Restricted transfers
Transfers of personal data to recipients outside of the UK (ie recipients in a 'third country') are prohibited under data protection law unless certain safeguards are in place. Such transfers to third countries are known as ‘restricted transfers’.
This affects all organisations that engage in international data transfers, for example, by using cloud-based services. Such organisations need to implement lawful data transfer mechanisms (eg by putting safeguards in place) in order to be compliant.
Businesses should also ensure that they are clear about transfers of personal data in their Privacy policies.
'Adequate' third countries
International transfers to recipients in third countries may take place without the need to obtain any further authorisation (ie without further safeguards needing to be put in place) if the UK has issued an adequacy regulation for the country (or international organisation) that the data is being transferred into. An adequacy regulation indicates that the UK Government has decided that the third country (or organisation) ensures adequate levels of data protection.
The UK currently has 2 key adequacy regulations in place:
The EEA adequacy regulation
An adequacy regulation is in place for the whole of the European Economic Area (EEA). This means that the data protection regimes of all EEA countries are currently considered adequate.
The UK-US data bridge
On 12 October 2023, an adequacy regulation came into force for the United States of America. The regulation works in conjunction with the EU-US adequacy that was introduced earlier in 2023.
To be covered by this adequacy regulation, a transfer of personal data from the UK to the US must be to a US organisation that:
- is listed in the EU-US Data Privacy Framework (DPF), and
- participates in the UK extension to the DPF (ie an additional standard that a US business can certify its adherence to in order to use this data bridge)
Using the UK-US data bridge may make international data transfers between the UK and the US significantly easier. Organisations relying on other safeguards (eg the IDTA or the new EU SCCs with the UK International Data Transfer Addendum, covered below) may want to consider switching to reliance on the UK-US data bridge.
The current list of countries considered 'adequate' can be found on the Information Commissioner's Office (ICO) website.
Safeguards
You may transfer personal data when the organisation receiving the personal data has provided appropriate safeguards. Appropriate safeguards may be put in place via:
Binding corporate rules (BCRs)
International data transfers between organisations within a corporate group (eg multinational companies or companies involved in a joint venture) may take place based on Binding Corporate Rules (BCRs). BCRs require approval from data protection authorities (eg the ICO). However, once such approval is obtained, individual transfers can be made under a BCR without requiring further approval. A BCR may be created for a particular corporate group and can be tailored to meet its businesses’ specific data protection needs.
BCRs are like a code of conduct that organisations within the group must follow when making international data transfers. They allow organisations to transfer personal data internationally within the same corporate group to countries that do not provide adequate levels of protection.
For more information on BCRs, read the ICO’s guidance.
Model clauses
International data transfers may occur based on standard data protection clauses known as ‘standard contractual clauses’ (SCCs) or ‘model clauses’. Model clauses are contractual clauses used when you incorporate them into (ie legally include them in) a contract with the party receiving the data you’re transferring.
The clauses must be used (essentially) as they stand. Any additional contractual language added to them should not contradict them in any way.
Model clauses for data transfers out of the UK must be approved or issued by the UK Government. Before Brexit, the UK used the EU’s model clauses. Since 1 January 2021, the UK has had the power to produce its own model clauses. It has done so: in March 2022, 2 new options for data protection model clauses came into effect in the UK:
- International Data Transfer Agreements (IDTAs) - this is effectively the UK’s new equivalent to the EU’s new SCCs. The IDTA is a comprehensive contract covering data protection measures (eg security requirements). It can be used on its own to safeguard transfers of personal data out of the UK
- the International Data Transfer Addendum to the new EU SCCs (the Addendum) - the Addendum is used in conjunction with, and consequently incorporated into, the new EU SCCs. It is designed to be used when transferring data outside of both the UK and the EU. It provides a time-saving option if you’re transferring data out of the EU anyway, as it doesn’t require aspects of the new EU SCCs to be repeated for the UK part of the transfer
As of 21 September 2022, the IDTA or the Addendum must be used for all new data processing contracts that require model clauses.
Contracts concluded before 21 September 2022 using the old EU SCCs count as adequately safeguarded for UK GDPR purposes until 21 March 2024, assuming that the processing carried out under a contract doesn’t significantly change during this time. After this date, an IDTA or Addendum must be in place for these existing contracts. Note that, on 4 June 2021, the European Commission published new SCCs under the EU’s GDPR (the ‘new EU SCCs’). These are not valid for restricted transfers from the UK.
Certifications
International data transfers may take place based on certifications. Certification schemes must be approved by the ICO and must include safeguards for protecting individuals’ data protection rights during restricted transfers. Certifications provide organisations with a formally recognised confirmation of compliance with UK data protection law, typically with an associated visual symbol, confirming that the organisation satisfies the requirements of the relevant seal or certification.
For more information about this complex area of law, Ask a lawyer for advice and read the ICO’s guidance.
Transfer risk assessments
If you are relying on one of the safeguards above (ie BCRs, model clauses, or certifications) to make a restricted transfer, you must first complete a transfer risk assessment (TRA).
What is a transfer risk assessment?
This is a reasonable and proportionate risk assessment that considers the protections contained within your chosen safeguarding mechanism and the protections granted to data subjects in the destination country of the transfer.
How can you carry out a TRA?
There are 3 options to consider if you are planning to undertake a TRA. Which is suitable for you depends on the reason for the proposed restricted transfer and the safeguarding mechanism you’ve chosen. These are:
1. Using the ICO’s TRA tool
This method focuses on comparing the risk to people’s fundamental and privacy rights depending on whether their personal data:
- remains in the UK; or
- is transferred to the proposed destination country
If there is no significant increase in risk of infringing on the data subjects’ rights by transferring their data to the destination country, then you may proceed with the transfer.
You should also account for the risks involved when enforcing your chosen safeguarding method in your TRA.
For more information on the ICO’s TRA tool, read the ICO guidance on TRAs.
2. Comparing the data laws and practices of the transferring and destination countries
This method compares the data laws and practices of the destination country with those of the UK, in relation to the risks of:
- third parties (ie parties not bound by your safeguarding mechanism) accessing the data, and
- the data being compromised, when such risks are associated with enforcing your chosen safeguarding mechanism
To proceed with the proposed transfer, the destination country’s level of safeguarding should be sufficiently similar to the UK’s.
This is the approach relied upon by the European Data Protection Board.
3. Relying on an adequacy assessment published by the UK government
Sometimes the UK government may make an adequacy regulation applicable to a particular sector or certification scheme in a third country. If the assessment that the government used to make such an adequacy regulation covers protections for the data protection rights of people in the UK in this context, you may be able to rely upon this assessment for your own TRA.
International transfers from the EU to the UK
On 1 January 2021, the UK became a ‘third country’ (ie a country outside of the EU) for the purposes of personal data transfers from the EU.
On 28 June 2021, the European Commission adopted an ‘adequacy decision’ (the EU equivalent of a UK adequacy regulation) concerning transfers of personal data from the EU and EEA to the UK.
This means that personal data transfers from the EU and EEA to the UK can be made without the need to put in place additional safeguards via contractual paperwork, measures, or assessments. The adequacy decision will be reviewed every 4 years and, provided the UK continues to ensure an adequate level of data protection, likely renewed.
For more information, read the ICO’s guidance on adequacy.