On Aug. 26, the United Kingdom announced big new plans for international data transfers. As one of the world’s largest economies, a long-time leader in multilateral privacy fora, and a frequent interpreter between European and U.S. approaches to data protection, the U.K. is well-positioned to innovate in this endlessly challenging and integral policy arena.
Last week, I had the opportunity to discuss the U.K.’s plans with Joe Jones, Deputy Director of International Data Transfers at the U.K. Department for Digital, Culture, Media and Sport. Joe and his colleagues at DCMS have crafted the U.K.’s new data transfers strategy, consulting closely with the Information Commissioner’s Office.
The Privacy Advisor: Can you offer a broad-brush overview of your current plans around data transfers to advance the U.K.’s national data strategy?
Joe Jones: The U.K. has an exciting and unique opportunity — as a world leader in digital, and a champion of free trade and the rules-based international system — to be a global force for good when it comes to international data transfers. Now that the U.K. is an independent, sovereign nation, we intend to make creative and pragmatic use of our new powers on international data transfers.
There are great opportunities to be seized on data, and there are also great challenges that need addressing, too. International data transfers have never been more important to our collective global interests, but, as the IAPP community well knows, recent trends have made it more complex and challenging than ever for organizations and individuals to seize the benefits associated with the free and secure exchange of personal data across borders.
As part of our ambitious, pro-growth National Data Strategy, the U.K. will work globally to remove unnecessary barriers to cross-border data flows, as detailed under Mission 5. This is so important because data transfers have revolutionized our way of life and global economies. Data transfers underpin exciting opportunities for innovation, collaboration and trade, especially in scientific research, financial services and artificial intelligence. The unrestricted flow of data will therefore be integral to global recovery and future growth and prosperity.
Over the past two to three years, we’ve been listening to and learning from stakeholders around the world on these issues. This has been — and will continue to be — incredibly important to the design and future delivery of our capabilities on international data transfers. For example, respondents to the National Data Strategy Consultation asked for more transparency and openness as the U.K. government goes about this work. They and partners around the world called for more clarity on the process and methodology that informs the delivery of adequacy. There was also a call for a more globally scalable approach to international data transfers, an approach that reflects the breadth and depth of opportunity.
Just last week, we announced our ambitions and plans on the U.K. program of work in our mission statement on international data transfers. This includes scaling up our work to secure data adequacy arrangements with priority partners worldwide (see our map on current priority partners) and our investment in opportunities to design globally interoperable transfer mechanisms.
We also launched a call for experts from across the globe to join the new International Data Transfers Expert Council. This panel will consist of leading individuals from academia, industry and civil society, and its members will provide the government with independent and expert insights and advice of both a technical and tactical nature.
As the IAPP has reported, there is also a live consultation underway launched by the U.K. ICO on proposed updates to international data transfer tools and guidance (more on this later!).
Our work doesn’t end with all of the summer’s announcements — far from it. There’ll be much more to come, so stay tuned, contribute to the discussion and let’s deliver on the opportunities!
The Privacy Advisor: We understand the U.K. plans to issue its own adequacy determinations. Can you share an update on your priorities in that regard?
Jones: Data “adequacy” is a status granted by the U.K. to countries, territories, sectors and international organizations that provide high standards of protection for personal data. An “adequacy” determination means that personal data can be transferred from the U.K. to that country freely, in accordance with the terms of the relevant adequacy decision.
For sure, U.K. adequacy is the most straightforward way for U.K. organizations to freely and securely transfer personal data. Adequacy can boost trust by providing businesses and consumers more confidence in the laws of the jurisdiction that the data is being transferred to. Adequacy also removes the compliance burden and cost for U.K. organizations to use alternative transfer mechanisms. That last point is important in the context and aftermath of “Schrems II” — we’ve heard how challenging it is for organizations to be doing case-by-case assessments of countries they’re sending data to.
We’ve published more detail on the process and methodology for U.K. adequacy (see our Adequacy Manual Guidance). These materials not only inform how we assess adequacy, but they are designed to ensure that we’re assessing high standards of data protection in a systematic and scalable way, creating the conditions to deliver on our global ambitions.
Earlier this year, we made our intentions very clear: to expand the list of adequate destinations in line with our global ambitions and commitment to high standards of data protection. We recently announced priority partners for data adequacy arrangements; these are the United States, Australia, the Republic of Korea, Singapore, the Dubai International Financial Centre and Colombia. Future partnerships with India, Brazil, Kenya and Indonesia are also being prioritized for the longer term.
We are working collaboratively with our partners for new data adequacy arrangements. Data-enabled services to these destinations are already worth more than £80 billion to the U.K. economy. New partnerships will unlock more growth and allow us to share crucial information, such as life-saving research and cutting-edge technology innovation across our borders.
The U.K. has a long, rich and proud history of high data protection standards. That continues today and we remain steadfast in our commitment to high data protection standards. We have to recognize and better understand the cultural context of privacy and the global variety in exactly how countries regulate privacy. No two countries will have the same data protection framework and adequacy does not require that symmetry in form. We need to focus on the outcomes of protection.
The Privacy Advisor: How does the U.K. plan to conduct its adequacy assessments and how soon might we see new adequacy determinations?
Jones: In a nutshell, there are four stages to the U.K. adequacy assessment process: gatekeeping, assessment, recommendation and procedural.
During the gatekeeping stage, we consider whether and how to prioritize an adequacy assessment of an international partner. We consider a range of factors in this assessment, one of the most important being our high-level understanding of the data protection rules in the third country and the existence of bodies that independently oversee compliance. Our legislation empowers the assessment of countries (in part or in full), territories or sectors within countries, or international organizations. Sectoral adequacy decisions may be important if country-wide adequacy is not yet appropriate.
At the assessment stage, we work in partnership with our international counterparts and expert delivery partners to collect and analyze information on the level of data protection in another country. We recently published our “Manual Template,” which is the tool we will be using to gather information (see "Manual Guidance" for how we use the template). We’ve done this because we want to be very transparent about our assessment and to earn that trust that is so important for data protection.
Officials in DCMS then make a recommendation on adequacy to the secretary of state, who will, after consulting the information commissioner and any others considered appropriate, decide whether and how to make a determination of adequacy in respect of a specific partner.
If we get the go-ahead, then the final stage of the U.K. adequacy process is to make and lay legislation in the U.K. Parliament. This legislation gives legal effect to the U.K. adequacy decision.
While we have outlined our near-term and longer-term priorities, we cannot prejudge the outcomes of the process by assigning specific dates as to when we expect these assessments to be concluded. However, work with our partners is progressing positively and at pace, with our assessment of high standards of data protection taking precedence. What’s important is that our work instills trust and confidence. That said, the IAPP community should expect updates and announcements on this work over the coming weeks and months.
The Privacy Advisor: The U.K. recently issued its own set of standard contractual clauses for public consultation. What was the impetus for issuing U.K.-specific SCCs and will they be interoperable with EU SCCs?
Jones: The ICO has launched their much-anticipated consultation on the new U.K. SCCs, now known as international data transfer agreements. The IDTAs will replace the current SCCs used for protecting personal data sent to organizations based outside of the U.K. This consultation has been driven in part by the need to update the current, outdated SCCs inherited from the EU and to provide legal certainty in the wake of the “Schrems II” judgment.
In line with this, the ICO is also consulting on a new transfer risk assessment tool, which aims to help organizations assess the level of protection provided by the IDTA in the destination country and provide additional safeguards where necessary. This assessment is required by the “Schrems II” ruling, and primarily focuses on the enforceability of the contract in the importing country and appropriate protection from third party access.
Although based on similar standards, the ICO’s draft IDTA looks fairly different than the EU versions. It introduces more flexibility and is designed to be easy to use and more accessible to small organizations. The feedback so far has been really positive. Interoperability with other legal frameworks around the world is so important and so I am pleased that the ICO has considered interoperable solutions as part of their consultation. The consultation will be live for eight weeks, closing Oct. 7, and you can find the link to the consultation, the draft IDTA and transfer risk assessment here.
The Privacy Advisor: Is the U.K. considering alternative mechanisms, like the APEC Cross Border Privacy Rules, codes of conduct or other certification regimes to facilitate international transfers?
Jones: More globally interoperable data transfer solutions are so important. We’ve got to invest in discussions and work that can design and deliver on global interoperability. Policies and mechanisms being developed around the world should “speak to” one another and so it is important that we — and governments around the world — learn from and work with one another. Strides have already been taken on a number of initiatives worldwide, which we take an interest in and look forward to learning more about and exploring how to “globalize” data transfers.
We have a number of alternative transfer mechanisms — or transfer “tools” in our “toolkit” — to ensure U.K. data is appropriately protected when transferred outside of the U.K. We are working to develop our toolkit to improve the use of underutilized mechanisms, such as certifications and codes of conduct. We believe there is flexibility within this toolkit to facilitate transfers for organizations in the private and public sectors, and we want to remove unnecessary bureaucracy in the system by focusing on getting the right outcomes for data protection.
The Privacy Advisor: Does the U.K. plan to incorporate data flow-related provisions in trade agreements?
Jones: Traditionally, regulatory arrangements that cover transfers of personal data are separate from provisions in trade agreements. Building on our most recent agreements with Japan, the European Union and European Economic Area, the U.K. will seek provisions in free trade agreements that remove barriers to the free flow of data, including unjustified data localization measures, while not lowering the standard of protection afforded to the personal data of U.K. individuals.
Our focus on securing robust data clauses in any FTAs will reduce barriers to trade and unlock significant benefits for the U.K. economy. This is an opportunity for the U.K. to display global leadership and show that removing unjustified barriers to cross-border data flows and upholding data protection standards are mutually reinforcing and beneficial for trade and trust.
Arrangements that cover transfers of personal data, such as adequacy decisions, facilitate the free flow of personal data, and can help unlock the benefits and potential market-liberalizing provisions in trade agreements. We work closely with colleagues at the Department for International Trade on these issues.
The Privacy Advisor: The U.K. is participating in the Organisation for Economic Co-operation and Development initiative to develop trusted principles for government access to private sector data, work which recently seemed to stall. Is there any update you can offer on that work?
Jones: The U.K. is actively involved in the OECD initiative to create an instrument that sets out high level principles for government access to personal data for law enforcement and national security purposes, reflecting best practice and commonalities amongst OECD countries. While achieving consensus among all OECD members on such a complicated issue is challenging, we are determined to find and agree on a way forward that works for all.
A successful outcome to the project will have considerable benefits for the OECD community and the U.K. in the longer term, helping to remove barriers to commercial cross-border data flows and increasing trust in the legitimate government access to data for law enforcement and national security purposes. Over the coming months there will be further opportunities for the Committee on Digital Economy Policy to agree on a path forward and we are looking to collaborate with our international counterparts to ensure the progress made at the OECD drafting group is utilized.
The Privacy Advisor: Does the U.K. plan to support any data transfer-related work in the G-7 or G-20?
Jones: Absolutely; we are using our international influence and role in multilateral fora like the G-7 and G-20 to drive forward global solutions to the challenges and barriers impeding cross-border data flows.
During our G-7 presidency this year we were pleased to be able to achieve agreement on a roadmap for cooperation on “Data Free Flow with Trust” under the Digital & Technology track. This program was endorsed by Australia, the Republic of Korea and G-7 members.
It includes a number of concrete joint commitments to progress our agenda of championing the safe international flow of data. These are split across four areas: data localization, regulatory cooperation, data sharing for priority sectors and trusted government access to data. Deliverables encompass evidence gathering from among the G-7 economies, government and industry workshops, and expert discussions. Through these initiatives we hope to identify areas to continue the meaningful progress that has been made internationally on data.
We are currently working closely with our partners to implement that which has been agreed this year under our G-7 presidency, and we are also pleased to actively contribute to cross-border data flow discussions at the G-20 under the Italian presidency. The U.K. will continue to be committed to progressing the Data Free Flow with Trust agenda through these multilateral forums and as we look forward to future presidencies.
Photo by Juliana Kozoski on Unsplash
If you want to comment on this post, you need to login.