Author: Hannah Pettit, Associate at Ashfords LLP
In our digital era, globalisation is an inevitable phenomenon. This is due to the internet playing an increasingly crucial role in our daily lives, enabling easy access to global content and services from across the world. As a result, expanding internationally has become a vital aspect of many businesses’ growth strategies, allowing them to capitalise on larger global markets. Additionally, the Covid-19 pandemic has led to a significant transformation in our work patterns. The adoption of remote working during this period has proven that physical location no longer hinders recruitment. Businesses are now empowered to consider the vast worldwide talent pool, with many companies’ operations now taking place across the globe.
Expanding internationally and engaging in cross-jurisdiction recruitment presents businesses with fresh challenges, due to the transfer of personal data across borders. Such transfers require careful consideration. Businesses venturing into new markets must navigate new privacy regulations governing the processing of personal data in relevant jurisdictions. On top of this, many privacy laws dictate rules for transferring personal data between countries, aiming to safeguard individuals’ privacy rights. Effectively managing compliance with these transfer rules is crucial for successful global expansion.
Under UK data protection law, businesses are restricted from transferring personal data to entities outside of the UK. Such transfers are allowed only (a) to countries that offer adequate protection for personal data (such as those within the European Economic Area (EEA)); (b) where appropriate safeguards have been implemented; or (c) where a specific exception exists.
Examples of appropriate safeguards are standard data transfer clauses. Before proceeding with an international transfer on this basis, the data exporter is required to conduct a transfer risk assessment to ensure the chosen safeguard provides a suitable level of protection.
There are also specific exceptions to the transfer rules, such as if transferring personal data in emergency situations or with the explicit consent of the data subject. However, these exceptions have limited scope and are unlikely to help businesses with their routine daily processing activities.
The UK government is aware of the challenges businesses encounter while attempting to establish suitable safeguards and conduct necessary transfer risk assessments. To take advantage of its post-Brexit independence, the UK is actively engaging in adequacy talks with new jurisdictions. When a country receives an adequacy decision, businesses gain the freedom to transfer personal data to that location without the need for additional safeguards or transfer risk assessments.
A strategic emphasis is placed on adequacy talks with locations that offer promising trade opportunities and where unrestricted personal data flows are highly desirable. There is a particular focus on discussions with emerging economies such as Brazil, India and Singapore.
When scaling internationally, businesses must make careful decisions about target locations. A wide range of factors, beyond just privacy considerations, should contribute to this decision-making process. But from a privacy perspective, certain aspects are paramount, for example the country’s political stability, the independence of its judiciary, and the surveillance rights granted to law enforcement agencies. It may be prudent to prioritise expansion efforts in countries that have already obtained adequacy decisions or ensure that data centres are situated, and data is ring-fenced, within adequate locations. Many prominent technology companies now empower their customers to control data residency, allowing them to choose data hosting exclusively within the UK or EEA. If a business is scaling globally, offering similar data residency commitments to its own customers is an attractive offering.
When deciding on locations for expansion, it is essential for the business to obtain professional advice on local privacy laws and the requirements for transferring personal data to the desired jurisdictions. In cases where international expansion involves establishing new group entities abroad, it is important to put in place an intra-group data transfer agreement. This agreement will define centralised group standards for processing shared personal data across jurisdictions. If the new group entities are situated in non-adequate countries, any entities exporting UK (or EEA) personal data to that country must conduct transfer risk assessments and incorporate standard data transfer clauses into the intra-group agreement.
Transferring personal data to overseas employees within the same UK company does not qualify as a restricted international transfer under UK data protection law. Since the employee remains part of the UK organisation, the data is not considered to leave the confines of the firm. However, the business should still implement robust security measures to appropriately manage remote overseas data access. On the other hand, when engaging overseas employees through group entities established in foreign jurisdictions, sending personal data to these employees will constitute a restricted international transfer, falling outside the purview of the UK entity. In such cases, international data transfer rules will apply.
Lastly, when hiring overseas personnel, businesses must also take into account local privacy laws that apply, along with local employment regulations. This highlights the importance of seeking local legal advice and explains why many international hirings are now facilitated through an “employer of record”, to streamline global employment.
Navigating applicable privacy laws and international data transfer rules presents challenges for any business expanding internationally, but a successful approach creates real opportunity. It allows a business to showcase responsible growth to its customers and employees, emphasising its commitment to prioritising privacy rights. This will foster trust and confidence in the business, ultimately enhancing its global reputation.