
The future of international transfers of personal data from the UK

  • United Kingdom
  • Privacy, data protection and cybersecurity
  • Consumer
  • Food and drink
  • Retail

13-08-2021

The ICO has just published a consultation on the future of international transfers of personal data from the UK.

What do you need to know? Listen to our podcast.

Does this affect me?

Yes, if you:

• are subject to the UK GDPR and transfer personal data outside the UK, EEA or those countries which the UK has confirmed provide adequate protection for personal data; or

• are in one of those countries outside the UK, EEA or adequate countries, and receive data from an organisation that is subject to the UK GDPR.

What should I do?

If you’re affected by UK international transfers, you should:

• read through the materials published by the ICO for consultation, which primarily comprise:

o a consultation paper and questions

o a new set of standard data protection clauses, to be known as the model International Data Transfer Agreement (IDTA) under the UK GDPR

o an example UK addendum which amends the new EU SCCs to work in the context of UK data transfers

o a transfer risk assessment (TRA) tool

• consider responding to the consultation paper, particularly if your organisation faces tricky issues in relation to international transfers – your responses could help simplify the process going forward

• review your international data flows and identify any existing transfers which are under the existing standard contractual clauses. If these haven’t been updated since 1 January 2021 to account for Brexit, you should look to update them to the new UK safeguards once they come into force

• make sure your teams are aware that any upcoming transactions or processes which will require an international transfer of data might need a different approach, and start preparing to implement the new regime

• get in touch if we can help you define your strategy to make these changes as painless as possible, including:

o carrying out transfer risk assessments

o replacing existing transfer agreements

o managing transfers across the UK and EU in as consistent a way as possible, including intra-group arrangements.

Timing

The consultation is open until 8 October 2021.

The ICO then needs to lay the final adequacy safeguards (the IDTA and any UK addendum for the new EU SCCs (or other transfer agreements) approved following the consultation) before Parliament for 40 days.

Assuming there are no objections, the IDTA and/or UK addendum would then be a valid safeguard for international transfers and could be used immediately.

The ICO proposes that organisations will still be able to use the existing standard contractual clauses to protect personal data:

• in respect of new transfers, for 3 months; and

• in respect of existing transfers already being made under the existing standard contractual clauses, for a further 21 months (i.e. 24 months in total).

Although we don’t know when the IDTA and any addendum will be laid before Parliament, this timing doesn’t perfectly align with the requirements for all new EU transfers to be under the new EU SCCs by 27 September 2021.

Therefore, anyone wanting to use the UK addendum alongside the new EU SCCs in the (probable) few weeks between the EU deadline and the entry into force of the addendum (assuming it survives the consultation) may find a slight delay is required.

The consultation

Identifying transfers: interpreting the UK GDPR

Unusually, the ICO is consulting on 3 significant issues of interpretation of the UK GDPR; issues which have NOT been resolved by the new EU SCCs. These all focus on what constitutes a restricted transfer under the UK GDPR, which would require some form of safeguard.

The 3 issues of interpretation of the UK GDPR that the ICO is consulting on are:

1. Are processors established outside the UK subject to the UK GDPR automatically if:

• They are processing data on behalf of a controller established in the UK, as such processing would be in the context of the establishment of that UK controller?

• They are processing personal data which makes the controller subject to the UK GDPR as a result of Article 3(2), namely that it offers goods or services to individuals in the UK or monitors their activities, as their processing must also meet those criteria?

2. If a controller established outside the UK is a joint controller with a controller established in the UK, is that joint controller also processing in the context of the UK establishment?

3. What is a transfer which is restricted by the UK GDPR? In particular, are the following activities transfers:

• Sending personal data to another jurisdiction, but within the same legal entity, e.g. a transfer within a single company, for example to an employee located in another jurisdiction, or from a branch in the UK to its head office outside the UK?

• Sending personal data to a recipient who is outside the UK but subject to the UK GDPR, e.g. if the entity outside the UK is caught by the UK GDPR due to Article 3(2), or as a result of the processor assessment above?

• A transfer from a UK-based processor to its controller who is not subject to the UK GDPR, or to another controller or processor which is not a sub-processor of the UK processor?

The ICO has also clarified that when looking at the nature of the transfer of personal data, they are minded to consider who authorises each “leg” of the transfer, rather than the actual physical data flows.

This removes a lot of uncertainty currently present in relation to outsourcing transactions where data flows directly from the customer to a sub-processor with whom the customer does not have a direct contractual relationship. The transfers to be safeguarded in this situation would be along the lines of the authorisation for the processing, i.e. from the customer to the supplier (if they were outside the UK), and then from the supplier to its sub-processors (if they were outside the UK).

Finally, the ICO would like to know whether it should update its guidance on the use of “derogations” to the requirement to put in place an appropriate safeguard, perhaps indicating a willingness to move away from the strict interpretation of the derogations.

Transfer risk assessment

The consultation pack contains a TRA tool.

This is important guidance, setting out expectations from the ICO as to the types of safeguards that might be appropriate in certain circumstances.

The tool only applies to routine, low risk transfers - and the guidance from the ICO sets this bar fairly low - but the approach taken will be useful to organisations making more complex transfers too.

The ICO also makes two points crystal clear:

• Complying with transfer restrictions should be your final hurdle to clear - before you even get here, you have to ensure that the transfer satisfies all of the other provisions of the UK GDPR, for example that there is a necessary lawful basis, that only the minimum necessary data is transferred, and that the data will be kept secure.

• Not all transfers can be made lawful by putting in place a contract or another legal device. Sometimes, after carrying out a risk assessment, the right decision to make will be to not make the transfer at all. This highlights the importance of carrying out the risk assessment before you commit to a particular supplier or process.

Key differences to current EDPB Guidance

The TRA tool has specific and practical guidance not currently available at an EU level, including:

• It is not necessary to review the whole legal regime of the country you are transferring data to, just those aspects relevant to the transfer

• Guidance as to how to find out information about the legal regime in other jurisdictions, as well as an option to simply assume that the jurisdiction is not equivalent, and therefore to jump straight to other safeguards. Surveillance is not the key focus - a commitment to the rule of law and the enforceability of safeguards are also core elements of an assessment

• One risk assessment can cover a series of connected transfers, and onward transfers should be considered in the context of any individual TRA

• “Red flags” or other indicative factors which should raise concerns that the jurisdiction may not provide sufficient enforceable rights

• Guidance in relation to potential risk of harm, rated red/amber/green in respect of specific categories of personal data, and practical factors which may increase or decrease the risk of harm, including other regulatory obligations (such as financial services obligations) that the recipient is subject to, or the reputation and global nature of the specific organisation

• Specific examples of additional measures which might be taken depending on the risk assessment of the particular transfer

• Factors which should either allay fears in relation to access by government agencies, or raise concerns that access may undermine the rights of individuals, both in terms of the scope and the likelihood of such access taking place.

The international data transfer agreement (IDTA)

The IDTA is, like the majority of guidance issued by the ICO, targeted at small and medium enterprises without a legal team to steer them through the complex requirements of international transfers. Although the length of the new clauses might seem off-putting, the approach is more reflective of UK contract terms, and the language is plain and simple, taking businesses step by step through their obligations in relation to personal data.

Whilst the agreement can stand on its own, it is designed to work with linked agreements, such as a services agreement (normally processor agreement, including the mandatory clauses required by Article 28 UK GDPR), a data sharing agreement in accordance with the ICO’s data sharing code, or a joint controller arrangement, in accordance with Article 26.

For the exporter, the focus is on ensuring that it has sufficiently considered the appointment of the importer and the protections that it has in place, that it continues to monitor that position, and takes action where there are breaches. Any transfer risk assessment that the exporter carries out (with the support of the importer) will inform the decision as to whether any additional legal or technical safeguards are required, and the parties need to keep these under review.

For the importer, the obligations are more detailed, but the provisions of the IDTA are a working manual for the key protections that the importer must provide for personal data. It sets out how the importer should ensure that key data subject rights are maintained even though the data is outside the UK, and provides a simplified process for importers who may find themselves under a legal obligation to disclose data to the authorities in their jurisdiction which it is not reasonable to resist. The onus in this situation is on the exporter to have considered the likelihood of such a request as part of its transfer risk assessment, rather than expecting the importer to refuse to comply with legal obligations in its home country.

Key differences to the new EU SCCs

The IDTA, unlike its EU counterpart:

• acknowledges the complexity of linked agreements likely to be in place when international transfers arise, setting out an order of precedence between linked agreements and the IDTA, including how the IDTA works with mandatory processing clauses (complying with Article 28 UK GDPR) in any related agreement, as well as audit and other provisions elsewhere which might provide additional protections for personal data

• gives specific guidance as to what can and can’t be removed from the IDTA, and that it can be reformatted and re-ordered so as to work with your existing agreements, provided that the Mandatory Clauses are still included

• presents the factual information up front, in the style of an order form that many small businesses will be used to working with, allowing quick reference to key facts and options selected

• provides for the situation where the parties have mistakenly considered themselves to be a processor or controller when they are, in fact, the opposite, requiring the IDTA to be interpreted with reference to the correct roles

• sets out contractually the right to recover compensation paid to a data subject under Article 82 UK GDPR where the other party was responsible for some of the damage

• proposes a specialist arbitration scheme, still to be fully defined, for claims made by data subjects and, if selected, between the parties

• does not assume that a processor can only be transferring data to its sub-processor or a controller who is the controller who has instructed it, but also allows for transfers to other processors or controllers who may be unconnected (provided that this is on the instruction of its controller)

• explains to data subjects how they can enforce their rights under the IDTA

• does not require the importer to comply with a higher standard than would apply if it were in the UK, meaning that exemptions to, for example, data subject rights which would apply if the importer were in the UK will still apply

• overrides any existing agreements (other than the defined Linked Agreement) in relation to the transfer of the data, so that old SCCs will be automatically overridden if they were entered into as separate agreements

• contains standard UK boilerplate clauses to assist with interpretation of the contract terms in UK courts, including guidance on how the IDTA should be signed.

Next steps

All organisations who transfer data internationally should review the consultation paper and consider responding. In particular, if your organisation struggles with any of the interpretation issues in relation to “what is a transfer”, then the ICO would benefit from your experience!

If the release of the new EU SCCs wasn’t enough to inspire you to revisit the international transfers that your organisation makes, now is the time to take a look, make sure that you understand where your data is flowing to, and work out your strategy for moving to the new IDTA, UK addendum or new EU SCCs.

If any existing transfers haven’t yet been updated following Brexit to reflect the revised status of the UK, you should look to update them to the new UK safeguards once they come into force.

And any transfers which have not been “risk assessed” since the requirement arose from the Schrems II case can now benefit from this guidance.

You should make sure your teams are aware that any upcoming transactions or processes which will require an international transfer of data might need a different approach, and start preparing to implement the new regime.

Protecting personal data when it is transferred to other jurisdictions is an important and complex undertaking. Whilst historically it may have been treated by some as an admin exercise, the obligations on all parties to a transfer are binding, and failing to put protections in place can have a significant impact, particularly if the data is later exposed by virtue of a security breach, or data subjects seek to enforce their rights.

Eversheds Sutherland can help you define your strategy to make these strategic changes as efficiently and effortlessly as possible, including:

• supporting your transfer risk assessment process and decisions

• replacing existing transfer agreements with revised provisions

• managing transfers across the UK and EU in as consistent a way as possible, including intra-group arrangements

• implementing processes to ensure that new international transfers are identified easily, risk assessed prior to supplier downselect and documented appropriately in an efficient and strategic manner.

Please do get in touch with your usual contact or one of the team below.

To assist with your planning, we have created an SCC timeline illustrating which clauses may be used and when.
