UK ICO Opens Consultation on Data Transfer Agreements and Guidance
On 11 August 2021, the UK Information Commissioner’s Office (ICO) launched a public consultation on its draft international data transfer agreement and guidance (Consultation). The Consultation comes two months after the European Commission’s adoption of new EU Standard Contractual Clauses (EU SCCs) and the European Data Protection Board’s publication of the final Schrems II guidance. The EU SCCs do not automatically apply in the UK since its exit from the EU. Moreover, the ICO has not yet formally acknowledged the EU SCCs, i.e., as a valid data transfer mechanism under the UK GDPR.
To address the current uncertainty, the ICO is now consulting on adopting its own form of SCCs, which are to be referred to as an International Data Transfer Agreement (IDTA), and issuing a UK addendum that can be used with the EU SCCs. The ICO is also consulting on its own form of UK Schrems II data transfer assessment that will be referred to as a Transfer Risk Assessment (TRA).
Organizations that transfer personal data from the UK to third countries will need to review the Consultation and consider carefully how to incorporate the position being proposed by the ICO into their broader Schrems II data transfer project, including the proposed TRA and use of the proposed IDTAs.
The ICO has advised that the primary purpose of the Consultation, which closes on 7 October 2021, is to understand the practical impact of its proposed approaches on impacted organisations and, in turn, has sought feedback from a variety of stakeholders, including data protection practitioners, multinational companies and SMEs, and legal professionals.
The Consultation is split into three sections as follows:
- Proposal and plans for updates to guidance on international transfers: the ICO has proposed additional guidance on:
  - the interpretation of the extra-territorial effect of Article 3 of the UK GDPR which will, in turn, have an impact on the definition of a ‘restricted transfer’ under the UK GDPR. In particular, the ICO considers whether the following three scenarios would always be subject to the UK GDPR: (a) processing by an overseas processor (e.g., in the US) on behalf of a UK-based controller; (b) processing by an overseas processor on behalf of an overseas controller which is directly subject to the UK GDPR (i.e., by virtue of Article 3(2) UK GDPR because it is offering goods/services to, or monitoring individuals in, the UK); and (c) processing by an overseas joint controller where the other joint controller is subject to the UK GDPR. In each case, the ICO has presented two options and certain points for stakeholders to consider; and
  - the interpretation of chapter V of the UK GDPR – and in particular the definition of a restricted transfer under the UK GDPR. Here the ICO puts forward for comment the following five proposals: (a) whether, in order for a restricted transfer to take place, there must be a transfer from one legal entity to another; (b) whether a UK GDPR processor with a non-UK GDPR controller can only make a restricted transfer to its own overseas sub-processors; (c) whether processing by the importer must not be governed by the UK GDPR (i.e., for the transfer to constitute a restricted transfer under the UK GDPR); (d) updates to the ICO’s guidance on the Article 49 UK GDPR derogations – including whether the concept of ‘necessary’ should in fact be read as ‘strictly necessary’; and (e) guidance on how to use the IDTA in conjunction with the Article 49 UK GDPR derogations. With respect to restricted transfers (part (c) above), the ICO has historically taken the position that, to constitute a restricted transfer, the processing by the importer must not be subject to the UK GDPR, but the ICO has indicated that it does not intend to continue this approach going forward.
- TRA: the ICO has produced a draft transfer risk assessment tool (TRA tool). The TRA tool is a combination of guidance on how to carry out TRAs, and tables organizations can use to help decide on the risk level when undertaking routine restricted transfers in reliance on the IDTA. The TRA tool comprises three steps as follows: (i) assessing whether the TRA tool is suitable for the restricted transfer (i.e., is it routine and not high risk); (ii) is the IDTA likely to be enforceable in the recipient country – if “yes” you move to step 3, but if “no” you carry out a supplementary risk assessment to assess whether this gives rise to a risk of harm to data subjects and whether any extra steps or protections could reduce the risk; and (iii) is there appropriate protection for the personal data from access by third parties. The ICO clarified that the TRA tool is “only one method for carrying out a risk assessment,” and it is only intended for use with routine international transfers.
- IDTA: the ICO has published a new draft set of standard data protection clauses, which according to the ICO will be referred to as the model IDTA and will replace the existing UK Standard Contractual Clauses (UK SCCs). As part of the draft IDTA (which we comment on further below), the ICO has proposed publishing various templates for use by organisations including, for example, optional commercial clauses to incorporate into the IDTA, a multi-party IDTA and an example of a completed IDTA (and TRA).
Separately, the ICO is considering issuing an IDTA in the form of an addendum to model data transfer agreements from other jurisdictions. As an example, the ICO has published a UK GDPR addendum to the new EU SCCs. The addendum proposes certain edits to the EU SCCs to change, for example, references to the EU, to the UK. The proposed addendum will undoubtedly be welcomed by multi-national organisations engaged in transfers from both the EU and the UK and who were previously faced with the prospect of grappling with two forms of agreement.
Finally, the ICO has requested feedback on its proposal for disapplying the old SCCs (i.e., those adopted under the former EU Data Protection Directive) – essentially providing a long-stop date approximately 25 months after the IDTA is approved by the UK Parliament.
IDTA vs. EU SCCs
We have set out below some of the key differences and similarities we have identified between the draft IDTA and the recently adopted EU SCCs:
- Format of the IDTA: the IDTA (which does not follow the same format as the EU SCCs) is formed of four parts as follows: (i) Tables – where the particulars of the transfer are included (i.e., similar to the Appendices in the EU SCCs – albeit more detailed) – although the tabular format is not mandatory; (ii) Extra Protection Clauses, i.e., supplementary measures to be included where the TRA determines there is no essential equivalence in the recipient third country; (iii) Commercial Clauses, e.g., where Linked Agreements are cross-referred to (see below); and (iv) Mandatory Clauses – which must be included in full without any amendments.
- Multiple Transfer Scenarios: as with the EU SCCs, the IDTA addresses the following four data transfer scenarios: (i) controller to controller, (ii) controller to processor, (iii) processor to processor, and (iv) processor to controller.
- Multiple Parties: as with the EU SCCs, multiple parties can sign up to the IDTA, and the ICO confirms that such a multi-party IDTA “may nominate someone to make decisions on everyone’s behalf”. In turn, a template is provided at Chapter 5 of the IDTA.
- Schrems II Transfer Impact Assessment: unsurprisingly, as with the EU SCCs, the IDTA requires that a Schrems II TRA be carried out in advance of any restricted transfers and the parties are required to provide similar representations in regard to this assessment as in the EU SCCs.
- Article 28 Data Processing Provisions: unlike the EU SCCs, the IDTA does not incorporate the Article 28 data processing provisions. Instead, the IDTA permits organisations to cross-refer to the “Linked Agreements” (e.g., existing data processing agreements). In the event of conflict between the IDTA and the Linked Agreement, the former shall take precedence.
- Liability: under the IDTA, each party is fully liable for the entire damage suffered by an individual unless it can prove it is not in any way responsible for the event giving rise to the damage.