The UK’s data protection regulatory authority, the Information Commissioner’s Office (“ICO”), has launched a public consultation on its new draft transfer agreement and associated guidance designed to facilitate international transfers of personal data in compliance with the UK GDPR given that, post-Brexit, the new EU standard contractual clauses (“SCCs”) are not valid for transfers under the UK GDPR. Whilst the practical examples will likely be of assistance, the regulatory burden of dealing with the challenges created by Schrems II still falls heavily on businesses.
The requirement to undertake a ‘Schrems II’ assessment when transferring personal data to third countries whose privacy regimes are not deemed ‘adequate’ remains part of UK law. However, the European Data Protection Board’s recommendations on “supplementary measures” designed to help protect such personal data and ensure that such transfers are compliant with the GDPR (the “EDPB Recommendations”) and the European Commission’s newly adopted SCCs do not apply in respect of the UK GDPR.
In order to address the position under the UK GDPR, the ICO has published:
- a consultation paper asking various questions regarding interpretation of the extraterritoriality and transfers sections of the UK GDPR;
- a draft international transfer risk assessment and tool (“TRA”, i.e. the UK version of the EDPB Recommendations);
- a draft international data transfer agreement (“IDTA”, i.e. the UK version of the SCCs); and
- a draft UK addendum to the SCCs.
The consultation closes on 7 October 2021.
The ICO asks several questions about how it should interpret the extraterritoriality and transfer provisions of the UK GDPR, including the following:
1. Whether processing by an overseas processor of a “UK GDPR controller” (i.e. a controller whose processing is in scope of the UK GDPR) should always be considered in scope of UK GDPR because its processing is carried out “in the context of the activities of” a UK-based controller, or its processing “relates to” the non-UK based controller’s targeting or monitoring activity.
In the first “in the context of the activities of” scenario, the ICO’s current preference is that it would be dependent on the circumstances. In the second “relates to” scenario, the ICO is leaning towards the processing by the overseas processor always being governed by the UK GDPR. Whilst the distinction is somewhat odd on the face of it, this does follow the approach of the EDPB in its territorial applicability guidelines. Overseas processors should therefore continue to be aware that they may be subject to direct enforcement action.
2. In the context of transfers, the ICO suggests that there must be a transfer from one legal entity to another in order for it to be restricted (i.e. there is no restricted transfer where an employee takes a laptop outside the UK, or a UK company shares data with its overseas branch). The ICO also asks whether a UK GDPR processor (with a non-UK GDPR controller) returning data to that controller should be a restricted transfer.
Interestingly, it also asks for comments on one of the issues that remains unclear following the adoption of the new SCCs. The new SCCs are not valid for transfers of personal data where the importer’s processing of the data is subject to the EU GDPR, which has left uncertainty as to whether safeguards (and which ones) are required in these circumstances, or whether the importer’s processing being subject to the EU GDPR is itself sufficient.
The ICO’s current guidance on this point in the context of the UK GDPR is that no transfer protection is needed if the importer’s processing is subject to the UK GDPR. However, the consultation says that it intends to change this position to reflect that a restricted transfer still takes place in such circumstances and that it is irrelevant whether or not the UK GDPR applies to the importer. In contrast to the position adopted in respect of the SCCs, though, the ICO indicates that the IDTA could still be used.
The posing of these fundamental questions on interpretation of the UK GDPR gives businesses a good opportunity to have their say in the shaping of the UK data protection framework.
Transfer Risk Assessment (TRA)
The ICO has produced a draft transfer risk assessment tool to assist with Schrems II assessments. It is voluntary and businesses may use other methods instead, although the examples and decision trees may be helpful to many businesses.
In contrast to the EDPB Recommendations where the EDPB is quick to say when a transfer should not take place, the ICO takes a more cautious approach and states that in certain cases the TRA may indicate that it is unlikely the proposed transfer can go ahead. In such a case, the exporter may consider completing a more detailed risk assessment, or relying on another appropriate safeguard or an exception.
A major difference between the EDPB Recommendations and the TRA is that the TRA explicitly provides assessment steps for the exporter to assess the risk of harm that the transfer causes to data subjects and allows for a transfer to proceed where there is a low risk (even though some issues may technically have been identified in the assessment of the destination country’s regime). The TRA comprises a series of steps, albeit different in order and number to the EDPB Recommendations, as well as accompanying tables designed to provide examples and factors for exporters to consider.
Step One – Assess the transfer
As with the EDPB Recommendations, this step also involves mapping data flows and recording the specific circumstances of the transfer.
The TRA also asks the exporter to consider whether the transfer complies with the rest of the UK GDPR, for example by ensuring that the fundamental principles of data minimisation and transparency are met.
Step Two – Assess the enforceability of the IDTA in the destination country
Step Two asks the exporter to assess the enforceability of the contractual safeguards of the IDTA in the destination country. The ICO provides a table including a range of factors which could impact the extent to which enforceable and effective rights are provided in the destination country. For example, whether the country recognises the rule of law and whether foreign judgments/arbitration awards can be enforced.
If satisfied with the enforceability of the IDTA, the exporter can move straight onto Step Three. If there are concerns, a supplementary risk assessment should be carried out. At this point, the ICO’s risk of harm concept comes into play. This supplementary risk assessment involves looking at the particular risks attached to the data being transferred and whether there are factors which increase or decrease the risk of harm to data subjects if the IDTA is difficult to enforce against the importer. Again, the ICO provides a table as a guide. For example, basic employment details about staff are inherently low risk, whereas special category employment records like health information are inherently high risk. Risk levels may be reduced where data is already in the public domain or increased where data subjects are children.
Having identified the risks, the exporter should consider whether any extra steps and protections can be applied to safeguard the data and reduce those risks. A further table is provided which sets out a list of typical extra steps and protections and guidance on how effective they may be at reducing the risk of harm to data subjects. For example, password protection is a basic level risk reduction; encryption prior to transfer and split party processing is a significant level risk reduction.
At this point, if there is no or a low risk of harm (taking into account reductions made by the extra steps and protections), the exporter can proceed to Step Three.
If there is still an enhanced risk of harm (a phrase that the ICO seems to use to mean more than a low risk) that cannot be appropriately reduced, the ICO recommends that the exporter do a more detailed risk assessment or consider relying on an exception.
Step Three – Assess the destination country’s regime for regulating third party access
The ICO starts by saying that this part of the assessment does not need to be done (and consequently the transfer can go ahead) if the exporter is satisfied that, given the circumstances of the transfer and the nature of the personal data, the possibility of third party access (including surveillance) is minimal; or even if third party access did take place, the risk of harm to data subjects is low. This represents a point of difference in comparison to the EDPB Recommendations which focuses heavily on documenting this assessment. In practice though, it would be difficult for an exporter to comply with the accountability principle without documenting at least some assessment of the destination country’s regime.
Step Three involves considering whether the destination country provides legal safeguards for data subjects when the law requires that third parties are able to access their data, and whether those legal safeguards are sufficiently similar to the UK’s underlying standards. The table in this section includes factors to consider such as the breadth of powers of public authorities to access data and whether there are any safeguards such as a court order being required.
If the exporter decides that there are appropriate legal protections, the restricted transfer may go ahead using the IDTA. Otherwise, the exporter then needs to consider the likelihood of third party access to the particular data being transferred (e.g. is it likely to be of interest to surveillance authorities). The table in this section lists factors such as whether or not public authorities have in practice accessed such data before (as emphasised in the final EDPB Recommendations) or whether the data is subject to protections such as confidentiality or legal privilege. If the exporter decides there is a minimal risk of access, it can proceed with the transfer.
If not, it must ask itself what the risk of harm is if access occurs. A risk level table is provided here too. If the risk of harm is low, the transfer may proceed. Otherwise, the exporter should consider whether it can apply extra steps and protections to safeguard the data, similar to those considered earlier in Step Two. In practice, it therefore may make more sense for exporters to consider the extra steps and protections that they can apply in the round.
If there is still an enhanced risk of harm which cannot be reduced, the ICO says that the exporter should carry out further steps in order to decide whether the transfer is lawful.
International Data Transfer Agreement (IDTA)
At first glance, the ICO draft IDTA looks very different to the SCCs. It is structured into four parts: (1) tables which set out various details about the parties and the transfer in question, (2) optional extra protection clauses, (3) optional commercial clauses, and (4) mandatory clauses. The IDTA does not utilise a modular format but does have a number of instances where a clause may or may not be applicable depending on the transfer scenario. The applicable scenarios are subject to change pending feedback on the consultation. The non-modular approach is helpful in that businesses do not need to consider the appropriate amalgamation of modules as in the SCCs, but the interoperability of the various provisions is not always clear.
As with the SCCs, the parties make various “promises” relating to, inter alia, the local laws of the data importer, onwards transfers and data subject rights. Notably, the IDTA also includes a “review date” concept, the least frequent of which is an annual review. The ICO is apparently also considering introducing an arbitration scheme as an optional dispute resolution mechanism under the IDTA which would be an interesting way of dealing with disputes.
Helpfully, a draft addendum to be used alongside the new SCCs (which essentially just states that certain EU references are to be read as UK references) has also been published. Such an addendum being in the final package would certainly make life a lot easier for those businesses dealing with multi-national flows who may need to consider both EU and UK transfer mechanisms.
As with the new SCCs, a transitional period has been proposed. The initial suggestion is that the legacy SCCs (which are the ones currently still valid in the UK) will cease to be valid for new contracts 3 months after the new IDTA comes into effect, with a further 21 months to transition to the IDTA for existing contracts.
Steve Wood, the ICO Executive Director of Regulatory Strategy, said “We understand that international transfers can be complex, especially for smaller businesses. Our new guidance has been designed to be accessible and to ensure they support all organisations, from SMEs without the benefit of large legal budgets to multi-national companies”. Whilst the issue of transfers has become increasingly complicated since the Schrems II decision, so that putting together simple guidance would be quite the feat, it is difficult to see how an SME without a dedicated legal function or budget will be able to make effective use of the TRA or IDTA without investing significant time and effort. Nevertheless, businesses undertaking transfer impact assessments will likely find the ICO’s examples and tables in the TRA helpful for their analyses, even if the burden of undertaking a complex assessment still ultimately falls on the business.
In terms of timing, final versions of the ICO documents are unlikely to be due before the end of this year at the earliest given that the consultation does not close until 7 October. As the legacy SCCs cease to be valid for new contracts under the EU GDPR from 27 September 2021, this leaves a not insubstantial period of time during which companies would be required to use the new SCCs for EU GDPR but the legacy SCCs for UK GDPR. At this point, contracts may be more transfer clauses than commercial agreement. Businesses should, as part of their transfers audit and broader Schrems II assessments, consider whether they can take a risk-based approach to this period in the context of their particular transfers.