UK Government Publishes UK Approach to International Transfers, Including Data Adequacy
On August 26, 2021, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) published its mission statement setting out the UK approach to adequacy assessments and international data transfers, alongside a Manual Template and Manual Guidance for undertaking adequacy assessments and an infographic map illustrating ten priority countries forming part of that process. This release forms part of a broader package of measures announced by DCMS to “seize the opportunities of data to boost growth, trade and improve its public services” following the UK’s exit from the EU, which included an announcement that John Edwards (the current New Zealand Privacy Commissioner) is the Government’s preferred nominee to be the next UK Information Commissioner.
In its mission statement which sets out the UK Government’s approach to international data transfers under the UK GDPR, the UK Government outlines the first territories with which it will prioritise striking “data adequacy” partnerships, taking a “flexible approach” to adequacy. The priority territories are: Australia, Colombia, the Dubai International Finance Centre (DIFC), the Republic of Korea, Singapore, and the United States. Brazil, Kenya, India, and Indonesia are also listed as “longer term priorities.” The UK will also retain its current adequacy list (based on the European Commission’s adequacy decisions).
The UK adequacy decision will follow four phases: (1) Gatekeeping; (2) Assessment; (3) Recommendation; and (4) Procedural:
- In the first Gatekeeping stage, determining whether to commence an adequacy assessment will be made by reference to policy factors relevant to UK interests e.g., the trade and diplomatic relationship with that country or territory.
- The Assessment stage will involve the collection and analysis relating to the level of data protection in another country. This assessment will involve using the newly published Manual Template and Manual Guidance (discussed further below).
- At the Recommendation stage, the UK adequacy team will make a recommendation to the Secretary of State who will, after consultation with the UK Information Commissioner’s Office (“ICO”) and other relevant parties, decide whether to make a determination of adequacy.
- This will be followed by the Procedural stage, which involves making the relevant regulations and laying these before UK Parliament to give legal effect to the Secretary of State’s adequacy determination. Adequacy decisions will be reviewed at intervals of not more than four years.
The mission statement also reminds organisations of the alternative available data transfer mechanisms, including the current Standard Contractual Clauses (SCCs) on which the ICO has just launched a consultation for the new UK International Data Transfer Agreement (IDTA) to replace the SCCs, and which are expected to be adopted at the end of 2021 (for further information, please see our blog post here). The mission statement also strongly encourages industry bodies to develop codes of conduct, which DCMS considers to be currently underutilized.
As noted above, to assist with the making of adequacy decisions, the UK Government has published its Data Adequacy Manual (both Manual Guidance and a Manual Template) which provides the DCMS with a framework to inform the technical assessment of data protection standards in other countries. The Manual Template contains questions to guide the collection of information relevant to a country’s data protection (both the content of relevant laws and the effectiveness of relevant protections), based on the safeguards in the UK GDPR. At a high-level, the assessment will consider:
- the domestic and international context in which the country operates (e.g., its legal and political structure and its participation in any international conventions relating to privacy and data protection);
- domestic laws and rules related to protecting personal data (recognizing that certain countries will take different approaches to the UK), including: (i) to whom/what data such laws and rules apply; (ii) what protections are in place during processing; (iii) the security, sanction and redress measures in place to enforce such laws; and (iv) what international transfer restrictions and obligations are in place; and
- what functions are in place to allow for supervision and enforcement, together with evidence of that enforcement.
The Manual Guidance provides users (i.e., the adequacy team at the DCMS) with a guide to filling out the Manual Template, supporting the identification and recording of such decisions.
Copies of the relevant documentation can be found in full on the UK Government website here.