In November 2022, the UK Government announced that it had put in place UK GDPR ‘adequacy regulations’ in respect of South Korea (the Republic of Korea (“ROK”)). These new regulations will allow UK-based organisations to transfer personal data to ROK without restrictions.
ROK is the first country with which the UK has agreed adequacy regulations since it left the EU in January 2020. The EU put in place adequacy regulations (known as an adequacy decision in the EU) in respect of ROK in December 2021. Although the UK’s decision has come later, it goes further than the EU, as it allows UK organisations to share personal data that includes credit information.
Notably, neither the UK nor the EU has yet agreed adequacy regulations with the USA. As we discussed in a previous blog post, attempts to put such regulations in place are ongoing.
Transferring personal data
Personal data is data from which natural persons are identifiable. It can include, for example, names, home addresses, location data or IP addresses.
This type of data can only be transferred from the UK to other jurisdictions if adequacy regulations are in place, or if there are other ‘appropriate safeguards’. Under UK GDPR, appropriate safeguards are mechanisms to ensure that both the transferor and receiver of personal data are legally obligated to protect individuals’ rights in respect of their personal data. In cases where the appropriate safeguards route is pursued, a risk assessment must also be undertaken before the transfer is made.
The impact of unrestricted transfers
It is significantly less burdensome to transfer data from the UK to jurisdictions with which adequacy regulations are agreed. The economic implications of adequacy regulations being introduced can therefore be significant. As a result of adequacy regulations being introduced for ROK, UK businesses are expected to save £11 million a year and to increase exports to ROK by £3.8 million annually.
Adequacy regulations are also significant for companies undertaking international investigations and their legal advisors. The collection of personal data (for example employees’ emails) is often a key part of internal investigations. Where the investigation is cross-jurisdictional, this data may need to be transferred to lawyers or regulators in other jurisdictions. Undertaking a risk assessment and putting in place appropriate safeguards before transfer can slow down the investigation and create significant costs for companies.
A UK-US data transfer deal in 2023?
Although the introduction of adequacy regulations for ROK is welcome, adequacy regulations for the USA remain particularly desirable. It seems that the reintroduction of a partial adequacy decision is now on the horizon with the EU: in October 2022, President Biden signed an Executive Order implementing the EU-US data privacy framework that was announced in March 2022.
Although any agreement with the EU will not affect UK data transfers, the UK is unlikely to want to be disadvantaged in its dealings with the USA compared to the EU. Any adequacy decision reached by the EU in respect of the USA will therefore probably be closely followed by an agreement of adequacy regulations between the USA and the UK.