International transfers of personal data under the UK GDPR are set to continue to be a key topic in 2023, in particular, regarding new UK adequacy regulations, transatlantic data flows, and updated guidance regarding the UK’s International Data Transfer Agreement (IDTA).
While 2022 saw the Department for Digital, Culture, Media & Sport (DCMS) and ICO comment on imminent updates on these issues, very little has actually materialised, leaving businesses and commentators alike hopeful that 2023 will be a year of increased certainty when undertaking restricted international transfers subject to the UK GDPR.
Throughout 2022, the DCMS made it clear that facilitating and providing more stability around international data flows was a key priority. Accordingly, the DCMS confirmed that the UK Government intended to make full use of its powers to grant adequacy regulations, simplifying the process through an outcomes/risk-based approach focusing on commonality rather than the more formal, prescriptive process used in the EU to determine adequacy through essential equivalence.
As early as April 2022, representatives from the DCMS confirmed that the UK was prioritising adequacy regulations with various third countries before year end, including the U.S. (see below), Australia, Brazil, Colombia, Dubai, Singapore, India, Indonesia, Kenya, and South Korea, and that it was already in advanced discussions with close partners. Although this all sounded great in practice, so far, only an adequacy regulation with South Korea has been brought before Parliament (though this is expected to come into force before 2023).
Keeping in mind that the UK was able to build on the European Commission’s existing adequacy assessment for South Korea, this suggests that the UK Government may have been somewhat overly optimistic in its strategy in this regard. The European Commission has historically only undertaken adequacy decision assessments one at a time, whereas the UK’s approach to attempt multiple assessments at the same time may have spread its resources too thin. In addition, we would query whether tensions with trade deal negotiations may have caused some delays—for instance, can the UK really ensure its high data protection standards will be met by India following the withdrawal of India’s Personal Data Protection Bill in August 2022?
Like the UK Government’s progress on other adequacy regulations, 2022 has seen little in the way of updates regarding the UK’s version of the replacement to the EU-US Privacy Shield. Following the US-UK Joint Statement published on 7 October 2022 (which reinforced the UK’s commitment to improving data flows between the UK and U.S. and confirmed that significant progress had been made on adequacy regulation discussions), hopes were renewed that we may see a formal announcement of an agreement in principle before the end of the year.
However, it now looks like it won’t be until 2023 that we see any significant updates on this front. In addition, many questions still remain. In particular, it is unclear whether the UK Government intends to negotiate a restrictive UK version of the (EU-U.S.) Trans-Atlantic Data Privacy Framework or whether (in line with comments from the DCMS) we might see a broader multilateral framework that could also be used for transfers to other certifying businesses in other jurisdictions. While the latter approach would clearly be preferable, it seems more likely that transfers from the UK to the U.S. will (at least, initially) be the priority.
Following approval of the IDTA for use under the UK GDPR from 21 March 2022, the ICO promised guidance on conducting transfer risk assessments (TRAs), how to use the IDTA, and on each clause of the IDTA. However, while the ICO updated its TRA guidance in November 2022 (which, in particular, confirmed that the ICO endorses a more risk- and circumstance-based approach to conducting TRAs instead of having to undertake a detailed assessment of the laws applicable to data importers as recommended by the European Data Protection Board), we are still awaiting guidance on the IDTA.
This guidance, which we expect to see in the first half of 2023, will undoubtedly be welcomed by UK and third-country businesses alike. For what was intended to be a flexible and business-friendly agreement, there are aspects of the IDTA for which guidance is desperately needed – in particular, regarding reverse transfers from UK processors to third-country controllers.
For example, as it currently stands, if a U.S. or other third-country controller (which is caught by the extra-territorial scope of the EU GDPR) engages an EU processor, when the EU processor returns the personal data to their U.S. client, the EU Standard Contractual Clauses (SCCs) cannot be used by the processor as an exporter. This arguably puts UK processors at a competitive disadvantage, as they would still be required to enter into an IDTA with the third-country controller in such circumstances, even if the UK GDPR applies to the third-country controller’s processing of the relevant personal data. In addition, in the scenario above, the current version of the IDTA requires the third-country controller, as importer, to delete all the transferred personal data on termination of the IDTA. We anticipate that this may have been an unintended oversight in the drafting of the IDTA, but coupled with the above, if third-country controllers have a choice between substantially identical processors in the EU and UK, the EU processor is clearly a more attractive choice at present.