To keep you up-to-date on the latest data protection developments, we look at the latest position on international transfers in light of the new standard form agreements published by the ICO.
Alexandra Gill: Hello my name is Alexandra Gill and I am a Senior Associate specialising in data protection at Gowling WLG.
Today I will give you a refresher on international data transfers from a UK data protection perspective.
The UK GDPR regulates the transfer of personal data from the UK to other countries. The European Data Protection Board have clarified that a transfer of personal data will occur when a data exporter who is subject to the GDPR transmits or otherwise makes available personal data to a recipient who is based in a third country. This means that if an overseas entity has access to personal data, for example through an online portal, then this is likely to constitute a transfer for the purposes of the data protection regime.
Article 44 of the UK GDPR sets out the framework by which data can be lawfully transferred. In short you are permitted to send data to third countries provided that you comply with one of three conditions. These conditions are:
- Ensuring that the data importer is based in a country with an adequacy decision. In practice, this will be any country which has been deemed by the UK Secretary of State as providing an equivalent level of protection to data subjects regarding their personal data. The UK Information Commissioner's Office has published a list on their website, but it should be noted that the US is not currently on this list.
- Putting in place a data transfer mechanism such as binding corporate rules or standard contractual clauses. This option is useful when you have routine and systematic transfers of personal data. However, recent changes to standard contractual clauses have complicated this landscape as we will cover briefly later.
- Finally, you might want to consider whether there are any exceptions which apply such as consent of the data subject or where the transfer is necessary to perform a contract between the data subject or on the data subject's request. Whilst these exceptions may be useful in practice they won't always be helpful where you have to routinely share data to a recipient.
So what does this mean in practice?
Firstly if you are a UK company exporting data to another UK company you don't need to worry. This will not constitute a transfer for the purposes of the data transfer regime. Likewise, if you are sending personal data to Europe, the EEA or European Economic Area or any of the other countries with an adequacy decision then no further action is required. However, if you are regularly sending data to any other third country you will need to consider binding corporate rules or standard contractual clauses or another derogation.
As I mentioned, both the European Commission and the UK Secretary of State have published new versions of the standard contractual clauses. The European version became effective from 27 June 2021 and replaced the previous set of SCCs, which needed updating to reflect both the GDPR and case law.
Data exporters and importers who are subject to the EU GDPR have until 27 December 2022 to re-paper all existing contracts with the new EU version. Now the EU version is more flexible in catering for different scenarios, including processor to processor and processor to controller transfers. It also allows new parties to accede to the clauses via a docking mechanism.
Crucially, it also contains a warranty given by the exporter that it has no reason to believe that the applicable laws of the importer's country would prevent the importer from complying with the clauses. This warranty is a nod to the Schrems II decision, which was a pivotal case decided in 2020 by the European Court of Justice, and reinforces the need for data exporters to now undertake a transfer risk assessment prior to making any restricted transfer.
The new UK versions of the SCCs came into force on 21 March 2022; however, guidance is still yet to be published by the ICO on how they are intended to be used. There are now two versions of the new UK SCCs. The first is a UK addendum to the EU's new SCCs; this addendum effectively sits at the front of the EU's new SCCs and makes certain changes to ensure that the EU version is integrated into UK law.
The other option is called the International Data Transfer Agreement, or IDTA, which is a brand new document prepared to comply with the UK's data transfer regime. Data exporters and importers who are subject to the UK GDPR have until 21 March 2024 to repaper all existing contracts with one of the new UK versions.
Now in the absence of UK ICO guidance and given the complexity of this topic we cannot at this stage provide any substantive commentary on the new UK regime, save for the following points: on the face of it the UK's version appears to be more user-friendly, easier to execute and more flexible than the new EU SCCs. There is also a generous transitional period to allow businesses to repaper their existing transfers and replace the old set of SCCs with the new ones. However, this also introduces complexity including a timing mismatch between the EU's longstop date for repapering being much sooner than the UK's. Furthermore any deficiencies in the new EU SCCs will also be replicated into the UK version.
Now, you may recall that I mentioned that the US is not on the list of adequate countries. This is because the framework which governed transfers to the US, known as Privacy Shield, was held by the European Court of Justice in the case of Schrems II to be invalid due to concerns that the laws and practices of the US allowed US security agencies to have indiscriminate access to personal data. From this the CJEU held that exporters should assess the risks associated with the laws and practices of an importer's country. Exporters are therefore now expected by regulators to undertake a transfer risk assessment to assess and document the risks and mitigations associated with the proposed transfer.
The UK ICO has prepared a draft TRA tool to help businesses identify the risks. Whilst still in draft, this tool provides an indication of the ICO's direction of travel, particularly around assessing the risks associated with an importing country's laws and practices. The TRA tool sets out a list of factors which exporters must consider when assessing the laws and practices of the destination country. These include factors to assess whether the transfer mechanism is in itself enforceable, such as whether the country recognises the rule of law and whether there is ready access to justice through the court system. It also provides for factors which might increase the risk of harm to individuals, including the nature of the data itself and the processing activities being undertaken.
The TRA tool then, helpfully, suggests factors which should be taken into account to mitigate those risks; these include whether the importer is a reputable global company or is otherwise regulated. Now whilst this process sounds horrendously onerous, it is important to remember that the data protection regime is subject to the principle of proportionality. Parties should take a risk-based approach. The tool confirms that it is not about assessing whether the laws of the importing country are identical to the UK GDPR, but rather what the key principles are which determine whether the transfer mechanism is enforceable, for example considering the rule of law.
When working out this point, the onus should therefore be on the processors to provide analysis of the local law, as the processor themselves is better placed to provide this information. Therefore some of the costs of this will be put on the processor, which should also be reflected in the agreement with the processor.
Exporters will also need to put in place supplementary measures to mitigate any technical risks associated with the transfer; these include access controls and contractual safeguards.
And finally to wrap up, here are some practical tips:
- It is important to revisit your current data maps to understand where your organisation's data is going to and from.
- You should also identify existing and new restricted transfers, considering how they comply with the data transfer regime.
- Identify which transfer mechanisms can be relied on for new transfers.
- Start to consider the practical implications of repapering existing transfers.
- Undertake a transfer risk assessment having regard to the ICO draft TRA tool.
- And remember that this does not exist in a silo. Other countries are now implementing their own legal and regulatory requirements to govern the collection and onward transfer of data so you should consider how you comply with other jurisdictions and laws.
Thank you for watching, I hope that you found this useful.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.