On 11 August, the ICO launched a consultation on international data transfers and published a draft ‘International Transfer Risk Assessment and Tool’, and a draft ‘International Data Transfer Agreement’ (“IDTA”). The IDTA would replace the existing Standard Contractual Clauses for transfers of personal data from the UK.
The consultation is divided into three sections:
proposal and plans for updates to the ICO’s guidance on international data transfers;
transfer risk assessments; and
the draft IDTA.
1. ICO guidance on international data transfers
The ICO has published guidance on international data transfers on its website. The ICO now, as part of the consultation, invites comments on proposals to update that guidance, and in particular in relation to:
the interpretation of Article 3 of the UK GDPR (the extra-territorial scope of the UK GDPR); and
the interpretation of Chapter V of the UK GDPR, which governs restricted transfers from the UK.
These topics cover areas that have been troubling businesses, such as:
whether the UK GDPR necessarily applies to a UK-based controller’s overseas processor or joint controller;
when a restricted transfer is considered to take place (for example whether it would include the return of data from a UK processor to a non-UK controller); and
the application of the derogations under Article 49 of the UK GDPR, including to what extent the derogations may be relied on.
The feedback received may affect the final positions the ICO will adopt in any updated guidance on international data transfers.
2. Transfer Risk Assessment
The ICO has published a draft ‘International Transfer Risk Assessment and Tool’ (“TRA”), designed to evaluate the risks associated with an international personal data transfer and thus whether an Article 46 ‘transfer mechanism’, such as the IDTA (if adopted), could be relied on.
The steps of the TRA include taking into account:
the facts of the transfer, including the specific transfer intended (e.g. types of personal data, categories of data subjects, purposes of the transfer);
the particular facts about the destination country (e.g. possibility of enforcement of overseas judgments); and
the potential impact on, or harm to, individuals, especially considering whether appropriate protections restrict third-party access to the data.
It should be noted that the ICO indicates that data exporters need only examine the parts of the destination country’s regime that are relevant to the data transfer when performing the assessment.
The TRA closely aligns with the recommendations of the European Data Protection Board (“EDPB”), published earlier this year following the Schrems II case, on the measures that may be required to supplement the ‘transfer mechanisms’ in Article 46 of the GDPR. The key question for the UK is whether the destination country offers data subjects a level of protection that is “essentially equivalent” to that of the UK regime.
3. The International Data Transfer Agreement (“IDTA”)
The IDTA, which will replace the current set of Standard Contractual Clauses for transfers of personal data from the UK, accommodates different types of transfer arrangements (e.g. UK controller to non-UK controller, UK controller to non-UK processor, etc.) with several options for the parties to choose from depending on the relevant transfer.
The IDTA includes four parts:
tables that need to be populated for each relevant transfer, for example the names of the parties, the details of the personal data transferred and any security measures;
extra protection clauses, where the TRA identified that the data exporter needs to implement additional safeguards;
commercial clauses the parties may want to include, for example if there is a linked agreement; and
mandatory clauses, which must be adopted in their entirety, save for adapting cross-references, removing the sections the parties have explicitly agreed not to include, and adding further parties to the IDTA.
It is worth noting that the ICO has also proposed that the new EU Standard Contractual Clauses, published by the European Commission in June 2021, could be used as an alternative to the new IDTA for transfers of personal data from the UK, subject to the use of a ‘UK addendum’. The UK addendum substitutes references to the EU data protection regime with references to UK legislation and addresses issues such as governing law and the choice of forum and jurisdiction for disputes. This will be a relief for many controllers and processors that transfer personal data from both the UK and the EEA, as it essentially allows them to use one set of clauses for their data transfers (with the addition of the UK addendum for transfers from the UK), instead of having to use both the EU Standard Contractual Clauses and the UK IDTA (if adopted; until then, the existing Standard Contractual Clauses for transfers of personal data from the UK).
What does this mean for businesses?
The ICO’s consultation on the ‘updates’ to its current guidance on international data transfers is welcome, in that it should bring clarity, but also somewhat alarming. Alarming because, in some areas, the ICO appears to be contemplating not merely ‘updating’ its current guidance but materially changing it. The nature of any changes will determine the impact on businesses. If they result in a less restrictive regime for international data transfers, the changes will be welcomed. If they result in greater restrictions, organisations will need to revisit their earlier analyses of such transfers and make whatever changes are necessary.
The draft TRA and IDTA remain in draft form pending completion of the consultation, so there is no specific action to take at present. That said, organisations should watch for the final versions and, in the meantime, may find it useful to review their current practices and transfers and consider the changes that may be required.
Off the back of the IDTA, the ICO also intends to produce practical tools and guidance templates, such as optional extra protection and commercial clauses, a multi-party IDTA, and an example of a completed TRA & IDTA, to support organisations with their compliance.
The consultation is open until 7 October 2021.