International Data Transfer Fundamentals – Transfers from the UK

You may have seen headlines last year about Meta, the owner of Facebook, being fined €1.2bn in relation to a data issue. The fine relates to the transfer of personal data by Meta to the United States of America (US). According to EU regulators, Meta failed to adequately protect the personal data which it sent to the US, resulting in the largest data protection fine ever issued and a ban on sending personal data to the US. This fine preceded the EU/US and UK/US adequacy decisions.

So how do you make sure that you are not risking a large fine when you send personal data from the UK to another country?

There are some countries that are considered to provide an adequate level of protection for personal data. For transfers from the UK these are:

The EEA countries, Andorra, Argentina, United States of America (limitations apply), Canada (limitations apply), Faroe Islands, Guernsey, Israel, Isle of Man, Japan (limitations apply), Jersey, New Zealand, Republic of Korea (limitations apply), Switzerland, Gibraltar, and Uruguay.

However, if you are sending personal data elsewhere (or to a country named above but outside of the adequacy regime), you will need to take extra steps to ensure the data is adequately protected.

The most commonly used starting point is a set of standard contractual clauses approved by the UK, but you will also need to do a risk assessment to check whether there is any risk that the protections contained in the standard clauses might be ineffective, especially the risk that personal data might be accessed by public authorities. It is likely that you will need to take additional measures (e.g., increasing security by methods such as encryption or by putting additional obligations on the company you transfer the data to) to protect the personal data.

This is the hurdle on which Meta stumbled. They had put in place a significant number of additional measures to protect the personal data, but the data protection regulators considered they had not done enough to adequately protect the personal data they were transferring.

Meta is a high-profile company and so is at particular risk of being targeted by public entities looking for information about individuals who are of interest to them. However, all companies sending personal data to other countries must be alive to, and take action to mitigate, risks to personal data.

You might not think that you send personal data outside of the UK, but consider your third-party suppliers. If, for example, they are sending personal data to one of their group companies in another country, this will be considered a transfer of personal data and so you will be responsible for ensuring that the data is adequately protected.

If you need any assistance with navigating the rules relating to international data transfers, our team would be happy to help. You can get in touch by [ ].

If you would like help with transferring personal data internationally in a compliant way, then don’t hesitate to get in touch.

