Protecting Data Transferred Overseas in a Post-Brexit World
A new Memorandum of Understanding has been agreed between the DCMS and the ICO, shedding light on how the UK will make the adequacy decisions that permit personal data to be transferred from the UK to third countries.
Data protection law prohibits personal data being transferred out of the European Economic Area (EEA) unless certain conditions or safeguards are in place. One such condition is an adequacy decision made by the European Commission, on behalf of the European Union’s member states, in relation to the destination country (the “third country”). Since the end of the Brexit transition period, the UK GDPR has applied the same restriction to transfers out of the UK, and the UK is now responsible for making its own adequacy assessments of third countries. That responsibility falls to the Secretary of State for the Department for Digital, Culture, Media & Sport (DCMS).
The DCMS has now signed a Memorandum of Understanding with the Information Commissioner’s Office (ICO), setting out the roles and responsibilities of the two organisations in conducting adequacy assessments on third countries.
The DCMS’s role has been divided into four distinct phases:
- Gatekeeping – reaching a decision as to whether to start an assessment of a third country.
- Assessment – analysing information relating to the level of that country’s data protection.
- Recommendation – making a recommendation to the Secretary of State, who will then decide whether to make a finding of adequacy and introduce UK Adequacy Regulations in respect of the third country.
- Procedure – making the relevant UK Adequacy Regulations, introducing them in Parliament, and publishing the ICO’s opinion.
Throughout these stages, the ICO will provide its comments and advice. However, the DCMS is not bound by the ICO’s opinion.
When carrying out its assessment of the adequacy of data protection offered by a third country, the DCMS must consider the following:
- Legal Framework – The third country government’s respect for the rule of law, human rights, and fundamental freedoms, along with any relevant legislation, including that which concerns public security, defence, national security, criminal law, and the access to personal data granted to public authorities. This also covers the country’s data protection rules, particularly those governing onward transfers of personal data to other third countries or parties, and the existence of effective and enforceable rights for data subjects, including administrative and judicial redress, all of which should be supported by case law.
- Enforcement – The existence and efficacy of independent supervisory bodies responsible for ensuring and enforcing compliance with data protection rules. These bodies should have adequate enforcement powers and should be able to assist and advise data subjects in exercising their rights.
- International Obligations – Any international commitments that the third country has entered into, or any other obligations arising from legally binding conventions, instruments, or participation in regional systems, particularly in the context of personal data.
For the time being, the UK has preserved the European Commission’s existing adequacy decisions for third countries. However, the UK government has made clear that it intends to expand the list of adequate third countries. This intention, coupled with the planned overhaul of the UK General Data Protection Regulation announced by Oliver Dowden, forms part of a wider government move towards giving organisations greater regulatory leeway for international data transfers. Whether this new approach to data protection, and the administrative benefits it may bring UK businesses, will have adverse impacts on the privacy of UK citizens, or create hurdles to the continued free flow of data between the UK and the EEA, remains to be seen.