Data's coming home: the proposed future for international transfers under the UK GDPR
On 11 August 2021, the Information Commissioner's Office ("ICO") published a consultation on its long-awaited draft guidance for international transfers of personal data ("Guidance"), and associated transfer tools. These tools are relevant to anyone transferring or receiving personal data subject to the UK GDPR and come in the form of a transfer risk assessment ("TRA") and an international data transfer agreement ("IDTA"). These will be the new UK equivalents of the European Transfer Impact Assessment ("TIA") and Standard Contractual Clauses (SCCs). The use of UK-specific acronyms may demonstrate that the ICO is seeking to take its own path after Brexit. Alongside these documents, the ICO also published a UK addendum to allow use of the European Commission’s own SCCs in a UK context ("Addendum").
What has been published?
The TRA tool is designed to assist organisations in conducting risk assessments of their international personal data transfers, following the requirements set out in the Schrems II case. The tool utilises a three-stage process for assessing transfer risks, as follows:
- Assessing the circumstances of the specific transfer.
- Assessing whether the IDTA would be enforceable in the country where the personal data is being sent.
- Assessing whether there is appropriate protection for the personal data against third-party access.
Each of these steps is accompanied by guidance and flow charts to help make the assessment in practice. The TRA is not intended to be mandatory, as organisations are also free to use their own methods to assess risk, but offers useful guidelines as to the ICO's expectations.
The IDTA is proposed to be an approved, standard form safeguard under the UK GDPR – the equivalent of the old SCCs or "model clauses". It is composed of four main sections:
- Tables to include specific information about the restricted transfer in question;
- Provision for extra protection clauses;
- An option to include commercial clauses; and
- A set of mandatory clauses which must always be included.
The Addendum is designed to be used alongside the European Commission SCCs, to allow them to be used to safeguard a transfer under the UK GDPR, instead of the IDTA. It makes limited amendments to the EU SCCs to make them work in a UK context. The consultation also indicates that the ICO may consider taking this approach with other jurisdictions' standard data transfer clauses too, in a business-friendly move. This will be welcomed by multi-national organisations that wish to streamline their international transfers documentation.
Why are they necessary?
In general, these draft tools seem to indicate that the ICO is keen to take advantage of its ability to carve its own path after Brexit: they are designed to help organisations navigate international transfers subject to the UK GDPR in as simple a manner as possible.
In particular, the TRA provides an approved format for carrying out the required risk assessments when making transfers of personal data to countries that have not been granted adequacy status under the UK GDPR.
The ICO's proposed documentation also clarifies the UK's position in relation to the European Commission's new SCCs, which were published in June. The EU SCCs will not automatically apply in the UK following Brexit and the draft IDTA is the UK's proposed alternative. Currently, the approved contractual safeguard for exports of data from the UK is the old version of the EU SCCs, which are now being phased out for EU GDPR purposes.
The ICO has also addressed the immediate question facing organisations subject to both the EU and UK GDPR: will they need to implement both the EU SCCs and the UK IDTA? The Addendum means that this is not the case, allowing organisations to choose to adapt those EU SCCs to work in the context of UK transfers, should they not wish to use the IDTA.
What are our initial takeaways?
The TRA sets out a more nuanced approach to risk assessments than similar guidance published by the European Data Protection Board ("EDPB") earlier this year.
In particular, the TRA encourages a holistic assessment of all risk factors. For example, the TRA is clear that transfers should only go ahead where the destination's regime is sufficiently similar to the UK's, the risk of third-party access is minimal, or the risk of harm to data subjects is low even in the event of third-party access. Organisations may therefore be able to conclude that the risk of harm to data subjects is low, and the transfer therefore acceptable, even where there is a risk of third-party access, for instance if the duration of the transfer is limited or the data itself is low risk. In comparison to the EDPB guidance, this provides a more pragmatic approach to scenarios in which third-party access cannot be ruled out but all other risk factors are low or non-existent.
IDTA vs EU SCCs
The structure of the draft IDTA is very different to the EU SCCs. It does not contain modules and it does not include all transfer scenarios – e.g. processor to controller transfers are not covered. Organisations that are subject to both the UK GDPR and EU GDPR are likely to want to minimise duplication of work. As a result, we think organisations are likely to rush to use the EU SCCs (plus UK Addendum) initially, particularly where organisations are already taking steps to introduce the new EU SCCs.
However, the IDTA appears to be a pragmatic document and companies should carefully consider whether it offers a more commercial solution to safeguarding restricted transfers than the EU SCCs.
What are we still waiting to understand?
The consultation asks some fundamental questions which shed light on the areas of the UK GDPR that the ICO considers need clarification in connection with the IDTA.
The most notable lines of questioning are around who is subject to the UK GDPR under Article 3, whether a "transfer" is a jurisdictional or a territorial concept, and what a "restricted transfer" requiring safeguards under Chapter V of the UK GDPR actually means. In particular, the ICO is consulting on whether to retain its current guidance, which says that a restricted transfer only takes place where the importer's processing of the personal data is not subject to the UK GDPR.
What are the next steps?
Following the consultation, the ICO will produce final documents to be laid before Parliament for approval. There will no doubt be plenty of responses, given some of the fundamental questions raised in the consultation about the scope of UK data protection law.
It is proposed that the IDTA would come into force 40 days after it is laid before Parliament. The old EU SCCs would be disapplied for use in new transfers under the UK GDPR three months thereafter, and use of all old EU SCCs in ongoing transfers would need to cease 21 months after that. This will allow organisations three months to introduce new transfer safeguards before transition to the ICO's model for transfers is required, and two years to eradicate reliance on the old EU SCCs altogether.
The consultation is open until 7 October 2021, and responses can be submitted by completing the consultation paper and questions and sending them to IDTA.email@example.com.