The ICO’s long-awaited guidance on how organisations can manage transfers of UK data to receivers outside the UK has arrived. What does it say about the direction this government may want to take on data protection reform?
It will take time for advisers and users to digest but it’s instructive to take an early tour and try to guess what will prove useful and what are the new bones of contention.
Here to help
There are some potentially helpful pieces, and the guidance shows an understanding of some central problems.
The guidance attempts to describe who should be carrying out restricted transfers and makes clear that this may not always be the controller. In doing this, it makes some heroic attempts to set out some of the more complex processing scenarios - more thoughts on this later.
There’s no change to the central requirement for transferors to carry out transfer risk assessments (TRAs). But we have a useful steer that transferors must repeat TRAs down a supply chain but may rely on existing TRAs across different suppliers where the context is the same.
Also welcome is the very clear walk-through of the eight exceptions to the requirements for Article 46 transfer mechanisms such as standard contractual clauses (SCCs).
Settling the score
The ICO has also cleared up (at least at guidance level) a few ongoing debates which will bring welcome clarity to privacy professionals.
First, there is the ongoing debate about data flows through third countries where there is no access to the data. It is clear from the guidance that the key consideration is which entity is receiving the data from a contractual point of view, so it is not a restricted transfer if you are sharing personal data under a contract with a UK service company, even if the data flows from you to that service company’s processor which is located outside the UK.
Another interesting clarification is that data which is not under the UK GDPR rules at the point of transfer, because it is unstructured, may become subject to the transfer rules if the receiving importer puts the unstructured data into digital form or provides it with structure.
‘Initiated and agreed’
As we’ve said, a huge challenge when tackling compliance with the rules on international data transfers is understanding who bears responsibility for conducting TRAs and the associated contractual legwork, and when to conduct them. The responsibility does not necessarily match the division between controllers and processors.
The test proposed here is that it is the entity which “initiated and agreed” the transfer which is responsible for the transfer. This is not an easy test to unpick: initiating something, and then agreeing to it, feel like separate roles not always taken by the same party.
A hot potato
Cynics might see an attempt here to make processors likelier to be the party responsible for making restricted transfers – and therefore responsible for the associated costs and risks. On the other hand, perhaps it does capture a central idea: that it is the party who “wants” to send data to a third party outside the UK which has to do the hard stuff.
In the real world this can get complex: for example, if the controller exercises its power of veto over new sub-processors, or even imposes its own, at what point might it retake control to the extent that it has “initiated and agreed” any resultant new transfer?
Interestingly, the guidance is that a processor cannot make restricted transfers to its own controller who initiated the original transfer to the processor. This does knock the ‘return to sender’ issue on the head directly, but also raises questions about exactly when processor-to-controller restricted transfers may come into play.
We have been promised reductions in balancing and other tests which organisations have to carry out in analysing the risks of their data processing activities, but here we have some more. In particular, there are the tests for deciding whether an organisation can rely on any of the derogations in Article 49, or whether it is more “necessary and proportionate” to use an Article 46 mechanism (probably SCCs plus a TRA), where the TRA may end up demonstrating that you need to use the Article 49 “derogations” route for part of your transfer anyway.
So one way or another, organisations may end up effectively carrying out every test. Given the proliferation of tests, it’s not hard to see why bearing responsibility for transfers is such a hot potato.
All the more so, since the ICO’s own contractual transfer mechanism, the International Data Transfer Agreement, goes further than the European position by requiring exporters to provide copies of any TRA to importers on reasonable request. It may be a hefty file.
Human rights and wrongs
One key change in the guidance is about how to approach transfer risk assessments. The ICO gives the nod to a different approach from that of the European Data Protection Board: instead of an exercise focussed on investigating the laws of an importing country to test their suitability to receive data, you can take a different perspective and look at factors relating to the likelihood of a human rights breach in the destination country.
Put simply, if you are “no worse off” sending the data abroad than you would be if it stayed in the UK, then the transfer can go ahead.
There is an interesting change of emphasis here, which would appear to have two aims: first, ensuring that the US will pass the tests, by steering objections away from the - possibly theoretical, but still obstructive - perils of mass surveillance, and towards specific dangers perceived in countries which we are more comfortable in viewing as having poor human rights records.
Second, trying to steer the ship away from the need to instruct a fleet of international advisers to give you chapter and verse on obscure rules of enforcement in several overseas territories. And the emphasis on a pragmatic approach continues, with the ability to self-identify as an ‘SME’ rather than a ‘large organisation’ permitting fewer steps.
While there may be some politics at play, it is at least a credible attempt at an alternative to the difficulties posed by the EDPB approach.
The ICO gives us a new tool which you may use to assess the risks posed by a particular international transfer. It’s not really a “tool” - which suggests a series of “yes/no” questions, and at least some degree of automation - but in fact another risk assessment framework, set out as a series of questions and matrices.
As an exercise in simplification, it may not be an unqualified success – with 41 pages of cross-referenced material to consider.
Risk categorisation – a dangerous departure?
The Appendix to the TRA tool contains an interesting attempt to categorise types of data as inherently ‘risky’ or ‘less risky’ – with the effect that the transfer of “less risky” data will be fine, even to a country with fewer controls over the use and protection of data.
It’s clearly aimed at facilitating data transfer wholesale for certain sectors, but the categories include some obvious over-simplifications. For example, given that gender, biometric data and health data are acknowledged high risk, it’s hard to see why data relating to “current marriage and partnerships” is only medium, or why ‘habits’, ‘travel details’ and ‘leisure activities’ are all lumped together as low risk – when these are vague and may include potentially incriminatory material. The same goes for ‘membership of charitable organisations’, ‘security records’ and ‘goods and services supplied’: why so, when the level of risk is obviously context-dependent?
The system sits next to the long-established principles of ‘special category’ data but it’s not entirely clear how the two are meant to interact. This feels like a potentially dangerous development.
The UK government’s mantra has always been that we need a “simplified” approach to data protection. The opportunity to diverge from the EU laws temptingly presented by Brexit means the beginnings of a new direction of travel and there are clear indicators here of how the government may try to sweep away barriers to transfer.
Many organisations will continue to follow the EU guidance as they want to operate outside the UK and need to design a system which will comply with more stringent EU data requirements. Introducing a new suite of concepts and alternative approaches just for the UK may not feel as if it’s making anything any easier.
There’s much food for thought. The sheer complexity of supply chain relationships and the new guidance means that getting sound, strategic advice on how to transfer personal data compliantly will continue to be paramount.