It has only been two months since the European Commission published its updated standard contractual clauses (“EU SCCs”) under the EU General Data Protection Regulation (“EU GDPR”). Because the UK has left the EU, the EU SCCs do not apply to transfers from the UK, so we have eagerly awaited the ICO’s introduction of new contractual safeguards under the UK GDPR (the EU GDPR as incorporated into UK law). On 11 August 2021, the Information Commissioner’s Office (“ICO”) launched a public consultation on its draft international data transfer agreement (“IDTA”), its accompanying draft transfer risk assessment tool (“TRA”) and associated guidance.
The IDTA will replace the old EU Standard Contractual Clauses (“old EU SCCs”) in the UK, which are currently the approved contractual safeguard for restricted transfers from the UK to third countries or international organisations. The TRA will be used to assess whether the IDTA is sufficient to protect data subjects’ rights and freedoms in the importing country, by reference to the legal and data protection regime in place there. It is the UK’s answer to the issues the CJEU raised with the SCCs in its Schrems II decision.
The ICO’s consultation
The ICO’s consultation is divided into three separate parts, covering proposals for the ICO to update its guidance on international transfers, the TRA, and the IDTA. The ICO has also published a template Addendum to the EU SCCs, allowing organisations to amend EU SCCs to work in the context of UK transfers.
The consultation seeks to clarify the interpretation of the extraterritorial effect of Art.3 UK GDPR and of Chapter V UK GDPR, which sets out the rules for restricted transfers of data. One of the most intriguing questions raised by the ICO is when a restricted transfer is deemed to take place: either only when the importer’s processing is not subject to the UK GDPR (which aligns with both the ICO’s current position and the European Commission’s position in the new EU SCCs), or whenever an exporter subject to the UK GDPR transfers data to an importer located outside the UK, regardless of whether the UK GDPR applies to the importer.
The outcome of this decision may have implications for the need (or lack thereof) to implement contractual safeguards when transferring data to a processor that is already subject to the UK GDPR because it offers goods or services to individuals in the UK or monitors their behaviour. Within the consultation the ICO has invited respondents to select the option they believe is most appropriate and to justify their position, but it has already suggested that it may depart from its current interpretation and adopt the latter approach. One could argue that the latter is a simpler, cleaner approach which could make it somewhat easier to navigate what has at times been a complex area of law.
The IDTA is proposed as an appropriate contractual safeguard under the UK GDPR for restricted transfers from the UK. It is the UK equivalent of the EU SCCs. However, the IDTA does not follow the same modular structure as the new EU SCCs (for further detail about the new EU SCCs and their structure, please take a look at our previous blog). Instead, the IDTA is composed of four main sections:
- Tables – specific information about the restricted transfer in question must be included (such as identification of the parties, transfer details, the data transferred and the purpose of the transfer, as well as the security measures to be implemented)
- Extra protection clauses – to be included only where the TRA identifies that extra steps and protections are needed to protect the transferred data
- Commercial clauses – there is an option to include commercial clauses within the IDTA. However, the exporter will most likely already have a data processing agreement, a data-sharing agreement or a service agreement in place with the importer (referred to by the IDTA as a “Linked Agreement”) covering all aspects of the contractual relationship that are not directly related to the restricted transfer. In most cases, therefore, there will be no need to add commercial clauses and it will be sufficient to refer to the Linked Agreement.
- Mandatory clauses – these must always be included. The mandatory clauses set out the exporter’s and importer’s obligations with respect to the transfer. These include provisions regarding how the exporter and importer will ensure that there are appropriate safeguards in place, how they will comply with ICO requests, the actions to be taken in the event of a personal data breach and provisions regarding sub-processing and data subject rights.
The IDTA and the associated TRA must be reviewed on a regular basis, and at least once a year.
The ICO has also opened a consultation on whether it should issue an IDTA in the form of an addendum to model data transfer agreements from other jurisdictions (such as the EU SCCs) and has provided a template draft Addendum that amends the EU SCCs to work in the context of UK data transfers. This Addendum would be used alongside the EU SCCs instead of the IDTA.
If approved, the Addendum is likely to save significant time and resources for organisations that are subject to both the EU GDPR and the UK GDPR, since they will not need to put in place separate transfer agreements (the EU SCCs and the IDTA) for intra-group transfers or other types of restricted transfers from the EU and UK.
In line with the requirements set out in the Schrems II judgement, the TRA tool is designed to assist organisations in conducting risk assessments when relying on the IDTA to make routine restricted transfers from the UK. A TRA must always be completed before an IDTA is put in place, and it is the UK equivalent of the EU transfer impact assessment (“TIA”). The TRA tool is one proposed method of assessing the risks of routine restricted transfers; organisations are free to choose their own method for each transfer. The key point is that the risks associated with any restricted transfer are adequately assessed and mitigated to an acceptable level.
The ICO’s TRA tool involves a three-step process to assess risk:
- Assessing the transfer – the organisation must first establish that the tool is suitable for the transfer (e.g. the transfer is routine, to a country not covered by a UK adequacy regulation and is not high risk). The specific circumstances of the transfer must be considered, such as: the nature of the importer, whether there will be any onward transfers, the technical and organisational security measures implemented by the importer to protect the data and the purpose and method of transfer.
- Is the IDTA likely to be enforceable in the destination country? – the organisation is required to assess whether the legal regime in the destination country is likely to respect the contractual safeguards the IDTA sets out, in a way that is sufficiently similar to how it would be enforced in the UK. This is to ensure that the level of protection the UK GDPR guarantees is not undermined and that enforceable data subject rights and effective legal remedies are available for the exporter and for data subjects.
The ICO includes a list of factors that would suggest there are enforceable rights and effective legal remedies in the destination country, for instance, there is ready access to justice in the destination country via its court system with effective remedies for individuals. If there are any concerns that protections guaranteed under the IDTA may be undermined, the organisation should carry out a supplementary risk assessment to assess the potential for harm to data subjects and identify extra steps and measures that may reduce the risk of harm.
The guidance provides a non-exhaustive list of examples of when the risk of harm might be assessed as low, moderate or high, and of factors that may reduce or increase the risk of harm to data subjects. It also suggests measures that may be implemented to supplement the IDTA, for example encrypting the relevant data before the transfer, or including additional clauses in the IDTA allowing a data subject to bring a claim against the exporter for a breach of the IDTA by the importer.
- Is there appropriate protection for the data from third-party access? – the organisation needs to assess the destination country’s regime for regulating third party data access, including surveillance. The ICO provides guidelines on factors organisations should consider to form a view as to the extent to which the third-party access regime in the destination country is likely to safeguard the rights of data subjects as well as on how to assess the likelihood of third-party access.
The TRA tool specifies that the transfer should only go ahead where the destination country’s regime is sufficiently similar to the UK’s, the risk of third-party access is minimal, or the risk of harm to data subjects is low even in the event of third-party access. For example, if public authorities have wide powers to intercept communications and to access data held by private companies, with minimal safeguards, it is unlikely that there is appropriate protection for the personal data from third-party access and the transfer should not proceed. If, on the other hand, public authorities in the destination country cannot access data held by private companies without a warrant or court order, this is far more reassuring and suggests there is appropriate protection for the data from third-party access.
The ICO’s TRA tool is a broad assessment, which is why it can only be used for transfers that are not complex or high risk. For more complex transfers, for example where the importer is based in more than one country or where a data protection impact assessment (DPIA) is legally required, a more detailed risk assessment will be needed, or the organisation should consider relying on another transfer mechanism or an exception.
What are the next steps?
The consultation is open until 7 October 2021, and responses can be submitted by completing the consultation paper and questions and sending them to IDTA.email@example.com . Following the consultation, the ICO will produce final documents to be laid before Parliament for approval.
The ICO proposes that the IDTA would come into force 40 days after it is laid before Parliament (assuming there are no Parliamentary objections). Three months after the IDTA comes into force, organisations would no longer be allowed to use the old SCCs for new restricted transfers, and 21 months after that (24 months in total from the date the IDTA comes into force) organisations would be required to have replaced all old SCCs with the IDTA for ongoing transfers. Organisations would therefore have 3 months to introduce the IDTA for new restricted transfers and 2 years to replace the old EU SCCs with the IDTA for all existing transfers.
If you would like to discuss the content covered in this blog or require assistance to update your relevant agreements or conduct a TRA, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.