On 11 August, the data protection regulator in the United Kingdom, the Information Commissioner’s Office (ICO) opened a consultation on international data transfer post-Brexit.
Like the EU GDPR, the UK GDPR allows for post-Brexit data transfers based on so-called appropriate safeguards, which include the use of approved model clauses.
In the EU, the European Commission recently updated the Standard Contractual Clauses (SCCs).
The ICO now proposes a model International Data Transfer Agreement (IDTA) that can be used for data transfers originating in the UK.
In addition, the consultation comprises guidance on the Transfer Risk Assessment (TRA) and a draft UK addendum, that could be used in combination with the EU SCCs.
The International Data Transfer Agreement
The IDTA is a draft contract that can be used as a legal basis to transfer personal data out of the UK on the basis of so-called appropriate safeguards, under article 46 UK GDPR.
It would only be required when transferring data to countries that are not deemed adequate by the UK.
The use of the agreement is subject to a transfer risk assessment (see next section).
Also, if you are a data processor subject to the UK GDPR, but your data controller is not subject to the UK GDPR, there is no need to use the IDTA, since that would not be a restricted transfer – other contractual requirements may of course still exist.
The set-up of the IDTA is different from the EU SCCS.
The main content is covered in a series of tables that need to be filled out, including on the parties involved, the details of the transfer, the transferred data and the security requirements.
Other Sections of the IDTA Cover
- Extra Protection Clauses (in case the TRA identifies that additional safeguards are needed),
- Commercial Clauses (for example the regular data protection requirements under article 28 UK GDPR)
- Mandatory Clauses (covering the various obligations of the data exporter and importer, individual rights, oversight, redress and enforcement of the clauses)
Instead of including commercial clauses, it is also allowed to refer to a data processing agreement as a “linked agreement”.
The draft IDTA makes clear that there is some room for flexibility when using the document.
For example, it is not mandatory to use the tables that are included, as long as all the content is covered in a signed contract. The mandatory clauses may – bar some limited alignment exceptions – not be altered.
The Transfer Risk Assessment
It is clear the ICO considers also the UK remains subject to the Schrems-II decision, meaning that all data transfers are subject to the essentially equivalent level of data protection in the country where data are sent to, or from where they are accessed.
A TRA is therefore required in order to find out “whether the laws and practices include safeguards which are sufficiently similar in their objectives to the principles which underpin UK laws”.
In other words: will the safeguards you put in place to accompany the transferred data, for example via the IDTA, be respected and are they sufficient?
For routine and relatively straightforward data transfers, especially those with only one partner in one third country, data exporters can rely upon the TRA tool, described in the consultation papers.
This is a three step approach.
First assess the transfer itself – is it of low risk to individuals?
Next, verify if the IDTA is likely to be enforceable in the country of destination.
Finally look for appropriate data protection from third-party access.
For more complex or high risk data transfers, more in-depth assessments are required.
In all situations, should the TRA result in the conclusion that there are serious risks associated with the data transfer, these risks need to be remedied with additional safeguards to be included in the IDTA.
The consultation documents contain extensive overviews of potential risks, as well as elements that can contribute to a conclusion the risks are low.
The ICO also distinguishes between various types of data subjects in their risk assessments, including employees, patients, business contacts and consumers.
As is the case under the EU’s data transfer impact assessment, the conclusion could very well be that the data transfer entails risks that cannot be mitigated. If that is the case, the transfer may not continue or be started.
Furthermore, note that both the IDTA and the TRA need to be reviewed at least on an annual basis. If the situation has not changed, that should be a relatively straightforward process, but the review is mandatory.
Using the EU SCCs for data transfers originating in the UK
The third document up for consultation is an addendum that could be used in combination with the EU SCCs, in order to make them valid for the UK as well.
The ICO is considering creating similar addenda for model data transfer clauses from other jurisdictions as well, like New Zealand and the ASEAN countries.
Signing the addendum would “change” the language of the European Commission approved SCCs when the clauses are relevant for the UK, obviously without really changing the wording of the contract valid in the EU.
If the addendum is indeed approved, this would be a very business-friendly way to extend the scope of transfer agreements that have been negotiated, signed and executed to also encompass the UK without a lot of extra work.
Documents referenced in this blog are subject to a consultation by the ICO. The consultation questions are available in a separate document released by the ICO. Responses can be provided until 7 October 2021, 5pm BST.
The final versions of the transfer documentation will be developed based on the consultation responses.