We have also seen huge shifts in the ways that we work as a result of the Covid-19 pandemic. Remote working during the pandemic has demonstrated that location does not need to be a barrier to recruitment and is enabling businesses to tap into a much larger talent pool, with many businesses now boasting a remote, global workforce.
Both international trade and cross-jurisdiction recruitment require the transfer of personal data overseas, which creates new challenges for businesses to grapple with.
Businesses that are expanding internationally will need to navigate the varying privacy laws that apply within the jurisdictions that they plan to operate. Additionally, many of these privacy laws will set out specific rules for the transfer of personal data between countries. These rules limit the free flow of personal data between different jurisdictions to protect individuals’ privacy rights. Properly navigating these transfer rules is key for international expansion.
Understanding UK requirements for international transfers
Under UK data protection law, businesses can only transfer personal data to another legal entity outside of the UK in the following scenarios:
- Adequacy decision. Where the recipient is located in a country that has been deemed to provide adequate protection for personal data, for example countries within the European Economic Area (EEA), New Zealand and the Republic of Korea.
- Appropriate safeguards. If appropriate safeguards are implemented, for example standard data transfer clauses, and the data exporter has completed a transfer risk assessment to conclude that the chosen safeguards do provide an appropriate level of protection in the context.
- Exceptions. If a specific exception applies, for example in an emergency situation or where the data exporter has the data subject’s explicit consent. These exceptions operate on a particularly narrow basis though and are unlikely to apply to routine transfers in the ordinary course of business.
The UK government is alive to the difficulties faced by businesses trying to implement appropriate safeguards and complete necessary transfer risk assessments and is utilising its post-Brexit freedom to progress independent adequacy talks with new jurisdictions. Once a country is granted an adequacy decision, businesses are free to transfer personal data to that location without implementing appropriate safeguards and completing transfer risk assessments. There is a strategic focus on adequacy talks with locations that represent good trade opportunities, where the free flow of personal data would be especially desirable. Australia, Brazil, India, Singapore and the USA are all priority locations.
Top tips when scaling internationally
Strategic location decisions
It is crucial that businesses make informed decisions about the locations they want to expand into. There will be a large number of drivers for this, much wider than just privacy considerations. However from a privacy perspective, factors such as the political stability of the country, whether it has a robust legal system and the surveillance rights of law enforcement agencies, will all be important.
Additionally, it may be prudent to focus expansion efforts on countries that have achieved adequacy decisions and also ensure that data centres are located within adequate jurisdictions. Many of the technology giants now provide their customers with control over data residency and allow customers to opt for their data to be hosted just within the UK or EEA. Where a business is scaling globally, being able to offer the same data residency commitments to its own customers will be an attractive proposition.
Local law advice
As part of the process for deciding on new locations, the business should seek professional advice on local privacy laws, as well as the legal requirements for transferring personal data to the new jurisdictions.
If the international expansion involves setting up new group entities overseas, it will be important to implement an intra-group data transfer agreement to set out central group standards for the processing of shared personal data across different jurisdictions. If the new group entities will be located in countries without an adequacy decision, the UK entity exporting personal data to them will need to carryout transfer risk assessments and incorporate standard data transfer clauses into the intra-group agreement.
Engaging personnel overseas
Under UK data protection law, if a UK company is transferring personal data to its own overseas employees this is not considered a restricted international transfer. This is because the employee is part of the UK organisation and so the data is not deemed to leave that UK organisation.However, the business will still need to implement robust security measures which properly account for the remote overseas data access.
In comparison, if engaging overseas employees through group entities that are established in other jurisdictions, sending personal data to those employees will be a restricted international transfer outside of the UK entity and international data transfer rules will apply.
Additionally, engaging contractors located in other jurisdictions may (depending on the factual circumstances) be a restricted international transfer, as the contractor is a distinct entity and so any personal data transferred to them would be leaving the UK organisation.
Finally, businesses will also need to consider local privacy laws (as well as other employment laws) that apply when engaging personnel in other jurisdictions. This is another reason why local law advice is essential and why many businesses hiring internationally are doing so via an “employer of record” that streamlines and simplifies global employment.
Although navigating applicable privacy laws and the rules governing the international transfer of personal data is a challenge for any business scaling internationally, doing so successfully creates opportunities. It enables a business to demonstrate to its customer base and workforce that it has scaled responsibly and that protection of privacy rights is high on its agenda. In turn this will build trust and confidence in the business and improve its global reputation.