Expert council to advise UK government on post-Brexit international data transfer deals

The UK has launched a new government council that will advise national leaders on the nation’s international data transfers post-Brexit. The International Data Transfer Expert Council consists of some of the world’s leading data experts and comes as part of the UK government’s ambition to unlock the benefits of free and secure data flows after leaving the EU. However, whilst the opportunities of new cross-border data transfer agreements are plentiful, there are key data security, protection, and privacy implications to consider.

Data transfer expert council members a diverse group

The newly formed council includes global experts from civil society, academia, and industry with experience in a range of areas including healthcare, scientific research, artificial intelligence, and finance. Representatives from Google, Mastercard and Microsoft are among 20 experts attending the council’s first meeting January 25. They will discuss the global opportunities and challenges for international transfers and how the UK can be a global leader in removing barriers to cross-border data flows. The council will then meet quarterly to discuss issues such as future data adequacy partnerships, the development of new data transfer tools, and how governments can work together to promote greater trust in sharing personal data for law enforcement and national security purposes.

UK targets advantages of new international data transfer deals

The UK government intends to strike new deals on personal data transfers with some of its key trading partners around the world as part of its National Data Strategy. Whilst organisations can use a range of mechanisms under current UK data protection law to transfer personal data to other countries, the council aims to better harness the power of data to boost economic growth, create jobs, and deliver new innovations for people and public services.

The removal of barriers to international data flows will be key in here, providing more reliable, cheaper, and secure services, the government stated, adding that new data transfer agreements will build significantly on the annual £83 billion of data-enabled UK service exports. “Realizing the benefits of international data flows has never been more important,” commented data minister Julia Lopez. “We want the UK to drive forward cutting-edge policies at home and overseas to ensure people, businesses, and economies benefit from safe and secure data flows.”

The government has a list of countries it will prioritize for new data adequacy partnerships to ensure data protection standards mirror the UK’s. These currently include the United States, Australia, the Republic of Korea, and Singapore.

Kevin Tunison, data protection officer at Egress, tells CSO that more open international data sharing could unlock the potential of many businesses in the UK and abroad, encouraging innovation and lowering barriers to entry for startups. “Fledgling businesses have limited resources for gathering, or purchasing access to, data. Better data sharing would enable businesses to access and make use of global information lawfully, effectively lowering one of the barriers for young businesses, particularly in tech, that need access to information. Similarly, by providing access to UK data, it would level the playing field for entrepreneurs and businesses abroad who want to enter the UK market.”

Security and privacy implications of UK’s international data transfer ambitions

The advantages of new cross-border data transfer deals offer the potential of advancement and growth in several areas, but there will be important data security/protection and privacy implications as a result, experts say. “One of the most serious security implications will be understanding the impact on the supply chain,” says Tunison.

The Department for Digital, Culture, Media and Sport (DCMS) recently proposed that the UK move to a purely risk-based framework for data transfers. “This would include the requirement for data transfers to be lawful based on security accreditations, such as IS027001. It would mean the risk assessments may focus on the technical function rather than, in GDPR terms, the impact on everyday citizens,” says Tunison.

As for privacy implications, there is a need to consider the overall risk appetite for businesses, Tunison adds. “GDPR is now well-established, and businesses are used to working to this framework. Some businesses will be wary of any changes and the reaction they might generate from data subjects. The council should provide guidance to businesses and help them communicate the benefits of changes to data subjects.”

For Tash Whitaker, global data compliance director at Whitaker Solutions Ltd, an important data protection implication is that UK data subjects will find that their data could be transferred to countries with less protection than is currently afforded to them in Europe and the UK. “If the UK starts brokering agreements to send data to countries with a lower level of protection, then data subjects will lose control of their data and the way it is used, and it is likely that the European Economic Area will withdraw the UK’s own GDPR adequacy agreement.”

Indeed, opening up data sharing between countries risks an influx of lower quality data, agrees Tunison. “The council will need to consider this impact, and the measures to address information gathered via questionable or unlawful means, or data gathered with an obvious bias. Doing so will help guarantee the quality of data shared internationally,” he says.