Survey highlights need for business action on data transfers

Rosie Nance of Pinsent Masons said that a recent survey commissioned by the UK government highlighted the potential scale of contract remediation exercises that might need to be undertaken by UK businesses.

According to the results of the UK business data survey 2021, 10% of all UK businesses send or received digitised data, whether personal data or non-personal data, to or from organisations based outside of the UK. Of those businesses, 70% engage in personal data transfers.

UK data protection law, like its EU equivalent, places restrictions on the transfer of personal data outside of the jurisdiction, reflecting the fact that data protection standards vary globally. The legislation requires exporters to ensure, via the legal tools available to them, that the transferred data is governed in accordance with the data protection standards that apply in the UK.

The UK business data survey 2021 found that, of the UK businesses that transfer data overseas, 40% make use of standard contractual clauses (SCCs) as a legal safeguard. A fifth use binding corporate rules (BCRs), which are rules businesses can draw up and have signed-off by regulators that govern intra-group data transfers.

According to the survey, 54% of large businesses engaged in data transfers rely on so-called ‘adequacy’ decisions – decisions made by the European Commission that recognise data protection standards in certain countries or territories as essentially equivalent to those that apply in the EU. The Commission has issued several adequacy decisions – including one in respect of the UK – and the UK government intends to issue adequacy decisions of its own in due course.

UK data protection law was last substantially updated in 2018 when the General Data Protection Regulation (GDPR) took effect, though the EU legislation was subsequently converted into UK law with some minor amendments at the point that Brexit took effect. Despite the relatively recent overhaul and the fact many businesses surveyed reported seeing benefits from the GDPR, the UK government consulted on possible reforms to data protection law last year. It recently signalled its plans to introduce a Data Reform Bill into parliament over the next year. Further details of its policy intentions are expected to be outlined shortly in its consultation response.

The government has expressly stated its desire for the UK’s data protection regime to have fewer administrative burdens and be pro-innovation, however too great a divergence away from the EU GDPR could risk the UK’s adequacy decision – a designation that supports the free flow of personal data, and the trade that underpins, between the EU and UK. In the survey summary report, the government recognised that adequacy “is an important mechanism”, since it “enables the free-flow of personal data without needing additional measures such as SCCs and Binding Corporate Rules”.

Nance said that while businesses will be eagerly anticipating the government’s announcement on data protection law reform, clear deadlines in relation to data transfers have been set by both UK and EU regulators and require action before any new UK legislation is finalised.