Guidance

The UK approach to international data transfers

Published 26 August 2021

UK adequacy

The UK is able to independently strike data adequacy decisions with international partners.

Data ‘adequacy’ is a status granted by the UK to countries which provide high standards of protection for personal data. An ‘adequacy’ determination means that personal data can be transferred from the UK to that country freely, in accordance with the terms of the relevant adequacy decision.

UK adequacy is granted by a Secretary of State. As well as designating a country to be adequate, the Secretary of State can also designate territories within a country, sectors of an economy, and international organisations as adequate.

UK adequacy is the most efficient way to freely transfer personal data as it removes the need for UK organisations to use alternative transfer mechanisms, which can be costly to implement. Adequacy can also provide consumers and organisations greater certainty and confidence in the regulatory landscape of another country.

The UK adequacy process and associated suite of documentation seek to ensure that the UK can be robust and systematic, creating the conditions to deliver on a scale that matches HMG ambitions while ensuring high data protection standards are maintained.

The UK has designed and implemented independent policies and processes for striking UK adequacy agreements, and is progressing work to deliver UK adequacy arrangements in line with our global ambitions and commitment to high standards of data protection. Doing so will provide both UK organisations and our international partners with more straightforward and comprehensive mechanisms for international data transfers.

The ‘test’ for adequacy

The test for adequacy provided for in the UK GDPR is that when personal data is transferred internationally, the level of protection under the UK GDPR is not undermined. To determine this, we will consider the overall effect of a third country’s data protection laws, implementation, enforcement, and supervision.

When understanding how a third country protects personal data we will – amongst other things – take into account the following factors:

  • the rule of law, respect for human rights and fundamental freedoms;

  • the existence and effective functioning of an independent regulator; and

  • relevant international commitments.

We understand the responsibility that governments have to keep their citizens safe. We will take a respectful and considerate approach, noting that necessary and proportionate interference with the right to privacy can be justified in order to protect the public and is compatible with high standards on privacy.

What does the law say?

When assessing the adequacy of the level of protection for the purposes of sections 17A (and 74A) and 17B(12) (and 74B) of the Data Protection Act 2018, the Secretary of State shall, in particular, take account of the following elements:

a) The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred

b) The existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the [Information] Commissioner

c) The international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data

The procedure

There are 4 phases of work for UK adequacy:

1. Gatekeeping: consideration of whether to commence an adequacy assessment in respect of a country, by reference to policy factors reflecting UK interests. Policy factors which will be considered include the trade and diplomatic relationship between the UK and the third country together with an initial, high-level overview of the data protection rules in the third country and the existence of bodies that independently oversee compliance.

2. Assessment: collection and analysis of information relating to the level of data protection in another country. The UK adequacy team will conduct this work systematically to collect information on a third country’s relevant data protection laws and practices, including working (where appropriate) with external in-country legal experts and third country partners.

(i) The Manual Template is a document containing questions that guide the collection of relevant information relating to a country’s data protection. The questions are based on key principles of the safeguards in the UK GDPR, while recognising that countries protect personal data in different ways. Answers to the questions – together with further information and analysis – provide relevant detail and evidence of how effectively personal data is protected in legislation and in practice.

(ii) The Manual Guidance provides users with a guide to filling out the Manual Template, supporting the identification and recording of relevant information.

3. Recommendation: the UK adequacy team make a recommendation to the Secretary of State who will, after consulting the Information Commissioner and any others considered appropriate, decide whether to make a determination of adequacy in respect of a specific country.

4. Procedural: making relevant regulations – and laying these in Parliament – to give legal effect to an adequacy determination of the Secretary of State.

The Role of the Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the UK’s independent data protection regulator, and has responsibility – amongst other things – for advising UK data controllers on compliance with UK data protection law. This includes the provision of guidance on legal bases for international data transfers.

In making and laying UK adequacy regulations, the Secretary of State must consult the Information Commissioner. A Memorandum of Understanding with the Information Commissioner sets out the agreed understanding of the ICO’s roles and responsibilities in relation to UK adequacy assessments.

DSIT – ICO Memorandum of Understanding

The ICO’s role in relation to UK adequacy work – in line with its independent regulatory role and statutory responsibilities – includes, where appropriate:

(i) During the Gatekeeping and Assessment phases, when engaged by officials in DSIT: providing comments and advice to DSIT officials, including via provision of relevant factual information that relates to a country’s data protection laws and practices (e.g. the role and effectiveness of the relevant country’s regulator)

(ii) During the Recommendation phase: providing a response on the draft conclusions of a DSIT assessment so that the Commissioner’s view can be included in the recommendation to the Secretary of State and factored into their decision making. In forming its view, the ICO will consider, amongst other factors, the features of a country’s data protection laws and practices in the round, recognising that different countries have different ways of ensuring adequate levels of data protection

(iii) During the Procedural phase: providing advice and/or an opinion to Parliament, including on the process followed and the factors taken into consideration by the DSIT adequacy assessment team and the Secretary of State.

See more information on the ICO’s role in UK adequacy work.

The role of Parliament

To give legal effect to a decision to specify a country as ‘adequate’, the Secretary of State must make regulations and lay these in Parliament. Once laid in Parliament, these regulations will be subject to the ‘negative resolution’ procedure. Regulations laid under this procedure become law at the point the Minister signs them, and will come into force on the day specified in the regulations (typically at least 21 days after being laid in Parliament). Under this procedure, both Houses of Parliament have a period of 40 days,[footnote 1] during which time they may consider a motion – or ‘prayer’ – to reject the Regulations.

Monitoring, reviewing, and challenging adequacy

Following the adoption of adequacy regulations in respect of a given country, they must be monitored and kept under periodic review, at intervals of not more than 4 years.[footnote 2]

During this time, the Secretary of State may also amend or revoke UK adequacy regulations. Adapting adequacy decisions to evolving business and legal realities through regular review can help ensure the durability of those decisions.

All UK adequacy regulations reflecting a decision taken by the UK government can be challenged in domestic courts by way of an application for judicial review. In the event that a challenge is successful, the adequacy regulations will be annulled.

Existing UK Adequate Countries, Jurisdictions and Territories

| EU Member States | Commencement of Adequacy |
| --- | --- |
| Austria | December 2020 |
| Belgium | December 2020 |
| Bulgaria | December 2020 |
| Croatia | December 2020 |
| Cyprus | December 2020 |
| Czechia | December 2020 |
| Denmark | December 2020 |
| Estonia | December 2020 |
| Finland | December 2020 |
| France | December 2020 |
| Germany | December 2020 |
| Greece | December 2020 |
| Hungary | December 2020 |
| Ireland | December 2020 |
| Italy | December 2020 |
| Latvia | December 2020 |
| Lithuania | December 2020 |
| Luxembourg | December 2020 |
| Malta | December 2020 |
| Netherlands | December 2020 |
| Poland | December 2020 |
| Portugal | December 2020 |
| Romania | December 2020 |
| Slovakia | December 2020 |
| Slovenia | December 2020 |
| Spain | December 2020 |
| Sweden | December 2020 |

| EEA Member States | Commencement of Adequacy |
| --- | --- |
| Iceland | December 2020 |
| Liechtenstein | December 2020 |
| Norway | December 2020 |

| Countries, Jurisdictions and Territories | Commencement of Adequacy |
| --- | --- |
| Andorra | December 2020 |
| Argentina | December 2020 |
| Canada (partial) | December 2020 |
| Faroe Islands | December 2020 |
| Gibraltar | December 2020 |
| Guernsey | December 2020 |
| Isle of Man | December 2020 |
| Israel | December 2020 |
| Japan (partial) | December 2020 |
| Jersey | December 2020 |
| New Zealand | December 2020 |
| Republic of Korea | December 2022 |
| Switzerland | December 2020 |
| United States (Data Privacy Framework) | September 2023 |
| Uruguay | December 2020 |

The UK is currently undertaking a robust monitoring and review process of adequate countries to ensure that UK personal data continues to be well protected when it is sent overseas. Reviews for countries where adequacy commenced in 2020 are anticipated to exceed the deadline of December 31st 2024. The outcome will be published upon completion of the reviews.

All UK adequate countries are currently in receipt of an EU adequacy decision, and periodically reviewed by the EU.

See latest guidance on adequate countries from the Information Commissioner’s Office.

Alternative transfer mechanisms

Alternative transfer mechanisms, also referred to as international transfer tools (ITTs), help to provide appropriate safeguards for international transfers of personal data to other countries in a way that ensures that the level of protection of individuals guaranteed by the UK GDPR is not undermined. They are primarily used to transfer personal data to other countries where it is not possible to rely on UK adequacy. They typically place obligations on both the data exporter and data importer to ensure that personal data is protected when it is transferred outside the UK.[footnote 3]

The UK government is working with the ICO to ensure that UK businesses, and third and public sector organisations, have effective and economical mechanisms that provide appropriate safeguards for transferring personal data internationally. These mechanisms are, and will continue to be, supported by clear and pragmatic guidance which enables UK data controllers of all sizes to implement them.

Transfer tools also provide the basis on which the UK government can develop interoperability with other international transfer frameworks. The UK government is working with international partners, including through the G7 and other fora, on global solutions to address the barriers to cross border data transfers.

The international data transfers ‘toolkit’

There are several mechanisms provided by the UK GDPR for the private sector; these include:

Options tailored to the specific needs of the public sector include:

  • legally binding instruments between public authorities/bodies[footnote 8]

  • administrative arrangements between public authorities/bodies.[footnote 9]

Standard and custom data protection clauses

Standard data protection clauses are ready-made contractual clauses designed to provide appropriate safeguards for transferring personal data to organisations in third countries. Both parties must sign up to these terms of use before data is transferred.

Both the Information Commissioner and the Secretary of State have powers to issue new standard data protection clauses in accordance with Article 46(2)(c) and (d). S119A of DPA 2018 provides that the Information Commissioner may issue a document specifying a standard data protection clause which they consider to provide appropriate safeguards for the purposes of transferring personal data to a third country or an international organisation.[footnote 10]

Before issuing this document, the Commissioner must consult appropriate persons, including the Secretary of State, who is responsible for laying standard data protection clauses issued by the Information Commissioner before Parliament. There is then a 40-day period in which Parliament can bring a motion to debate the clauses. S17C of the Data Protection Act 2018 provides similar powers for the Secretary of State to directly specify, in regulations, standard data protection clauses. Such regulations will then need to be laid before Parliament and be subject to the negative resolution procedure.

On 2 February 2022, the Secretary of State laid the new UK International Data Transfer Agreement (IDTA) and international data transfer addendum to the European Commission’s Standard Contractual Clauses for international transfers (“the Addendum”) before Parliament. Data exporters can make use of the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making transfers to non-adequate countries. Visit the ICO’s website for further information and guidance on the international data transfer agreement.

UK data controllers are also able to develop and use their own custom data protection clauses, subject to approval by the ICO.

Binding Corporate Rules (BCRs)

BCRs are a set of rules providing adequate safeguards that UK companies may use in order to lawfully transfer personal data to other companies outside the UK within the same group structure. They must be approved by the ICO.

Codes of conduct

Data protection codes of conduct are sector-specific guidelines approved by the ICO that may be drawn up by trade associations and other representative bodies. These guidelines can address the specific data protection challenges shared by a certain sector or industry and better reflect the processing activities of the organisations signed up to the code.

Codes of conduct can help both controllers and processors understand how to comply with the UK GDPR, and set a standard for good practice shared by all those adhering to the code. If a code of conduct provides for appropriate safeguards, then it is possible to rely on these to transfer personal data to controllers and processors established in other countries who have made binding and enforceable commitments to adhere to the code and to apply the appropriate safeguards.

See detailed guidance on how to develop an international code of conduct.

Certification schemes

Certification schemes can help controllers or processors to demonstrate compliance with the UK GDPR. Certification schemes must be approved by the ICO and adhere to the criteria set out in ICO guidance on certification. Certification schemes may also be used to help with international transfers.

  1. This 40-day period does not include any time during which Parliament is dissolved or prorogued, or during which both Houses are adjourned for more than 4 days. 

  2. Section 17B makes provision for regulations made using the powers in section 17A to be reviewed. This reflects the review requirement currently found in Article 45(3)-45(4) with which the EU Commission must comply when making adequacy decisions. 

  3. Transfers on the basis of appropriate safeguards are also possible under Part 3 of the DPA 2018 for international transfers by UK competent authorities.

  4. Article 46 (2)(c) and (d), Article 46(3)(a) 

  5. Article 46 (2)(b), Article 47 

  6. Article 40, Article 41 and Article 46(2)(e) 

  7. Article 46 (2)(f), Article 42, Article 43 and s17 of the Data Protection Act 2018 

  8. Article 46(2)(a) 

  9. Article 46(3)(b) 

  10. Article 46 of UK GDPR