The United Kingdom Information Commissioner’s Office (ICO) recently launched a consultation regarding the transfer of personal data outside of the U.K. The ICO is seeking comment on its draft international data transfer agreement and related guidance.
This consultation follows the U.K.’s departure from the European Union. Although the U.K. left the EU’s legislative framework, it adopted the General Data Protection Regulation into domestic law (to become the so-called U.K. GDPR), so many of the same principles apply to data protection in the U.K. post-Brexit.
Under the EU GDPR, transfers of personal data from the European Economic Area (EEA) are not permitted unless certain safeguards are met to ensure that data subjects are afforded a level of protection similar to that granted under EU law. In June, the European Commission (EC) adopted a new form of Standard Contractual Clauses (the New SCCs) following the Schrems II [1] case before the Court of Justice of the European Union, which invalidated the EU-U.S. Privacy Shield and required further safeguards to be implemented by parties to SCCs (summarized in our previous alert).
The position of data transfers from the U.K. to outside of the U.K. has been less certain because the EC’s New SCCs have not been formally recognised as a valid data transfer mechanism under the U.K. GDPR. Nevertheless, the U.K. GDPR still requires safeguards ensuring that data subjects are afforded a level of protection similar to that granted in the U.K. In practice, this requires use of the “old” EU SCCs as appropriate safeguards for transfers from the U.K.; U.K. data protection law adopted those SCCs post-Brexit and continues to recognize them for the time being. The consultation is a response to this uncertainty and an indication of the U.K. ICO’s desire to adopt its own distinctive regulatory approach and mechanisms.
In the consultation, the ICO proposed:
- Its own form of the New SCCs, to be called the International Data Transfer Agreement (IDTA)
- A draft U.K. Addendum to the EC’s New SCCs (to validate their use for U.K. data transfers)
- An international transfer risk assessment tool
- A general consultation on updated guidance on international transfers.
The IDTA is a new agreement that is intended to replace the U.K. version of the EC SCCs. The IDTA is set out in the following format:
- Tables, outlining the particulars of the data transfers
- Extra Protection Clauses, where any supplementary measures needed (as flagged by the Transfer Risk Assessment) are set out
- Commercial Clauses, where any linked agreements are set out
- Mandatory Clauses, which are mandated by the ICO and cannot be amended.
The IDTA (other than the Mandatory Clauses) can be amended to suit particular circumstances for data exporters and importers (by deleting irrelevant sections as necessary) and more than two parties can use the agreement. Parties can also nominate one party to be their decision-maker. Although sections can be deleted, the IDTA can be signed “as-is,” even if some sections do not apply to everyone, making the drafting of the IDTA easier. Additionally, the IDTA can be used even if the data importer is directly subject to the U.K. GDPR. Liability under the IDTA is placed fully on each party for the entire damage suffered by an individual, unless the party can prove it was not responsible for the damage.
Draft Addendum to EC SCCs
As noted above, the EC SCCs cannot currently be used for data flows outside of the U.K. As a result, businesses that have valid EC SCCs in place have had to prepare alternative forms of the data transfer agreement for transfers from the U.K. (the so-called U.K. SCCs) and transfers from the EEA (using EC SCCs), adding to businesses’ costs and the complexity of their data flows.
The consultation proposes a simple solution. The draft Addendum adapts the EC SCCs so that any reference to the EU is replaced with the relevant U.K. equivalent (i.e. “Union”, “EU”, “EU Member State” are all replaced with “U.K.”). This Addendum is very short (four pages) and is relatively easy to understand. It also allows some flexibility in how it is executed or drafted, as long as the high threshold for safeguarding data is maintained.
This proposal would clearly be a positive development for international businesses which transfer data from both the EEA and U.K. A large number of those businesses are likely to simply use the EC SCCs for transfers from the U.K. to avoid the need to execute and manage two different forms of agreement.
The Transfer Risk Assessment Tool (TRA)
Under U.K. GDPR Article 24, a data controller must take into account “the risks of varying likelihood and severity for the rights and freedoms of natural persons” when deciding what measures to put into place. The Schrems II judgment (as mentioned above) entrenched the need for a risk assessment as part of any international data transfer.
When transferring data from the U.K. to another country, that country likely will not have identical laws and practices. The TRA tool is an attempt to provide guidance on how a controller should approach the laws of the other country, and the inherent risk in transferring data to another country.
The TRA focuses on two aspects of the laws and practices in other countries:
- Whether the IDTA will be enforceable in that third country
- Whether the destination third country’s data protection regime requires that the data importer gives a third party access to the data being transferred (as was the focus of the Schrems II judgment). “Access” could mean many things, including court orders requiring that an importer provide a copy of the data to a private or public organisation, or even surveillance by private or public organisations.
The TRA includes helpful examples on what constitutes low, medium and high-risk transfers; however, it is made clear that the TRA is only suitable for simple data transfers. If the transfer would be too high risk or too complex — for instance: the transfer requires a Data Protection Impact Assessment; more than one country’s data laws would apply; or the human rights record of the destination country would produce a high risk for data subjects — then a more detailed risk assessment should be undertaken.
General Consultation Guidance on International Transfers
In addition to the consultation on the TRA, IDTA and the draft U.K. Addendum, the ICO is also asking for opinions on two other key areas:
- Extra-territorial effects under Article 3 U.K. GDPR
- Interpretation of a “Restricted Transfer” under Chapter V U.K. GDPR
Extra-territorial effect under Article 3 U.K. GDPR
How Article 3 is interpreted will impact on the definition of a “restricted transfer”. The ICO asks for input on the following scenarios (in each case asking for views as to whether they would, by default, be subject to the U.K. GDPR, or whether it would depend on the specific circumstances):
- An overseas processor of data who processes data on behalf of a U.K. controller
- An overseas processor of data who processes on behalf of an overseas controller who is subject to U.K. GDPR under Article 3(2) (which has extra-territorial reach where the overseas controller is offering goods or services to, or monitoring the behaviour of, individuals in the U.K.)
- A foreign joint controller of data (where the other joint controller is subject to the U.K. GDPR).
The ICO gives the pros and cons of each approach, and an indication of its current thinking on each matter.
Interpretation of “Restricted Transfer” under Chapter V U.K. GDPR
The ICO consultation seeks views on some nuances that remain to be worked out and whether there are restricted transfers (and therefore requirements for additional safeguards) in the following scenarios:
- Whether a restricted transfer requires a transfer from one legal entity to another, so that a transfer out of the U.K. within a single company (for example, an employee taking a laptop out of the U.K. or sharing data with an overseas branch) would not constitute a restricted transfer.
- Where a U.K. GDPR processor and a non-U.K. GDPR controller transfer personal data to the processor’s own overseas sub-processors (and whether safeguards would be required where the processor returns data to its non-U.K. GDPR controller or sends it on to a separate overseas controller or processor).
- Where processing by a data importer is not governed by the U.K. GDPR. The New EU SCCs are not valid for transfers of personal data where the importer’s processing is already subject to the EU GDPR under its extra-territorial limbs (resulting in some uncertainty as to what (if any) safeguards are required in such circumstances). This is the position which the U.K. ICO has also taken, to date, although the consultation notes that the U.K. ICO may revise this view and require safeguards to be implemented even if the U.K. GDPR applies to the data importer.
These issues have exercised data protection professionals for a while and have practical implications for safeguards that organizations will need to implement in these situations. The ICO is addressing the practical realities of the U.K.’s data protection legislation regime now that the U.K. has left the EU and is taking its own distinct approach on a number of issues. The ICO’s draft documentation is relatively practical and user-friendly in a number of areas, which businesses are likely to welcome.
Organisations which operate in both the EU and U.K. (a large number of U.S. businesses among them) will need to assess and digest the two similar but divergent regulatory regimes. Businesses operating predominantly in the EU will likely want to align their U.K. compliance in respect of international data transfers as closely as possible to the EU model, and therefore the draft Addendum to the EC SCCs is likely to be welcomed. However, the next few weeks and months will likely see some further points of divergence, requiring adjustments to be made to European compliance programs.
[1] Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) (Schrems II)