can be used for restricted transfers from the EEA to territories not covered by an adequacy decision. The European Commission published new SCCs in 2021 which should be used for new and replacement contracts. The SCCs contain separate modules for the different types of transfer:

controller-to-controller

controller-to-processor

processor-to-processor

processor-to-controller

There’s an option for more than two parties to join and use the clauses through a docking clause. More information can be found on the European Commission website – Standard Contractual Clauses.

Two points worth noting:

The deadline to update contracts which use the old SCCs has passed – 27th December 2022.

Senders in the UK cannot solely rely on EU SCCs; see the point below about the UK Addendum.

C. UK International Data Transfer Agreement (IDTA) or Addendum to EU SCCs

Senders in the UK (post Brexit) have two possible options here as a lawful tool to comply with UK GDPR when making restricted transfers:

The International Data Transfer Agreement, or

The Addendum to the new EU SCCs

ICO guidance stresses that the new EU SCCs are not valid for restricted transfers under UK GDPR on their own, but using the Addendum allows you to rely on the new EU SCCs. In other words, the UK Addendum works to ensure EU SCCs are fit for purpose in a UK context.
In practice, if the transfer is solely from the UK, the UK IDTA would be appropriate. If the transfer includes both UK and EU personal data, the EU SCCs with the UK Addendum would be appropriate, to cover the protection of the rights of individuals in the EU as well as the UK. It’s worth noting that contracts signed on or before 21 September 2022 can continue to use the old SCCs until 21 March 2024. Contracts signed after 21 September 2022 must use the IDTA or the Addendum to the new EU SCCs in order to be effective. See ICO Guidance.

The additional requirement for a risk assessment

The ‘Schrems II’ ruling in 2020 invalidated the EU-US Privacy Shield (predecessor of the Data Privacy Framework) and raised concerns about the use of EU SCCs to protect personal data. Concerns raised included the potential access to personal data by law enforcement or national security agencies in receiver countries. As a result of this ruling there’s a requirement, when using the EU SCCs or the UK IDTA, to conduct a written risk assessment to determine whether personal data will be adequately protected. In the EU this is known as a Transfer Impact Assessment, and in the UK it’s called a Transfer Risk Assessment (TRA). The ICO has published TRA Guidance and we’ve written a TRA guide.

D. Binding Corporate Rules (BCRs)

BCRs can be used as a safeguard for transfers between companies in the same group. While some global organisations have gone down this route, it can be incredibly onerous and takes a considerable amount of time to complete BCRs. BCRs need to be approved by a Supervisory Authority (for example the ICO in the UK, or the CNIL in France). This has been known to take years, so many groups have chosen to use EU SCCs (with the UK Addendum if necessary) or the IDTA in preference to going down the BCR route.

E. Other safeguards

Other safeguard measures include:

Approved codes of conduct

Approved certification mechanisms

Legally binding and enforceable instruments between public authorities or bodies
What are the exemptions for restricted transfers?

It may be worth considering whether an exemption applies to your restricted transfer. These can be used in limited circumstances and include:

Explicit consent – the transfer is made with the explicit consent of the individual whose data is being transferred, and where they have been informed of the possible risks.

Contract – the transfer is necessary for the performance of a contract between the individual and the organisation, or for necessary pre-contractual steps.

Public interests – the transfer is necessary for important reasons of public interest.

Legal necessity – the transfer is necessary for the establishment, exercise or defence of legal claims.

Vital interests – the transfer is necessary to protect people’s vital interests (i.e. in a critical life or death situation) where the individual cannot legally or physically give their consent.

The ICO makes the point that most of the exemptions include the word ‘necessary’. The Regulator says this doesn’t mean the transfer has to be absolutely essential, but that it “must be more than just useful and standard practice”. An assessment needs to be made as to whether the transfer is objectively necessary and proportionate, and can’t reasonably be achieved another way. The regulatory guidance says exemptions such as contractual necessity are more likely to be proportionate for occasional transfers, a low volume of data and where there is a low risk of harm when the data is transferred. The above is not an exhaustive list of the exemptions; further details can be found here.

There is no getting away from it: international data transfers are a particularly complex and onerous area of data protection law! It pays to be familiar with the requirements and understand the potential risks. Sometimes organisations will have little control over the terms under which they do business with others. For example, large technology providers might be unwilling to negotiate international transfer arrangements and will only proceed if you agree to their existing safeguards. A balance might need to be struck here between the necessity of entering the contract and the potential risks should restricted transfers not be adequately covered.

International Data Transfers and UK-US Data Bridge

What is it and what does it mean for UK businesses?

The UK-US Data Bridge was finalised on 21 September 2023 and goes live on 12 October 2023. The term ‘data bridge’ is the UK’s preferred terminology for ‘adequacy’, and it allows for the free flow of personal data from the UK to another country without the need for further safeguards. The UK Government stresses that data bridges are not reciprocal: they don’t permit the free flow of data from other countries to the UK. A data bridge is designed to ensure the level of protection for UK individuals’ personal data under UK GDPR is maintained. The UK-US Data Bridge is aimed at easing the burden on UK businesses faced with complex international data transfer rules and requirements.

Background on data transfers to the United States

In the past, when the UK was part of the EU, UK businesses could transfer personal data to US companies which had signed up to the EU-US Privacy Shield, without the need for other safeguards to be in place. For more than a decade the Austrian privacy activist Max Schrems (and NOYB, the privacy non-profit he founded) has been challenging data transfers and highlighting concerns about the ability of the US Government and its agencies to access and intercept data transferred to the US. This ultimately led to a 2020 European Court ruling, known as Schrems II, which invalidated the EU-US Privacy Shield and raised concerns about another commonly used safeguard: Standard Contractual Clauses (SCCs). (Just in case you’re wondering, there was also Schrems I – a ruling in 2015 which invalidated Safe Harbor, the predecessor to the Privacy Shield!) Since the Schrems II ruling, EU businesses have been required to implement alternative safeguards when transferring personal data overseas, such as putting in place the NEW Standard Contractual Clauses between the parties and conducting a Transfer Impact Assessment.
In the UK, we’ve seen the development of the UK’s own International Data Transfer Agreement (IDTA) and Transfer Risk Assessments for UK-based businesses. Oh, and let’s not forget there’s also the UK Addendum to the EU SCCs. Complex, isn’t it? Are you still with me?

EU-US Data Privacy Framework

The European Commission adopted an adequacy decision for transfers to the US which came into force on 11 July 2023. The EC confirmed that the EU-US Data Privacy Framework gives protection to transferred personal data comparable to that provided within the EU. This decision provides a new lawful means for data transfers from exporters based in the EU to the U.S. In a similar way to the previous Privacy Shield, only US businesses regulated by the Federal Trade Commission or the US Department of Transportation are eligible, and they need to self-certify compliance against a set of principles.

UK-US data bridge

Post-Brexit, the UK is not covered by the EU-US Data Privacy Framework. But now, under the Data Bridge, the UK can benefit from similar arrangements. It’s important to note that US companies must already be signed up to the EU-US Data Privacy Framework to be able to participate in the UK-US data bridge. Essentially the Data Bridge is an extension to the EU framework, which US suppliers also need to sign up to.

What steps can businesses take?

Businesses transferring personal data from the UK to the US can now check whether their arrangements with US businesses could benefit from the new Data Bridge. This would include checking:

1) whether the US businesses are participating in the scheme, or intend to

2) the US businesses’ privacy policies

3) whether the categories of data being transferred are covered

Some types of US organisations are not eligible to participate in the Data Bridge or the Data Privacy Framework, and some categories of data may be excluded or require additional steps.
For example, special category data (such as health data, biometrics and political opinions) and criminal offence data require additional measures. There’s further information available about the Data Privacy Framework here, and there’s also the ability to check whether a US business is signed up using the participant search.

Legal challenges

As with its predecessors Safe Harbor and the Privacy Shield, the EU-US Data Privacy Framework is facing legal challenges. It’s argued it still doesn’t offer enough protection to EU citizens. It’s likely these challenges could take many months, maybe even years, to go through the courts. However, there’s the possibility the Data Privacy Framework could be invalidated at some point in the future, as Safe Harbor and the Privacy Shield were. If this happens it’s not clear what the repercussions might be for the UK-US data bridge. Businesses wanting to take a belt and braces approach may therefore want to still rely on safeguard measures such as the EU Standard Contractual Clauses, the UK International Data Transfer Agreement and, where necessary, the UK Addendum. See our International Data Transfer Guide for an overview of the rules and requirements.