Transfers of personal data to recipients outside of the UK (ie recipients in a 'third country') are prohibited under data protection law unless certain safeguards are in place. Such transfers to third countries are known as ‘restricted transfers’.
This affects all organisations that engage in international data transfers, for example, by using cloud-based services. Such organisations need to implement lawful data transfer mechanisms (eg by putting safeguards in place) in order to be compliant.
Businesses should also ensure that their privacy policies are clear about transfers of personal data.
'Adequate' third countries
International transfers to recipients in third countries may take place without the need to obtain any further authorisation (ie without further safeguards needing to be put in place) if the UK has issued an adequacy regulation for the country (or international organisation) that the data is being transferred into. An adequacy regulation indicates that the UK Government has decided that the third country (or organisation) ensures adequate levels of data protection.
The UK currently has an adequacy regulation in place for the whole of the European Economic Area (EEA). This means that the data protection regimes of all of the countries within the EEA are currently considered adequate. The current list of countries considered 'adequate' can be found on the website of the Information Commissioner's Office (ICO).
You may transfer personal data when the organisation receiving the personal data has provided appropriate safeguards. Appropriate safeguards may be put in place via:
Binding corporate rules (BCRs)
International data transfers between organisations within a corporate group (eg multinational companies or companies involved in a joint venture) may take place on the basis of Binding Corporate Rules (BCRs). BCRs require approval from data protection authorities (eg the ICO). However, once such approval is obtained, individual transfers can be made under a BCR without requiring further approval. A BCR may be created for a particular corporate group and may be tailored to meet its businesses’ specific data protection needs.
BCRs are like a code of conduct that organisations within the group must follow when making international data transfers. They allow organisations to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection.
For more information on BCRs, read the ICO’s guidance.
Standard contractual clauses (SCCs)
International data transfers may take place on the basis of standard data protection clauses known as ‘standard contractual clauses’ (SCCs) or ‘model clauses’. Model clauses are pre-approved contractual clauses that you use by incorporating them into (ie legally including them in) a contract with the party receiving the data that you’re transferring.
The clauses must be used (essentially) as they stand. Any additional contractual language added to them should not contradict them in any way.
Model clauses for data transfers out of the UK need to be approved or issued by the UK Government. Before Brexit, the UK used the EU’s model clauses. Since 1 January 2021, the UK has had the power to produce its own model clauses, and it has done so: in March 2022 two new options for data protection model clauses came into effect in the UK:
International Data Transfer Agreements (IDTAs) - this is effectively the UK’s new equivalent to the EU’s new SCCs. The IDTA is a comprehensive contract covering data protection measures (eg security requirements). It can be used on its own to safeguard transfers of personal data out of the UK
the International Data Transfer Addendum to the new EU SCCs (the Addendum) - the Addendum is used in conjunction with, and consequently incorporated into, the new EU SCCs. It is designed to be used when transferring data outside of both the UK and the EU. It provides a time-saving option if you’re transferring data out of the EU anyway, as it doesn’t require aspects of the new EU SCCs to be repeated for the UK part of the transfer
As of 21 September 2022, the IDTA or the Addendum must be used for all new data processing contracts that require model clauses.
For more information, read Standard contractual clauses.
Contracts concluded before 21 September 2022 using the old EU SCCs count as adequately safeguarded for UK GDPR purposes until 21 March 2024, assuming that the processing carried out under the contract doesn’t significantly change during this time. After that date, an IDTA or the Addendum must be in place for these existing contracts.
The EU SCCs
Note that, on 4 June 2021, the European Commission published new SCCs under the EU’s GDPR (the ‘new EU SCCs’). These are not valid for restricted transfers from the UK.
Certifications
International data transfers may take place on the basis of certifications. Certification schemes must be approved by the ICO and must include safeguards for protecting individuals’ data protection rights during restricted transfers. A certification gives an organisation formally recognised confirmation that it complies with UK data protection law, typically accompanied by a visual symbol (a seal or mark) showing that the organisation satisfies the requirements of the relevant scheme.
International transfers from the EU to the UK
On 1 January 2021, the UK became a ‘third country’ (ie a country outside of the EU) for the purposes of personal data transfers from the EU.
On 28 June 2021, the European Commission adopted an ‘adequacy decision’ (the EU equivalent of a UK adequacy regulation) in relation to transfers of personal data from the EU and EEA to the UK.
This means that personal data transfers from the EU and EEA to the UK can be made without the need to put in place additional safeguards via contractual paperwork, measures, or assessments. The adequacy decision will be reviewed every 4 years and, provided the UK continues to ensure an adequate level of data protection, likely renewed.
For more information, read the ICO’s guidance on adequacy.