ICO Consultation on new International Data Transfer process
The UK Information Commissioner’s Office (ICO) recently opened consultation on its new post-Brexit documentation for restricted transfers of personal data to countries outside the UK.
Currently the ICO defines data transfers as "restricted" if:
the UK GDPR applies to the personal data you are transferring;
you are sending data to or making it accessible by a receiver (to whom the UK GDPR does not apply) OR (located in a country outside the UK); and
the receiver is a separate company or individual (including another company in the same corporate group).
Under the UK GDPR, you cannot make a restricted transfer unless:
it is to a country covered by UK adequacy regulations or;
an exception covers the transfer or;
you make it with appropriate safeguards.
The new proposed documentation represents one of the appropriate safeguards referred to above and will be the tool used by most companies.
The European Union recently adopted new Standard Contractual Clauses (SCCs) and the ICO, rather than adopting these and adapting them for the UK, has decided to do its own thing and produce what they are calling International Data Transfer Agreements (IDTAs). In common with the EU approach following last year’s Schrems 2 ruling, the ICO are also proposing that a Transfer Risk Assessment (TRA) be carried out to ensure that the importing country’s laws and practices don’t impinge on the IDTA clauses. Both the IDTA and the TRA differ in several respects from the EU documents, meaning that many companies will need to grapple with 2 different sets of documents, and to an extent 2 different processes, although if you read on you will see that there may be a simpler route.
Transfer Risk Assessment
Under the new proposals the ICO are requiring organisations to conduct what they term a Transfer Risk Assessment. This must be carried out before entering into an IDTA and is very similar to the exercise required by the EU following the Schrems 2 ruling. Essentially the aim of the TRA is to see whether the IDTA will be sufficient on its own or whether additional safeguards need to be put in place. The Schrems 2 ruling invalidated the Privacy Shield as a mechanism for the transfer of personal data to the US from the EU. The ruling further said that whilst SCCs are still valid, they are required to provide a level of protection that is “essentially equivalent” to the protection offered by the GDPR. An assessment must therefore be carried out in order to ensure this is the case, with particular reference to the laws of the importing country, especially in respect of government access to the personal data of overseas individuals. The two fundamental points in doing the assessment are to determine whether the IDTA will be enforceable in the importing country, and to establish whether the regime allows for third parties to have access to the data being transferred.
The ICO seems to be taking a pragmatic view. Indeed, the EU had some concerns when determining the UK’s adequacy, about our own government agencies’ surveillance laws, and possibly for this reason the ICO go to great lengths to stress that such a regime is no bad thing, given that, for example, UK security forces being able to access such data helps to keep us safe. Rather, the ICO focusses not on whether such laws exist, but more on whether there are safeguards in place in that country “which are sufficiently similar in their objectives to the principles which underpin UK laws”. They also state that you only need to look at the parts of the regime that directly relate to your specific transfers.
The kinds of elements we are required to consider include, amongst others, the type of personal data transferred; categories of data subject; industry sector; purpose of the transfer; technical and organisational security; whether the data will be forwarded to other third parties; laws of the importing country; human rights record etc. The ICO offer a template for the TRA and a TRA tool together with detailed guidance, but stress that the format of the TRA can be changed so long as it covers all required elements.
The TRA tool consists of 3 steps (as opposed to the 6 steps recommended for the EU SCCs) and offers a list of questions as well as useful tables and guidance. Step 1 involves assessing the transfer to confirm that the tool is suitable for your restricted transfer and that the transfer meets other UK GDPR obligations such as the Article 5 principles. Step 2 involves an assessment to determine whether the IDTA will be enforceable in the importing country, and if you think it is then you can move to Step 3. If there’s doubt about the IDTA’s enforceability, however, you must conduct a supplementary risk assessment to determine the likely level of potential harm to individuals. Step 3 involves assessing the importing country’s regime for regulating third-party access to personal data, including surveillance. If the destination country’s regime is similar enough to the UK regime, or if there is only a minimal chance of third-party access happening, or if the risk of harm to data subjects is low even if third-party access (including surveillance) did take place, then the transfer can go ahead. I see this as being a little more flexible than the EU position.
International Data Transfer Agreement
Below are a few of the key features in the proposed IDTA, as well as some of the variances from the new EU SCCs:
The EU SCCs are modular with 4 optional sets of clauses – Controller-Processor, Controller-Controller, Processor-Controller and Processor-Processor. The proposed IDTA is not modular: it has no modules but can apply to various relationships, though I can’t see any reference to Processor-Controller.
The EU SCCs require the parties to demonstrate compliance and exporters to make documents available to importers where required. The ICO documents additionally state that copies of the IDTA and TRA must be submitted to the ICO on request.
The IDTA is split into 4 parts as follows:
Part 1: Tables – these need to be completed with information such as the parties, types of data to be transferred, purpose, and the security measures taken
Part 2: Extra protection clauses - which you may (or may not) need to add in order to increase the level of protection
Part 3: Commercial clauses – these may be added, but you may not need to do so if, for example, you already have a service agreement with data protection clauses, or a data processing agreement, in place. If you choose not to add any commercial clauses here, you are permitted to delete references to them in the mandatory clauses. With any added clauses it’s really important to ensure they don’t conflict with the mandatory clauses or in some way reduce the level of protection.
Part 4: Mandatory clauses – these clauses cannot be changed other than for a few exceptions, such as deleting references to sections that do not apply or where there are more than 2 parties to the contract. Full details are given in the guidance.
One notable and welcome initiative, which if adopted will potentially be well received by business, is the potential to use an Addendum to the EU SCCs instead of the IDTA in order to make them compliant with the UK regulation. This will mean that companies can continue to use the current EU SCCs but complement them with this Addendum. A TRA will still be required, of course.
An interesting feature of the consultation document is that the ICO are requesting feedback on the interpretation of Chapter V of the UK GDPR in respect of what constitutes a ‘restricted transfer’. Article 44 of the UK GDPR states that:
“Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.
The ICO are suggesting a possible option whereby the above wording can be interpreted to mean that a transfer between branches of the same legal entity would not constitute a restricted transfer. Such a transfer would still be required to adhere to GDPR principles but would not be required to adhere to Chapter V requirements.
There’s also lengthy discussion in the consultation document regarding a point raised (and often debated) in the new EU SCCs, which is whether the importer needs to be subject to the UK GDPR in order for a transfer to be a restricted transfer. Article 3.1 states that:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the United Kingdom, regardless of whether the processing takes place in the Union or not”
Current ICO guidance states that “A restricted transfer only takes place where the importer’s processing of the data is not subject to UK GDPR. If the importer is already required to process the data in accordance with UK GDPR, no additional Chapter V protection is needed. For example, the exporter will not need to carry out a Schrems II risk assessment (such as a TRA) nor put in place an Art 46 transfer tool (such as an IDTA).”
So, for example, the ICO asks in its consultation document whether, if a UK controller whose processing is regulated by the UK GDPR uses an overseas joint controller, the joint controller’s processing is inevitably governed by the UK GDPR, or whether that would only be the case in certain circumstances. How do we define “in the context of the activities…” under Article 3? Could there be examples of an overseas joint controller processing data that is not in the context of the activities of the UK controller, and if this is the case, does the wording of the UK GDPR need to change to reflect this? The ICO is asking for comment and potential examples.
A similar question is asked regarding the wording of Article 3.2, which governs the nature of processing that is covered by the UK GDPR. Article 3.2 states that the UK GDPR applies to processing where it relates to:
“the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union;
the monitoring of their behaviour as far as their behaviour takes place within the Union”
So, the ICO asks again whether processing by a controller’s overseas processors is inevitably governed by the UK GDPR. Do the processor’s processing activities inevitably also relate to the offering of goods or services to people located in the UK, or to monitoring people located in the UK? Again, they suggest that the UK GDPR wording may not be explicit. And there are other similar examples upon which the ICO asks for feedback.
My interpretation of the consultation paper, rightly or wrongly, is that following Brexit the ICO are looking in detail at the text of the GDPR in respect of this really important aspect of commercial activity, i.e. international business, and trying to take a pragmatic approach, even if this means making some minor changes to the regulation, in order to simplify the process. However, inevitably this process, along with the EU SCCs for many companies, requires a lot of thought and a great deal of work. Issues such as assessing destination countries’ legal regimes in respect of access to data, surveillance, legal recourse for individuals etc. take time, and although both parties should, and in fact must, collaborate, all this can sometimes cause stress within international relationships.
New data protection laws are springing up all over the world, many closely based upon the GDPR. The UK government is seeking to adopt adequacy decisions for other countries, which will alleviate the need for transfer tools. Whether the UK and US can come up with a solution that overcomes the Schrems 2 issues and keeps the EU on side, so as not to jeopardise the UK’s own adequacy, is another question, but if they can pull it off it would certainly make life a lot simpler for many businesses.
The ICO consultation closes on 7th October 2021, and full details plus links to the above documents and guidance are available here.
If you need help with your international transfers or with your general data protection compliance, feel free to get in touch for a no-obligation chat.
Nick Richards CIPP/E CIPM