UK guidance on international data transfers – striving for pragmatism
Will it add clarity or complexity?
10 September 2021
As the UK unveils a commercial, pro-growth plan for data regulation, many will be weighing up the benefits of this business-friendly approach with the complexity that could result from a divergence with EU standards.
On 26 August 2021, the UK Government published a press release on the UK's data regime, including materials setting out the UK's approach to international transfers of personal data. The announcements reflect a focus on facilitating data exchange to drive innovation and economic growth, and a push for a data transfer regime that supports the UK's trade agenda.
The public consultation on international personal data transfers recently published by the UK Information Commissioner's Office (ICO) should be understood in this context, as it seeks to balance the aims of maintaining equivalence with the EU's data standards with a mandate to adopt a pragmatic approach to international personal data transfers.
UK Government's Data Regime
The UK Government has:
- published a mission statement on the UK's approach to data protection adequacy assessments, as well as an adequacy assessment manual and associated guidance document setting out a framework for adequacy assessments;
- stated that it will seek to strike data adequacy partnerships with the US, Australia, the Republic of Korea, Singapore, the Dubai International Financial Centre and Colombia, as well as prioritising future partnerships with India, Brazil, Kenya and Indonesia;
- announced the launch of an International Data Transfers Expert Council to provide independent technical and tactical advice on the UK's international data transfers policy;
- announced a consultation on the UK's data protection regime;
- named New Zealand's Privacy Commissioner, John Edwards, as the UK's next Information Commissioner.
Many will welcome this ambitious pro-growth agenda, which aligns with the innovation strategy published in July 2021. However, there will also be concerns about the uncertainty created regarding the evolution of the UK's legal regime and whether the Information Commissioner will be successful in maintaining sufficient equivalence with the EU standards for the UK to retain its adequacy decision.
ICO's Consultation on International Personal Data Transfers
On 11 August 2021, the ICO launched a public consultation on their draft international data transfer agreement and related guidance. The consultation paper introduces and seeks views on:
- proposals for guidance on restricted transfers, including clarifications and possible changes of interpretation of aspects of the extra-territorial scoping and restricted transfer provisions under the UK GDPR;
- draft international data transfer risk assessment guidance and tool; and
- UK-specific draft contract terms to address restricted international data transfers under the UK General Data Protection Regulation (UK GDPR) namely: a draft international data transfer agreement (IDTA); and a UK addendum to the European Commission's new Standard Contractual Clauses (UK Addendum).
This suite of documents reflects a risk-balanced, pragmatic approach to international personal data transfers under the UK GDPR, in the wake of the UK's departure from the EU and the European Court of Justice's judgement in Schrems II. It also seeks to address long-standing areas of ambiguity in an open manner, sometimes setting out the pros and cons of possible alternative interpretations. For example, the ICO asks whether non-UK processors of UK-established controllers should automatically be directly subject to the UK GDPR, and proposes to take the position that data flows within a legal entity (e.g. to an overseas branch) are not considered 'restricted transfers'.
Overview of the ICO's Draft International Data Transfer Risk Assessment ("TRA") Guidance and Tool
Following Schrems II, TRAs should be completed in advance of restricted transfers of personal data that are (i) subject to the UK GDPR and (ii) made using one of the Article 46 UK GDPR appropriate safeguards, such as standard contractual terms or binding corporate rules.
The ICO's TRA tool is designed to assist with completing 'routine' (rather than high-risk or complex) TRAs. It contains decision trees and guidance tables that take the user through three steps for determining whether use of the IDTA would provide "essential equivalence" – i.e. protection that is sufficiently similar to the relevant protections applicable to the personal data when it is in the UK.
- Step One – Assessing the transfer itself: Does the transfer comply with the rest of the UK GDPR (e.g. in relation to data minimisation)?
- Step Two – Assessing enforceability: Will the contractual safeguards of the IDTA be enforceable in the destination country?
- Step Three – Third-party access: Does the destination country's legal framework regulate third-party access to personal data (e.g. surveillance laws) and what safeguards are afforded to a data subject's rights in this regard?
Helpful aspects of the ICO guidance include:
- making use of the TRA tool optional – data exporters may conduct TRAs in other ways, which may be helpful in facilitating creation of processes that address both EU and UK requirements in this area;
- a focus on underlying principles such as respect for rule of law and access to justice as 'indicative factors' as to the IDTA's enforceability (rather than requiring specific rights or obligations be present in the destination country's laws);
- a table of risk assessment factors that may help to render a data transfer sufficiently low risk for the data subject(s) that it could be completed even where there are concerns regarding enforceability of the IDTA;
- examples of supplemental measures that could complement the use of an IDTA in order to reduce identified risks and thereby facilitate a data transfer;
- framing the assessment of the destination country's third-party access laws as a comparison with the UK's regime (which grants significant surveillance powers) and suggesting factors that might help balance extensive access, such as administrative oversight, transparency and data subject rights of challenge and access;
- an option to (1) not assess the destination country's regime for third-party data access, or (2) to proceed with a transfer even if the destination country's third-party access regime cannot be considered similar to the UK's, where: (a) the risk of third-party access is minimal; or (b) if third-party access were to take place, the risk of harm to data subjects is low;
- examples of supplemental measures that might be taken to reduce the likelihood of third-party access occurring and/or the level of risk of harm to data subjects where the factors described in the two preceding points do not render the proposed transfer sufficiently low risk.
Overview of ICO's Draft IDTA and UK Addendum
The ICO's IDTA is the UK's equivalent to the EU Standard Contractual Clauses (SCCs); it is a contract that organisations may use as an 'appropriate safeguard' to make a restricted transfer under the UK GDPR to a non-adequate country in circumstances where an Article 49 UK GDPR exception does not apply. The ICO also proposes to issue terms that can be appended to the standard contractual terms of other data protection laws, and has published a draft UK Addendum to the new EU SCCs as an example of this flexible approach. The UK Addendum is a short set of terms that modify parts of the new EU SCCs to refer to UK laws, jurisdiction and institutions.
The IDTA or UK Addendum may be used for controller-to-controller transfers, controller-to-processor transfers and processor-to-processor transfers. The IDTA may also be used for transfers from a processor to a party that is not its controller or sub-processor – a type of transfer not specifically addressed in the new EU SCCs. However, the IDTA does not currently appear to address transfers from a processor to its controller (a type of transfer that is contemplated by the new EU SCCs).
Helpful aspects of the draft IDTA and UK Addendum include:
- A tabular approach to the IDTA, making the fact-specific aspects of a data transfer (e.g. details of the parties and of the data being transferred) easy to insert;
- The ability to use the IDTA "as is" without a need to select applicable terms depending on the relationship between the importer and exporter (as the IDTA already states which clauses apply to which relationships);
- The ability to use the new EU SCCs together with the UK Addendum for restricted transfers even where the restricted transfer is only subject to the UK GDPR (and not the EU GDPR) – thereby reducing the number of contracting documents that companies need to use;
- Flexibility as to how the UK Addendum can be executed;
- Optional template additional ('extra protection') clauses and commercial clauses, alongside the mandatory clauses.
Potentially challenging elements of the draft IDTA and UK Addendum include:
- An expectation in the IDTA that the provisions and associated TRA will be reviewed at least annually, and that a copy of the TRA will be provided to the importer by the exporter;
- An obligation in the IDTA to comply with 'any reasonable request' of the data subject;
- Clauses in the UK Addendum changing the governing law and jurisdiction provisions of the EU SCCs to refer to the courts and laws of England and Wales, which could add complexity to disputes relating to data transfers that are subject to both the EU GDPR and UK GDPR.
The ICO's consultation closes on 7 October 2021, with a view to laying a final version of the IDTA and UK Addendum before Parliament by the end of the year. Prior to this, the IDTA and UK Addendum will not technically operate as an Article 46 "appropriate safeguard" under the UK GDPR because UK law still refers to the old (superseded) EU Standard Contractual Clauses. The many companies that are currently updating their contractual terms to incorporate the new EU SCCs (which must be used for new restricted transfers under the EU GDPR from 27 September 2021) will be frustrated by this lack of alignment on timeframes.
There may also be some disappointment that the ICO has not set out a view on the legal regimes in certain third countries or included an example TRA in its guidance. However, the absence of these things also brings a benefit in terms of flexibility – both in the manner in which TRAs are conducted (which will be helpful to companies looking at how to address TRAs within processes that may also have to meet various other regulatory requirements) and in the risk assessments ultimately reached (with no specific countries effectively 'blocked' by an unfavourable ICO view).
It remains to be seen whether the UK's desire to 'unlock' data flows and the ICO's pragmatic approach will nevertheless give rise to complexity through divergence from the EU position over time, particularly as we await the European Data Protection Board's opinion on the territorial scope (Article 3) of the EU GDPR and its interplay with Chapter V, and the wider UK consultation on data protection regulation.