The GDPR is regularly cited in some quarters as an example of unnecessarily bureaucratic EU law. Whether or not you agree with that assessment, it has been targeted for 'reform' since before the conclusion of Brexit by successive Conservative governments.
In the dying days of Boris Johnson's tenure as Prime Minister, the government slightly unexpectedly published its Data Protection and Digital Information Bill which many thought would be held back until a new Tory leader was in place.
In the run-up to her election as Conservative Party leader, new Prime Minister Liz Truss pledged that all EU retained law would be reviewed and amended or repealed by the end of 2023. How then should we interpret the fact that the second reading of the Bill was postponed to allow "ministers to further consider this legislation", and what does it mean for the future of data exports?
The government formally announced its plans to depart from the EU GDPR in August 2021. Agreeing new third country adequacy regimes for data exports, initially with the USA, Australia, Republic of Korea, Singapore, Dubai International Finance Centre and Colombia, was a central tenet of its ambitions. The government also published a mission statement on the UK's approach to international data transfers, and a UK Adequacy Manual, as well as plans for a Data Transfers Expert Council to support the facilitation of international data flows. These plans were set out in more detail in the accompanying consultation, Data, a new Direction. Proposals around data transfers included:
- a risk-based approach to data transfers with a four stage process to ensure confidence in future adequacy decisions
- updating the suite of authorised transfer mechanisms
- amending the international transfers regime to make it more flexible and suitable for specific circumstances
- exempting reverse transfers from the scope of the international transfers regime ie data originating outside the UK, sent to the UK and then sent back to the originating jurisdiction
- possibly allowing organisations to create or identify their own alternative transfer mechanisms
- considerable discretion for the Secretary of State to create new transfer mechanisms including adequacy decisions
- updating the certification regime
- allowing the derogations (other than legitimate interests) from the requirement to have a transfer mechanism to be used on a repetitive basis.
Response to the consultation
To some extent, these plans were uncontroversial – the EU had itself updated its Standard Contractual Clauses, so the UK's plans to overhaul its own, now out-of-date SCCs were not surprising (and the overhaul has already taken place). More of an issue, however, was the possibility of organisations being allowed to create or identify their own alternative transfer mechanisms and, while the EU is also looking for a data transfer solution to facilitate US data transfers, there were concerns that the UK might be less rigorous in its approach.
Respondents to the consultation voiced an overriding view that the government must do nothing to prejudice the EU-UK adequacy agreement, which allows for the free flow of personal data from the EEA to the UK following Brexit. While half the respondents agreed with a risk-based approach to adequacy, and some thought a flexible approach to adequacy decisions was desirable, doubts were expressed about proposals to allow the Secretary of State a high level of discretion on new data transfer mechanisms and adequacy agreements. In addition, voices from the European Union, including the European Data Protection Supervisor, warned that the EU adequacy agreement would be at risk if the UK did anything to lower its data protection standards.
The Data Protection and Digital Information Bill
The Data Protection and Digital Information Bill was introduced to Parliament in July 2022. Schedule 5 of the Bill deals with amendments to Chapter 5 of the UK GDPR. Schedule 6 covers transfers to third countries for law enforcement processing and is outside the scope of this article.
When are international transfers permitted?
Under the Bill, transfers of personal data outside the UK will be allowed where:
- the Secretary of State has made regulations allowing the free flow of personal data to that country or international organisation, potentially as a whole or on a case-by-case basis. These regulations may only be made where a new data protection test (set out in new Article 45B) is met
- appropriate safeguards as set out in Article 46 are met, or
- the transfer is based on an Article 49 derogation.
The data protection test
The data protection test allowing the Secretary of State to make regulations approving transfers will be met if the standard for general processing of personal data in a country or international organisation "is not materially lower than the standard of protection under the UK GDPR and relevant parts of the 2018 Act". In deciding whether or not the test is met, the Secretary of State must consider, among other things:
- respect for the rule of law and human rights in the destination country or organisation
- the existence and powers of a local enforcement authority
- provisions for redress for data subjects and whether that is judicial or non-judicial
- data transfer rules governing the export of data from the destination country or by the organisation
- relevant international obligations to which the destination country or organisation is subject
- the constitution, traditions and culture of the destination country or organisation.
Monitoring obligations and restriction
The Secretary of State is required to monitor developments in the relevant country or organisation to ensure that anything which might affect decisions to make export regulations is taken into account and such decisions are amended or revoked accordingly where the data protection test is no longer met.
They also have the power to restrict transfers of categories of personal data to a third country or international organisation where there is no positive regulation allowing it and where the restriction is in the public interest under a new Article 49A.
Finally, the Secretary of State is required to publish a list of third countries and international organisations which benefit from transfer regulations, as well as a list of those that were but are no longer approved.
Transfers must be made only where appropriate safeguards are in place. This requires:
- an authorised transfer mechanism (Secretary of State or ICO Standard Contractual Clauses/IDTA, ICO-approved Binding Corporate Rules, under an approved code of conduct or authorised certification mechanism, a legally binding enforceable instrument between a public body and another relevant person) and
- that the controller or processor, acting reasonably and proportionately and taking into account all circumstances of the transfer, considers that the data protection test is met in relation to the transfer or that type of transfer. For these purposes, the data protection test is met where the standard of protection of the relevant personal data with use of the appropriate transfer mechanism, would not be materially lower than the standard of the protection provided under UK law.
The ICO may also authorise safeguards provided for by contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation, or under provisions to be inserted into administrative agreements between a public body and other person(s), where those clauses or provisions include enforceable and effective data subject rights.
Article 49 derogations
Aside from the insertion of a new Article 49A mentioned above, the main change to Article 49 is a new Article 49(4)(A) which allows the Secretary of State to make regulations to specify situations in which a transfer is or is not (as the case may be) necessary for reasons of public interest.
Will there be fallout?
While many of the initial proposals on data transfers, notably the risk-based approach, and powers for the Secretary of State have made it into the Bill, the government decided not to legislate to exempt reverse transfers from data transfer rules. Nor did it include a more flexible approach to data transfer derogations (under current Article 49).
Nonetheless, the considerable discretion afforded to the Secretary of State, together with the government's stated ambition of widening the data adequacy net, has rung alarm bells. The European Data Protection Supervisor reportedly expressed concerns about the UK's plans for potential adequacy arrangements between the UK and the USA, although it appeared less worried about any impact of the Bill on data protection standards in the UK itself. The European Commission can suspend or revise the EU-UK adequacy arrangement if it feels there is a sufficient threat to EU data, so the UK will have to tread a careful line if it is to extend its adequacy agreements beyond the countries which benefit from equivalent EU decisions.
Will there be further changes to the Bill on transfers?
As ministers now appear to be reconsidering the DPDI Bill, we wait to see whether there will be changes to the overall approach and, more specifically, to the data transfer regime. At the time of writing, the government's plans are opaque. It may be that the pause is just to allow a quick review by the new Secretary of State. On the other hand, it is also possible that the Bill has been paused because the new incumbent, Michelle Donelan (and possibly also the Prime Minister), believes the Bill does not sufficiently reform current law. This puts the position in the UK back to one that is more uncertain. The EU will be watching developments closely, as will we.