Survey highlights need for business action on data transfers

Out-Law News | 20 May 2022 | 3:46 pm | 2 min. read

Businesses should not wait for the UK government to set out its plans for reform to data protection law to update legacy contracts that make provision for the transfer of personal data outside of the EU or UK, an information law expert has said.

Rosie Nance of Pinsent Masons said that a recent survey commissioned by the UK government highlighted the potential scale of contract remediation exercises that might need to be undertaken by UK businesses.

According to the results of the UK business data survey 2021, 10% of all UK businesses send or receive digitised data, whether personal data or non-personal data, to or from organisations based outside of the UK. Of those businesses, 70% engage in personal data transfers.

UK data protection law, like its EU equivalent, places restrictions on the transfer of personal data outside of the jurisdiction, reflecting the fact that data protection standards vary globally. The legislation requires exporters to ensure, via the legal tools available to them, that the transferred data is governed in accordance with the data protection standards that apply in the UK.

The UK business data survey 2021 found that, of the UK businesses that transfer data overseas, 40% make use of standard contractual clauses (SCCs) as a legal safeguard. A fifth use binding corporate rules (BCRs), which are rules governing intra-group data transfers that businesses can draw up and have signed off by regulators.

According to the survey, 54% of large businesses engaged in data transfers rely on so-called ‘adequacy’ decisions – decisions made by the European Commission that recognise data protection standards in certain countries or territories as essentially equivalent to those that apply in the EU. The Commission has issued several adequacy decisions – including one in respect of the UK – and the UK government intends to issue adequacy decisions of its own in due course.

UK data protection law was last substantially updated in 2018 when the General Data Protection Regulation (GDPR) took effect, though the EU legislation was subsequently converted into UK law with some minor amendments at the point that Brexit took effect. Despite the relatively recent overhaul and the fact many businesses surveyed reported seeing benefits from the GDPR, the UK government consulted on possible reforms to data protection law last year. It recently signalled its plans to introduce a Data Reform Bill into parliament over the next year. Further details of its policy intentions are expected to be outlined shortly in its consultation response.

The government has expressly stated its desire for the UK’s data protection regime to have fewer administrative burdens and be pro-innovation. However, too great a divergence from the EU GDPR could risk the UK’s adequacy decision – a designation that supports the free flow of personal data, and the trade that it underpins, between the EU and UK. In the survey summary report, the government recognised that adequacy “is an important mechanism”, since it “enables the free-flow of personal data without needing additional measures such as SCCs and Binding Corporate Rules”.

Nance said that while businesses will be eagerly anticipating the government’s announcement on data protection law reform, clear deadlines in relation to data transfers have been set by both UK and EU regulators and require action before any new UK legislation is finalised.

Nance said: “Until the Schrems II decision and the guidance from the European Data Protection Board (EDPB) for businesses to ‘know your transfers’, businesses may not have been aware of the requirement to have data protection compliance processes in place every time they transferred personal data internationally. The EDPB acknowledges that this can be a difficult exercise.”

“Further clarity around the approach the proposed Data Reform Bill will take and any new adequacy decisions DCMS will publish will be welcome, as will the ICO’s final guidance on international transfer risk assessments. However, as things stand, we do have a degree of certainty: both UK and EU businesses need to carry out a risk assessment whenever they transfer personal data to a third country and rely on SCCs or another legal tool for transfers. This requirement already applies for new and existing transfers. They also need to ensure they use the new SCCs going forward and put the new SCCs in place for existing contracts by the relevant deadline – 27 December 2022 for the EU clauses and 21 March 2024 for the UK clauses,” she said.