ICO Consultation on International Data Transfer Agreement to Replace SCCs
On August 11, 2021, the UK Information Commissioner’s Office (“ICO”) launched a consultation on its draft international data transfer agreement (“IDTA”) and guidance for organizations on international transfers (the “Guidance”). Once finalized, the IDTA will replace the existing EU Standard Contractual Clauses (“SCCs”) in the UK. The consultation follows both the UK’s exit from the EU, and the July 2020 Schrems II judgment, in which the Court of Justice of the European Union (“CJEU”) (1) invalidated the EU-US Privacy Shield, and (2) confirmed the validity of the SCCs but required exporting entities to carry out an assessment on a case-by-case basis to verify whether the SCCs provide an adequate level of protection for the personal data transferred, and to implement additional safeguards where that is not the case. The European Commission recently published updated SCCs under the EU General Data Protection Regulation (“GDPR”), however, these do not apply in the UK following Brexit. The ICO must therefore publish its own set of SCCs under the UK GDPR (the GDPR as incorporated into the law of the UK).
The consultation is split into three separate sections, covering proposals for the Guidance, transfer risk assessments (“TRAs”), and the IDTA. The ICO also provides a template Addendum to the EU SCCs, allowing organizations to adapt those SCCs to work in the context of UK transfers. The consultation is open until October 7, 2021, and responses can be submitted by completing the consultation paper and questions and sending them to IDTA.firstname.lastname@example.org. Hunton will prepare a response in conjunction with our Centre for Information Policy Leadership.
For the Guidance, the consultation seeks input on questions around the transfer of personal data, but also includes broader questions relating to the scope of the UK GDPR, such as when Articles 3(1) and 3(2) of the UK GDPR apply to overseas processors of UK personal data. Questions are posed regarding when a relevant transfer is deemed to have taken place, for example providing one interpretation under which the return of data by a UK processor to an overseas controller would not be considered a restricted transfer. In some instances, the consultation invites respondents to select different options depending on their interpretation of the UK GDPR. One of the most notable options provided in the consultation is maintenance of the ICO’s position that a transfer to an entity already directly subject to the UK GDPR by virtue of Article 3(2) does not constitute a restricted transfer. However, the ICO indicates in the consultation that its current intention is not to select this approach.
The consultation further covers the derogations available under Article 49 of the UK GDPR, querying whether exporters should be required to attempt a transfer mechanism before relying on the derogations, and whether the requirements for the derogations to be “necessary” should be interpreted as “strictly necessary.” The responses received during the consultation period will influence the position the ICO takes with respect to these key questions in the Guidance.
The ICO has produced a draft TRA tool to assist organizations when making routine transfers, though organizations are also free to use their own methods to assess risk. The tool involves a three-stage process for assessing risk.
The organization must first establish that the tool is suitable for its transfer (e.g., the transfer is routine rather than high risk). As part of this assessment the organization must consider a number of factors, such as the nature of the importer, any onward transfers, the purpose and method of transfer, and its regularity.
Second, the organization must assess whether the IDTA would be enforceable in the destination country. If there is doubt, the organization should carry out a supplementary risk assessment to assess the potential for harm to data subjects and identify extra protections that may reduce the risk. The ICO provides guidance as to when the risk of harm will be assessed as low, moderate or high, for example deeming basic employment or contact information to be low risk. It also provides guidance as to factors that may reduce or increase the risk of harm to data subjects, with automated decision-making by the importer constituting one risk factor, as well as guidance on measures that may be implemented to supplement the IDTA.
The final step is to assess the destination country’s regime for regulating third-party access to personal data, including an assessment of surveillance laws. Again, the ICO provides guidance as to factors that are likely to safeguard the rights of data subjects and factors that are likely to undermine them, as well as guidance on assessing the likelihood of third-party access. The draft tool specifies that the transfer should only go ahead where the destination’s regime is sufficiently similar to the UK’s, the risk of third-party access is minimal, or the risk of harm to data subjects is low even in the event of third-party access. Specifically, the TRA tool states: “If you decide… the risk of harm to data subjects is low even if there is concerning third party access, you may proceed with the restricted transfer using the IDTA together with the extra steps and protections you identify.”
The draft template IDTA does not follow the same structure as the EU SCCs, instead providing separate sections for details of the parties, the transfer (including whether the importer is permitted to make further transfers and the frequency with which the IDTA will be reviewed), the data transferred and the purpose of the transfer, as well as the security measures that will be implemented at each stage of the transfer. The IDTA also includes “Mandatory Clauses” which set out the exporter’s and importer’s obligations with respect to the transfer. The Mandatory Clauses include provisions regarding how the exporter and importer will ensure that there are appropriate safeguards in place with respect to the transfer, compliance with ICO requests, the actions to be taken in the event of a personal data breach, onward transfers and sub-processing and data subject rights.
The ICO invites feedback on its draft IDTA, including whether it is clear to organizations how the IDTA should be used in conjunction with the TRA tool, whether organizations are likely to use it, whether a modular approach (such as that taken by the European Commission in its new SCCs) would be preferable, and whether the ICO should provide a separate multi-party IDTA.
The ICO also proposes including additional guidance templates, covering, for example, optional TRA extra protection clauses, commercial clauses, and examples of a completed TRA and IDTA.
The ICO also queries whether it should issue an IDTA in the form of an addendum to existing model transfer agreements, such as the EU SCCs, and provides a template Addendum that amends the EU SCCs to work in the context of UK data transfers. This Addendum would potentially provide a practical compliance solution for many companies transferring personal data from the EU and the UK, which would otherwise be required to put in place separate data transfer agreements.
The full consultation can be viewed here.