International data transfers: one step forwards, two steps back?

International data transfers: one step forwards, two steps back?'s Tags

Tags related to this article

International data transfers: one step forwards, two steps back?

Published 15 May 2023

UK applies to join the Global Cross-Border Rules Privacy Forum

The UK has recently applied to join the Global Cross-Border Rules Privacy Forum as an associate. The UK will be the first jurisdiction to participate in the Global CBPR after it was established last year. The Forum was established last year to ‘promote interoperability and help bridge different regulatory approaches to data protection and privacy’.

The Forum aims to establish an international certification system based on the APEC Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems, which themselves aim to support the free flow of data and effective data protection.

Those countries which are members of the CBPR systems with whom the UK does not have an adequacy agreement include the United States, Australia, Mexico and Mexico.

The CBPR was highlighted in the parliamentary discussions on the DPDI (No.2) Bill as “one of the few existing operational mechanisms that, by design, aims to facilitate data flows on a global scale.”  It is possible that the power which will rest with the Secretary of State to make regulations could result in frameworks such as the CBPR being recognised as capable of securing the data protection test necessary for an alternative transfer mechanism.

With the web of jurisdictional requirements regarding international transfers of data growing ever more complex, global arrangements of this nature are now being considered as the solution. Of course, the success of such arrangements relies on their take up.

EU - US Data Privacy Framework

As the future of the EU-US Data Privacy Framework is considered, all eyes will be on the expected decision of the Irish Data Protection Commissioner in relation to data transfers by Meta, the parent company of Instagram and Facebook.

By way of reminder, in December 2022, the European Commission launched the process to adopt an adequacy decision for the new EU-US Data Privacy Framework. The adoption process involves obtaining an opinion from the European Data Protection Board ( EDPB”) and the approval of a committee composed of representatives of EU Member States.

In February, the EDPB adopted its opinion on the draft Framework. The EDPB welcomed “substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for U.S. intelligence gathering of data and the new redress mechanism for EU data subjects.” However, clarification on various issues was been sought and issues referred back to the Commission for consideration when the final text of the adequacy decision is being prepared. These issues relate to certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the new redress mechanism for EU data subjects. In addition, it was recommended that following the first review of the adequacy decision, that subsequent review of the decision should be undertaken every three years, with EPDB contributions if necessary.

The EPDB are not the only EU body with concerns about the current iteration of the Framework. The Civil Liberties Committee of the European Parliament issued a non-binding resolution on 13 April requesting that the Commission not grant the adequacy decision due to concerns that the current form would not survive a challenge similar to Schrems II.

Once the final text is prepared, it will be referred to the committee of EU Member States Representatives for approval. 


Jade Kowalski

Jade Kowalski

London - Walbrook

+44(0)20 7894 6744

Stuart Hunt

Stuart Hunt

London - Walbrook

0161 934 3216

< Back to articles