International data transfers: building trust, delivering growth and firing up innovation

Published 26 August 2021

Ministerial foreword

The importance of international data transfers

Our hyper-connected world is reliant on data transfers. Everyday conveniences such as GPS navigation, wearable technology, smart home technologies, and content streaming services rely on data transfers. This enriches our lives, enables us to make informed choices, and helps us use our time more efficiently. International data transfers:

  • drive international commerce, trade and development. International data transfers underpin modern day business transactions and financial institutions. They help streamline supply chain management and allow businesses to scale and trade globally. In 2018 the UK exported £190 billion in services delivered digitally and in 2019, investments in the UK tech sector soared to £10.1bn – a £3.1bn increase on 2018’s figures and the highest level in UK history.
  • underpin innovation, research and development across multiple sectors. The health sector, universities, and other institutions use research data to fire up AI-powered systems that can cross-reference clinical queries with insights from millions of medical studies from around the world. This supports the delivery of better diagnoses, more cost-effective bio-pharmaceutical research, and the development of new life-saving treatments.
  • support international cooperation, including for international trade, law enforcement, and national security. Real-time and collaborative data sharing supports cooperation at countries’ borders and helps keep the public safe. In the financial sector, service providers analyse data generated across the world to detect patterns, identify and stop fraudulent transactions, and help combat other criminal behaviour.
  • enable us to stay emotionally and socially connected to one another. This was most keenly felt during the height of the COVID-19 pandemic. We were able to stay in touch with our friends and families and remain a part of our communities.

The UK has a unique opportunity – as a world leader in digital, and a champion of free trade and the rules-based international system – to be a global force for good when it comes to international data transfers.

The UK has a long and proud tradition of defending privacy rights. In the 1970s, the UK developed pioneering committees to explore the protection of personal data. In 1984 the UK passed the first Data Protection Act. More recently, the UK played an active role in developing the EU General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED). The UK government remains committed to high standards of data protection, not just in the UK but also when that data is transferred overseas.

There is a great opportunity for the UK to make use of its independent powers. As we have set out in our National Data Strategy, we are committed to championing international flows of data. We will make full use of our new powers, working globally to strike data adequacy agreements with our partners, to deliver innovative alternative mechanisms and remove unjustified barriers to international data transfers. In doing so we want to shape global thinking and promote the benefits of secure international exchange of data. This will be integral to global recovery and future growth and prosperity.

Our plans are ambitious and diverse. This is reflected in the UK’s flexible approach to adequacy, including our list of priority destinations for UK adequacy and our creative approach to designing globally interoperable transfer mechanisms.

There is a huge opportunity to build data bridges with our partners by being collaborative and pursuing an outcomes-based approach to international data transfers. This is one important part of the government’s wider ambition for a thriving, fast-growing digital sector in the UK, underpinned by public trust. We want the UK to be a nation of digital entrepreneurs, innovators and investors - the best place in the world to start and grow a digital business, as well as the safest place in the world to go online.

This Mission Statement sets out actions this government will take to support international data transfers. We set out how we will seize the new opportunities and the work that we must prioritise now. As always, our door is open. To make this work a success, it is important that we hear from – and work with – national and international stakeholders.

The Rt. Hon. Oliver Dowden CBE MP
Secretary of State for Digital, Culture, Media and Sport

The Rt. Hon. John Whittingdale OBE MP
Minister of State (Minister for Media and Data)

UK adequacy

(i) Overview

Now the UK has left the EU, we are able to independently strike data adequacy decisions with our international partners.

Data ‘adequacy’ is a status granted by the UK to countries which provide high standards of protection for personal data. An ‘adequacy’ determination means that personal data can be transferred from the UK to that country freely, in accordance with the terms of the relevant adequacy decision.

UK adequacy is granted by a Secretary of State. As well as designating a country to be adequate, the Secretary of State can also designate territories within a country, sectors of an economy, and international organisations as adequate.

UK adequacy is the most efficient way to freely transfer personal data as it removes the need for UK organisations to use alternative transfer mechanisms, which can be costly to implement. Adequacy can also provide consumers and organisations greater certainty and confidence in the regulatory landscape of another country.

The UK adequacy process and associated suite of documentation seek to ensure that the UK can be robust and systematic, creating the conditions to deliver on a scale that matches HMG ambitions while ensuring high data protection standards are maintained.

The UK has designed and implemented independent policies and processes for striking UK adequacy agreements, and is progressing work to deliver UK adequacy arrangements in line with our global ambitions and commitment to high standards of data protection. Doing so will provide both UK organisations and our international partners with more straightforward and comprehensive mechanisms for international data transfers.

The UK is working in partnership with a number of priority destinations for adequacy. These priorities span the globe and reflect the scale of our ambitions. Data-enabled services to these destinations are already worth more than £80 billion.

New partnerships will unlock more growth and allow us to share crucial information, such as life-saving research and cutting-edge technology innovation across our borders.

The UK’s list of priority destinations for adequacy

  • Australia
  • Brazil
  • Colombia
  • The Dubai International Financial Centre
  • India
  • Indonesia
  • Kenya
  • The Republic of Korea
  • Singapore
  • The United States of America

See detailed map of UK data partnerships.

Case study:

Data-fuelled technology is transforming important sectors of the economy and society and, in doing so, is providing tangible benefits for both people and businesses. In a globally-connected world, scientific endeavours are increasingly international and underpinned by the flow of data.

International data transfers enable researchers and organisations like Congenica to better understand and diagnose rare genetic diseases, and to identify links between health and lifestyle factors and the incidence of such diseases. Data transfers unlock access to vital datasets from laboratories and research institutions worldwide, enhancing the speed and scope of Congenica’s life-saving innovation, and supporting collaboration and the exchange of ideas.

Secure and seamless personal data transfers are essential for running clinical trials like the Oxford AstraZeneca vaccine development. Patient data and test results need to be routinely transferred across international borders from trial sites to researchers conducting the analysis. International agreements on data will make it easier for UK scientists to conduct trials with diverse, global patient data sets. This is especially crucial for research into rare and childhood diseases, as due to the nature of these diseases, patient data is required from many different countries in order to have robust and scientifically sound sample sizes. As well as improving the quality of the scientific research and boosting the UK’s position as a scientific superpower, international data partnerships will make these vital clinical trials more cost effective, freeing up resources for the work that matters.

The UK’s adequacy list

The following are deemed adequate for the purposes of the UK GDPR (as at 01/01/21).

EU Member States and European Economic Area Members

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • The EU institutions
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Latvia
  • Liechtenstein
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Norway
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

Other adequate countries, jurisdictions and territories

  • Andorra
  • Argentina
  • Canada (partial)
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • Faroe Islands
  • New Zealand
  • Gibraltar
  • Switzerland
  • Uruguay

Latest guidance on adequate countries from the Information Commissioner’s Office.

(ii) The ‘test’ for adequacy

The test for adequacy provided for in the UK GDPR is that when personal data is transferred internationally, the level of protection under the UK GDPR is not undermined. To determine this, we will consider the overall effect of a third country’s data protection laws, implementation, enforcement, and supervision.

When understanding how a third country protects personal data we will - amongst other things - take into account the following factors:

  • The rule of law, respect for human rights and fundamental freedoms;
  • The existence and effective functioning of an independent regulator; and
  • Relevant international commitments.

We understand the responsibility that governments have to keep their citizens safe. We will take a respectful and considerate approach, noting that necessary and proportionate interference with the right to privacy can be justified in order to protect the public and is compatible with high standards on privacy.

What does the law say?

When assessing the adequacy of the level of protection for the purposes of sections 17A (and 74A) and 17B(12) (and 74B) of the Data Protection Act 2018, the Secretary of State shall in particular, take account of the following elements:

a). The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

b). The existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the [Information] Commissioner; and

c). The international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

(iii) The procedure

There are four phases of work for UK adequacy: (1) Gatekeeping, (2) Assessment, (3) Recommendation, and (4) Procedural.

Gatekeeping: consideration of whether to commence an adequacy assessment in respect of a country, by reference to policy factors reflecting UK interests. Policy factors which will be considered include the trade and diplomatic relationship between the UK and the third country together with an initial, high-level overview of the data protection rules in the third country and the existence of bodies that independently oversee compliance.

Assessment: collection and analysis of information relating to the level of data protection in another country. The UK adequacy team will conduct this work systematically to collect information on a third country’s relevant data protection laws and practices, including working (where appropriate) with external in-country legal experts and third country partners.

(i) The Manual Template is a document containing questions that guide the collection of relevant information relating to a country’s data protection. The questions are based on key principles of the safeguards in the UK GDPR, while recognising that countries protect personal data in different ways. Answers to the questions - together with further information and analysis - provide relevant detail and evidence of how effectively personal data is protected in legislation and in practice.

(ii) The Manual Guidance provides users with a guide to filling out the Manual Template, supporting the identification and recording of relevant information.

Recommendation: the UK adequacy team make a recommendation to the Secretary of State who will, after consulting the Information Commissioner and any others considered appropriate, decide whether to make a determination of adequacy in respect of a specific country.

Procedural: making relevant regulations - and laying these in Parliament - to give legal effect to an adequacy determination of the Secretary of State.

The Role of the Information Commissioner’s Office. The Information Commissioner’s Office (ICO) is the UK’s independent data protection regulator, and has responsibility - amongst other things - for advising UK data controllers on compliance with UK data protection law. This includes the provision of guidance on legal bases for international data transfers.

In making and laying UK adequacy regulations, the Secretary of State must consult the Information Commissioner. A Memorandum of Understanding has been agreed between the Secretary of State for Digital, Culture, Media and Sport and the Information Commissioner which sets out the agreed understanding of the ICO’s roles and responsibilities in relation to UK adequacy assessments.

DCMS - ICO memorandum of understanding

  • The ICO’s role in relation to UK adequacy work – in line with its independent regulatory role and statutory responsibilities – includes, where appropriate:

    (i) During the Gatekeeping and Assessment phases, when engaged by officials in DCMS: providing comments and advice to DCMS officials, including via provision of relevant factual information that relates to a country’s data protection laws and practices (e.g. the role and effectiveness of the relevant country’s regulator);

    (ii) During the Recommendation phase: providing a response on the draft conclusions of a DCMS assessment so that the Commissioner’s view can be included in the recommendation to the Secretary of State and factored into their decision making. In forming its view, the ICO will consider, amongst other factors, the features of a country’s data protection laws and practices in the round, recognising that different countries have different ways of ensuring adequate levels of data protection; and

    (iii) During the Procedural phase: providing advice and/or an opinion to Parliament, including on the process followed and the factors taken into consideration by the DCMS adequacy assessment team and the Secretary of State.

More information on the ICO’s role in UK adequacy work.

The role of Parliament. To give legal effect to a decision to specify a country as ‘adequate’, the Secretary of State must make regulations and lay these in Parliament. Once laid in Parliament, these regulations will be subject to the ‘negative resolution’ procedure. Regulations laid under this procedure become law at the point the Minister signs them, and will come into force on the day specified in the regulations (typically at least 21 days after being laid in Parliament). Under this procedure, both Houses of Parliament have a period of 40 days,[footnote 1] during which time they may consider a motion - or ‘prayer’ - to reject the Regulations.

(iv) Monitoring, reviewing, and challenging adequacy

Following the adoption of adequacy regulations in respect of a given country, they must be monitored and kept under periodic review, at intervals of not more than four years.[footnote 2] During this time, the Secretary of State may also amend or revoke UK adequacy regulations. Adapting adequacy decisions to evolving business and legal realities through regular review can help ensure the durability of those decisions.

All UK adequacy regulations reflecting a decision taken by the UK government can be challenged in domestic courts by way of an application for judicial review. In the event that a challenge is successful, the adequacy regulations will be annulled.

Alternative transfer mechanisms

(i) Overview

Alternative transfer mechanisms, also referred to as international transfer tools (ITTs), help to provide appropriate safeguards for international transfers of personal data to other countries in a way that ensures that the level of protection of individuals guaranteed by the UK GDPR is not undermined. They are primarily used to transfer personal data to other countries where it is not possible to rely on UK adequacy. They typically place obligations on both the data exporter and data importer to ensure that personal data is protected when it is transferred outside the UK.[footnote 3]

The UK government is working with the ICO to ensure that UK businesses, and third and public sector organisations, have effective and economical mechanisms that provide appropriate safeguards for transferring personal data internationally. These mechanisms are, and will continue to be, supported by clear and pragmatic guidance which enables UK data controllers of all sizes to implement them.

Transfer tools also provide the basis on which the UK government can develop interoperability with other international transfer frameworks. The UK government is working with international partners, including through the G7 and other fora, on global solutions to address the barriers to cross border data transfers.

Case study:

UK organisations of all sizes and across all sectors rely on various services from overseas, such as email marketing, online retail, communication platforms like Zoom, and cloud storage, in order to grow, collaborate, and innovate in a cost-effective manner. In an era of remote work, cross-border data transfers have enabled growth, productivity, innovation, and a strong and competitive market position for these companies. Data transfers are especially important for micro-, small-, and medium-sized businesses as they can open up overseas markets and supply chains, improve innovation and competitiveness, and build access to finance.

For individuals, data transfers underpin services that mean we can shop far and wide when buying a car via Cazoo, help us and our children sleep better and think mindfully via Moshi, and open up the sharing economy for items small and large via Fat Llama. UK companies like Revolut and Babylon empower fingertip access to our bank accounts and to healthcare services, respectively.

Many of these services use cloud-based solutions. When UK consumers and businesses use their services, this is only possible because of data transfers from the UK. If we can remove barriers to these data flows, it means that such services can be provided faster, more reliably and securely, and cheaper.

Where businesses and organisations routinely transfer data around the world, adequacy may not always be the right tool for the job. We have a number of alternative transfer mechanisms - or transfer ‘tools’ in our ‘toolkit’ - to ensure UK data is appropriately protected when it is transferred outside of the UK.

The international data transfers ‘toolkit’

There are several mechanisms provided by the UK GDPR for the private sector, these include:

Options tailored to the specific needs of the public sector include:

  • Legally binding instruments between public authorities/ bodies[footnote 8]
  • Administrative arrangements between public authorities/ bodies.[footnote 9]

(ii) Standard and custom data protection clauses

Standard data protection clauses are ready-made contractual clauses designed to provide appropriate safeguards for transferring personal data to organisations in third countries. Both parties must sign up to these terms of use before data is transferred.

Standard data protection clauses adopted by the European Commission before 31 December 2020 continue to be effective for international transfers from the UK until they are replaced by new data protection clauses adopted by either the Secretary of State or the Information Commissioner.[footnote 10]

Both the Information Commissioner and the Secretary of State have powers to issue new standard data protection clauses in accordance with Article 46(2)(c) and (d). S119A of DPA 2018 provides that the Information Commissioner may issue a document specifying a standard data protection clause which they consider to provide appropriate safeguards for the purposes of transferring personal data to a Third Country or an international organisation.[footnote 11]

Before issuing this document, the Commissioner must consult appropriate persons, including the Secretary of State, who is responsible for laying standard data protection clauses issued by the Information Commissioner before Parliament. There is then a 40-day period in which Parliament can bring a motion to debate the clauses. S17C of the Data Protection Act 2018 provides similar powers for the Secretary of State to directly specify, in regulations, standard data protection clauses. Such regulations will then need to be laid before Parliament and be subject to the negative resolution procedure.

The Information Commissioner recently launched a consultation on new standard data protection clauses and international data transfers guidance, which are expected to be adopted at the end of 2021.

UK data controllers are also able to develop and use their own custom data protection clauses, subject to approval by the ICO.

(iii) Binding Corporate Rules (BCRs)

BCRs are a set of rules providing adequate safeguards that UK companies may use in order to lawfully transfer personal data to other companies outside the UK within the same group structure. They must be approved by the ICO. For further guidance on how to develop a BCR, please see the ICO’s website.

Companies who held an EU approved BCR on 31 December 2020 are eligible for a UK BCR if relevant conditions are met by the end of June 2021, subject to the Information Commissioner’s approval.[footnote 12]

(iv) Codes of conduct

Data protection codes of conduct are sector-specific guidelines approved by the ICO that may be drawn up by trade associations and other representative bodies. These guidelines can address the specific data protection challenges shared by a certain sector or industry and better reflect the processing activities of the organisations signed up to the code.

Codes of conduct can help both controllers and processors understand how to comply with the UK GDPR, and set a standard for good practice shared by all those adhering to the code. If a code of conduct provides for appropriate safeguards, then it is possible to rely on these to transfer personal data to controllers and processors established in other countries who have made binding and enforceable commitments to adhere to the code and to apply the appropriate safeguards.

This mechanism is currently underutilised. We strongly encourage industry bodies to develop their own international codes of conduct and make full use of the mechanisms available in the UK GDPR. We are keen to speak to organisations that are considering the development of an ICO approved code of conduct for data sharing, that will also act as a safeguard for international transfers, or who are considering developing a new international code of conduct. Detailed guidance on how to develop an international code of conduct.

(v) Certification schemes

Certification schemes can help controllers or processors to demonstrate compliance with the UK GDPR. Certification schemes must be approved by the ICO and adhere to the criteria set out in ICO guidance on certification. Certification schemes may also be used to help with international transfers.

As with codes of conduct, certification schemes are not currently widely used to support international transfers. We recognise the potential offered by this underutilised mechanism and are working to understand how the UK government can support the development of certification schemes for international transfers purposes.

  1. This 40-day period does not include any time during which Parliament is dissolved or prorogued, or during which both Houses are adjourned for more than four days. 

  2. Section 17B makes provision for regulations made using the powers in section 17A to be reviewed. This reflects the review requirement currently found in Article 45(3)-45(4) with which the EU Commission must comply when making adequacy decisions. 

  3. Transfers on the basis of appropriate safeguards are also possible under Part 3 of the DPA2018 for international transfers by UK competent authorities. 

  4. Article 46 (2)(c) and (d), Article 46(3)(a) 

  5. Article 46 (2)(b), Article 47 

  6. Article 40, Article 41 and Article 46(2)(e) 

  7. Article 46 (2)(f), Article 42, Article 43 and s17 of the Data Protection Act 2018 

  8. Article 46(2)(a) 

  9. Article 46(3)(b) 

  10. Under powers set out in section 17C and section 119A of the Data Protection Act 2018 

  11. Article 46 of UK GDPR 

  12. Directive 95/46/EC. Further guidance is available from the ICO