The Information Commissioner's Office (the ICO) launched a consultation on 11 August 2021 on "how organisations can continue to protect people's personal data when it's transferred outside of the UK", which is due to close on 7 October 2021.
This consultation was expected to start immediately following the ICO's announcement on 5 May 2021 that it was working on a new UK version of the European Commission's new Standard Contractual Clauses (the EU SCCs) and that the EU SCCs could not be used to legitimise transfers of data outside the UK.
Once the EU SCCs were finally adopted on 4 June, the wait began for many international organisations acutely aware of the potential complexities likely to arise from the use of two different sets of SCCs, one applying to data transfers outside the EEA and the other to transfers outside the UK.
In the end, the anticipated UK SCCs did not materialise, as the ICO seems intent on departing from the EU model of SCCs and introducing its own data transfer toolkit, in line with the UK being a third country able to carve out its own rules. The ICO has taken a somewhat more innovative approach in its proposed data transfer rules, which are perhaps designed to be closely aligned not only with the EU SCCs but also with other model contracts for cross-border data flows, such as the Model Contractual Clauses adopted in New Zealand, the model clauses under review in Hong Kong, or the ASEAN (Association of Southeast Asian Nations) model clauses, albeit these are all intended to be non-binding.
Scope of the Consultation
The ICO consultation includes a three-part data transfer suite of proposals and options, as follows:
- Proposal and plans for updates to guidance on international transfers.
- Transfer risk assessments (TRAs).
- The international data transfer agreement (IDTA).
Understandably, the focus for many international businesses will be to understand the proposed updates to the guidance on international transfers (Section 1), the proposed methodology applicable to TRAs and the new TRA tool (Section 2), and the benefits of the proposed draft IDTA and its guidance in lieu of UK SCCs (Section 3).
SECTION 1 - PROPOSAL AND PLANS FOR UPDATES TO GUIDANCE ON INTERNATIONAL TRANSFERS
The ICO is seeking input on a number of issues relating to the applicability of the UK GDPR to the transfer of personal data and in particular on the interpretation of the extra-territorial effects of Article 3 of the UK GDPR. It is looking for views on:
- whether a processor of a controller under UK GDPR is always covered under Art 3(1) and Art 3(2) or whether it will depend on the circumstances; and
- whether an overseas joint controller is always covered by UK GDPR Art 3(1) or whether it will depend on the circumstances.
It is worth noting that the ICO is seeking evidence to reconsider its current position that a transfer to an entity which is directly subject to the UK GDPR in accordance with Article 3(2) does not constitute a restricted transfer.
The ICO is also seeking comments on the interpretation of Chapter V of the UK GDPR and Article 44 in particular:
- whether for a restricted transfer to take place, there must be a transfer from one legal entity to another;
- whether a UK GDPR processor with a non-UK GDPR controller will only make a restricted transfer to its own overseas sub-processors; and
- whether processing by the importer must not be governed by UK GDPR.
The consultation then further seeks feedback on the derogations set out under Article 49 of the UK GDPR, in particular:
- Should exporters first try to put an appropriate safeguard in place before relying on a derogation?
- Should the requirements for those derogations to be “necessary” be interpreted as “strictly necessary”?
- To what extent may the derogations be relied on for repetitive transfers, regular and predictable transfers and systematic transfers?
The ICO is also seeking views on proposed guidance on how to use the IDTA (or other Art 46 transfer tools) in conjunction with the Art 49 Derogations.
THE TRA TOOL
The ICO is proposing a draft international TRA tool which organisations may use as a method to conduct a TRA for routine transfers.
The ICO is seeking views in particular on whether the TRA tool is practical or could be improved, on whether the underlying decision tree and the approach to risk are useful, and on whether the IDTA may be used where the risk of harm to data subjects is low.
THE DRAFT IDTA
The ICO invites comments on: (i) whether it provides effective safeguards for data subject rights; (ii) whether it is clear how to use the IDTA in conjunction with the TRA tool; (iii) whether organisations will use it, and whether a modular approach (such as in the EU SCCs) would be preferable; (iv) whether there should be an option to make changes to the Mandatory Clauses to remove sections which are not relevant; and (v) whether the ICO should produce an additional formal multi-party IDTA.
The ICO also proposes to include at Chapter 5 of the IDTA a number of guidance templates, such as optional TRA extra protection clauses, commercial clauses, a template to make changes to the IDTA, a multi-party IDTA and an example of a completed TRA and IDTA.
Finally, the ICO is considering issuing an IDTA in the form of an addendum to existing model transfer agreements from other jurisdictions, such as the EU SCCs, and is seeking comments on its proposed template Addendum that amends the EU SCCs to work in the context of UK data transfers.
SECTION 2 - TRANSFER RISK ASSESSMENTS
The ICO has produced a draft TRA tool (the TRA tool) to assist when completing the transfer risk assessment required following the Schrems II judgment of the Court of Justice of the European Union (Schrems II). It is made available as an optional tool, as the ICO recognises that other transfer assessment methods may be used.
The TRA tool may be used to assess a routine restricted transfer, as opposed to a high-risk restricted transfer, when relying on any of the transfer tools under Article 46, such as BCRs or the IDTA.
The TRA tool is based on three steps instead of the six-step roadmap in the European Data Protection Board's Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted on 18 June 2021 (the EDPB Supplementary Recommendations).
Overall, the three steps closely mirror the EDPB Supplementary Recommendations but provide more granular guidance and examples, as follows:
Step 1: Assessing the transfer
The TRA tool is particularly helpful in highlighting the importance of mapping out data flows and the specific circumstances of the transfer, as well as in identifying cases where the restricted transfer may be too high-risk or complex for this tool. It provides a reminder of all the UK GDPR requirements which need to be met prior to undertaking a restricted transfer.
Step 2: Is the IDTA likely to be enforceable in the destination country?
The ICO facilitates the analysis required under this second step by providing a set of tables guiding the assessment, including:
- Table A on the enforceability of contractual safeguards in the destination country;
- Table B on assessing the overall risks to data subjects arising from the specific circumstances of the transfer, caused by concerns over the enforceability of the IDTA; and
- Table C on the types and levels of measures to supplement the IDTA safeguards.
Based on the response to Table A, if the assessment of the recipient country's laws does not challenge the protections set out in the IDTA, then the supplementary risk assessment set out under Table B will not be needed.
The ICO helpfully provides guidance to help assess when the risk of harm to data subjects may be considered low, moderate or high. Table B gives examples of certain categories of data subjects and relevant types of data which may indicate a likely level of harm.
Finally, Table C provides a non-exhaustive list of additional steps and protections against potential risks which may be taken, together with guidance on the likelihood that they will help reduce the risk of harm to data subjects. They reflect the additional technical, organisational or contractual supplementary measures recommended by the EDPB and are referenced according to the risk reduction levels they are meant to achieve, ranging from basic and enhanced to significant.
The aim of a TRA is to assess whether the applicable local laws and practices of the recipient country of the Transferred Data may override the protections afforded by the IDTA. Such protections allow the data subjects of the Transferred Data to benefit from a level of protection similar to that enjoyed in the UK.
The outcome of the TRA is to help determine whether a restricted transfer may proceed solely on the basis of the IDTA or if extra steps and protections may be required to legitimise the transfer. If no extra steps are likely to help, the fall-back position would be to consider other transfer tools or any of the derogations provided by the exceptions set out in Article 49 of the UK GDPR.
Step 3: Is there appropriate protection for the data from third-party access?
This final step is to assess the destination country’s regime for regulating third-party data access, including applicable surveillance laws.
The ICO provides guidance by way of a decision tree aimed at identifying:
- How similar the destination country's regime is to the UK's regime;
- How likely third-party access to the data is;
Table D on assessing the third-party access or surveillance regime helps to identify factors whereby third-party access rules (including surveillance laws) are likely to safeguard or undermine the rights of data subjects.
Table E on assessing the likelihood of third-party access or surveillance helps to identify a list of factors which may affect the likelihood of third-party access to or surveillance of the Transferred Data.
- Considering the circumstances of the transfer and the destination country's regime, what the risk of harm to data subjects is;
Table F on assessing the overall risk of harm to data subjects arising from the specific circumstances of the transfer caused by third-party access provides factors that may affect whether the risk level is deemed low, moderate or high.
- Whether you are able to take extra steps and protections to reduce the risk of harm to a low risk.
Table G on the types and levels of measures to supplement the IDTA safeguards provides a non-exhaustive list of measures which may help reduce potential harm to data subjects arising from third-party access, and includes a risk reduction scoring system for the measures, from basic and enhanced to significant.
Following the approach set out in the guidance, a restricted transfer may only go ahead if the risk of harm to data subjects is low even where third-party access may occur, using the IDTA together with the extra steps and protections identified.
SECTION 3 - THE INTERNATIONAL DATA TRANSFER AGREEMENT
The IDTA is meant to provide appropriate safeguards for restricted transfers when it is entered into as a legally binding contract. The IDTA Guidance explains that the IDTA may be linked to other agreements entered into between the parties, such as a service, data sharing or processing agreement (Linked Agreements). It does not mirror the structure of the EU SCCs and adopts a contextual approach, taking into account the TRA and the Linked Agreements.
The IDTA proposal includes guidance explaining how to use this new mechanism in accordance with Article 46 of the UK GDPR (the IDTA Guidance). The style of the IDTA Guidance is clear and accessible, with a step-by-step approach and the ambition to address a wide audience ranging from SMEs to multinationals.
DEFINITION AND SCOPE OF THE IDTA
The IDTA is defined as a contract which contains appropriate safeguards for a restricted transfer of personal data to a country outside the UK (the Transferred Data), including effective and enforceable data subject rights.
The IDTA Guidance replicates the ICO's prior definition of a restricted transfer, which takes place if:
- the UK GDPR applies to the personal data you are transferring;
- you are sending data to or making it accessible by a receiver [to whom the UK GDPR does not apply] OR [located in a country outside the UK]; and
- the receiver is a separate company or individual (including another company in the same corporate group).
This definition of a restricted transfer is itself open to consultation: the implication under Article 3 of the UK GDPR that a transfer to a receiver which may be subject to the UK GDPR under Article 3(2) may not be deemed a restricted transfer is not a conclusion shared by the guidance of EU Supervisory Authorities.
Clearly, the IDTA Guidance has been drafted taking into account the need to comply with Schrems II and the UK GDPR more generally, as it includes the need to complete a TRA prior to any restricted transfer.
The IDTA may be used in relation to data flows between a Sender/Exporter (subject to the UK GDPR and located in the UK or outside the UK) and a Receiver/Importer (being a separate legal person not subject to the UK GDPR or located outside the UK) in the following scenarios:
- Controller or Joint Controller and any party which is not its Processor, not subject to the UK GDPR or located outside the UK;
- Controller or Joint Controller and its processor;
- Processor and its Sub-Processor;
- Processor (with a UK GDPR Controller) and any party which is not its Controller or Sub-Processor;
- Sub-Processor and its Sub-Sub-Processor; and
- Sub-Processor (with a UK GDPR Controller) and any party which is not its Controller or Processor.
STRUCTURE OF THE IDTA
The IDTA is divided into four parts as follows:
- Part 1: covers the details to be completed about the parties, the restricted transfer, the Transferred Data and the security requirements.
- Part 2: lists extra protection clauses in the event the TRA has identified the need for such clauses.
- Part 3: provides the ability to insert commercial clauses.
- Part 4: includes mandatory clauses.
The mandatory clauses set out the obligations of both the exporter and the importer with respect to the transfer (Mandatory Clauses). In particular, they include provisions detailing the appropriate safeguards to implement with respect to the transfer, the obligation to comply with ICO requests, the obligations in case of a personal data breach, rules governing onward transfers and sub-processing, and data subject rights. Reflecting Schrems II requirements, they include rules governing third-party access to Transferred Data under local laws, liability, and the conduct of claims by individuals or the ICO before courts or arbitration (a proposed IDTA Arbitration Scheme).
As with the EU SCCs, the Mandatory Clauses must be included in full and may not be amended. If the IDTA is entered into by more than two parties, the Mandatory Clauses may be amended to accommodate a multi-party contract.
As with the EU SCCs, if any of the terms contradict each other, the IDTA must take precedence over the terms of any of the Linked Agreements.
THE UK ADDENDUM TO THE EU SCCS
The ICO is proposing the use of an IDTA for transfers from the UK in the form of an addendum to model data transfer agreements from other jurisdictions such as the European Commission, New Zealand and ASEAN. By way of example, Annex 3 provides a template UK Addendum that amends the EU SCCs to work in the context of UK data transfers (the UK Addendum).
The proposed recognition by the ICO of the EU SCCs, albeit predictable, will come as a significant relief for many multinational organisations operating in the UK and in the EU which may have harboured reasonable concerns about facing dual SCC regulations. Yet the consultation will no doubt determine whether there is sufficient consensus around the practicality of the proposed UK Addendum. If the UK Addendum ends up being adopted, one wonders what the fate of the IDTA will be, as in practice many multinational organisations will likely consider the use of the EU SCCs alongside the UK Addendum a simpler and more convenient transfer tool. Organisations may end up choosing between the IDTA as the main transfer mechanism, for organisations based in the UK or whose business mainly originates from the UK, and the EU SCCs, for organisations based in the EEA and whose business mainly originates from the EEA.
Clause 7 (Hierarchy) reflects a conscious effort by the ICO to ensure that the rights of data subjects may not be compromised by conflicting rules, as well as to accommodate any discrepancies between the Linked Agreements. It provides that, in case of conflict or inconsistency between the UK Addendum and the EU SCCs or other related agreements between the parties, the provisions which provide the most protection to data subjects shall prevail.
The ICO is firmly positioning this data transfer toolkit in the context of a multipolar data protection world which requires practical and flexible tools facilitating data flows and able to integrate easily with other countries' data transfer models.