ICO's proposals on UK international transfers may be simpler than the EU's approach but nevertheless remain onerous
20 October 2021
This is a laudable objective but how far it can really be achieved is unclear, given that the ICO’s hands are tied by the terms of the UK GDPR and by the Schrems II ruling from the CJEU, which remains a part of UK case law. The ICO’s proposed transfer risk assessment tool runs to approximately 38 pages and its proposed template data transfer agreement runs to approximately 43 pages. Even without the surrounding guidance, managing significant international transfers from the UK remains a daunting prospect for any business, let alone an SME, for some time to come.
The UK Government’s recent public consultation on the future of the UK’s data regime – and recent statement on adequacy and international transfers, including that, “The UK is already a highly connected hub for data flows and consulting on reforms to UK data law will help build on this strength” – holds out the promise of simplifying the UK law on international transfer. But any fundamental change will be a long way off. For the foreseeable future the underlying legal requirements for international transfers post-Brexit remain as complex and burdensome as ever. The ICO’s proposed tools and guidance (contained in the recently closed consultation) will – if adopted – undoubtedly help businesses to navigate their way through this complexity and go some way towards alleviating the burden on them but there is only so much that tools and guidance can achieve, without a change in the law.
The ICO’s consultation was split into three sections:
- Proposal and plans for updates to guidance on international transfers.
- Transfer risk assessments.
- The international data transfer agreement.
The “international data transfer agreement” is in fact the UK’s version of standard contractual clauses (SCCs). Just why the ICO chose to depart from the wording in the UK GDPR which refers to “standard data protection clauses” and the commonly used and well-understood term “standard contractual clauses” was not specified in the consultation but it seems intended to make the term more understandable to those less familiar with the legislation. It remains to be seen whether adopting different and, to many, unfamiliar terminology creates more confusion.
Addendum to the EU SCCs
As part of its proposals on the International data transfer agreement (IDTA) the ICO is considering whether to issue an IDTA in the form of an addendum to what they term “model data transfer agreements” from other jurisdictions. Perhaps unsurprisingly this was the aspect of the ICO’s proposals that was most welcomed by businesses, at least by those businesses that have operations that fall within the scope of the EU GDPR as well as the UK GDPR and which have therefore had to become familiar with the new EU SCCs. The ICO also refers to the New Zealand and the ASEAN (Association of Southeast Asian Nations) agreements in this context as well as to the EU SCCs but the first two appear to be included largely for presentational reasons. All interest will be in the possibility of using a simple addendum to the EU SCCs to validate transfers from the UK.
Notably, it is only in relation to the EU clauses that the ICO goes so far as to provide the text of its proposed addendum. This addendum is relatively short and simple, and mainly just replaces EU specific terms and EU jurisdictions by UK ones – though it does not explicitly identify all provisions requiring amendment, which creates a degree of both flexibility and uncertainty. If adopted it should go a long way towards limiting the additional burden placed on those businesses that will, in any case, be moving to the Commission’s new SCCs for their EU transfers. The addendum allows parties to apply consistent terms and standards across both EU and UK transfers. However, questions will remain (subject to the wording of the final addendum) as to how parties can incorporate the EU SCCs effectively to ensure they apply to UK transfers appropriately. In the event of conflict, the provisions that provide “the most protection to data subjects” will have precedence. If there is significant divergence between the UK and EU regimes, the interpretation of these provisions in the SCCs may not necessarily align with the relevant interpretation under UK data protection laws.
The prospect of addenda ever appearing for New Zealand, the ASEAN and perhaps other jurisdictions seems much less certain. Any such addenda would need to be much more extensive than the one proposed for the EU SCCs given how far short of the GDPR standard on international transfers the equivalent provisions of the relevant countries’ laws fall. This is particularly so in relation to assessing the risks of access to the transferred data by a third country’s public authorities in the light of the Schrems II ruling. In any case, it is uncertain how much demand there might be from business users for any non-EU addenda.
The International Data Transfer Agreement (IDTA)
Despite its length, the proposed IDTA – if adopted – will be an important tool for businesses subject to the UK GDPR. There is a limit to how far any simplification can go given that the underlying law on international transfers is (currently) essentially no different despite the UK now having left the EU. This means that both the Schrems I ruling, i.e. that adequate protection must mean “essentially equivalent” protection, and the Schrems II ruling on the ability of public authorities to access transferred data, and the related rights of individuals, must be taken into account in any tools used for transfers from the UK. Despite this, the ICO appears to have found a more flexible and user-friendly approach to delivering the required level of protection through SCCs than anything that has so far emerged from the EU.
Flexibility is provided through one set of terms that can be applied, as appropriate, to a wide range of transfer scenarios. These include not just transfers from one controller or processor to another controller or processor but also transfers from a controller or processor to someone who is neither a controller nor a processor (nor a sub-processor). Although there are extensive mandatory clauses, which can only be adapted so that they fit with the other terms of the agreement, there is flexibility as to how these are incorporated into the full transfer agreement. There is then scope to add commercial clauses (and applicable processing terms between a controller and processor that govern the transfer), although these must not inadvertently reduce the level of protection provided by the mandatory clauses. Extra protection clauses may also be added. The ICO even goes so far as to say that, following the consultation, it might provide some standard but optional commercial clauses in an effort to further assist businesses. Additionally, the use of optional tables and tick boxes through which basic details (such as the nature of the data transferred) can be specified help to make the documentation user friendly.
However, organisations should be mindful that the IDTA differs from the SCCs in key areas – which may influence whether or not to rely on the IDTA or the addendum (if applicable). For example, the mandatory clauses in the IDTA do not (and are not intended to) satisfy the requirements in Article 28(3) UK GDPR. This differs from the SCCs, which explicitly confirm that the clauses, when between a controller and processor, fulfil the requirements of Article 28(3) EU GDPR. It is also notable that the IDTA implies that only the exporter is required to conduct and document a transfer risk assessment, whereas the SCCs require both exporter and importer to carry out the adequacy assessment. Other distinctions in approach from the SCCs include the extent to which importers are required to challenge public access requests to data, and the imposition of a contractual requirement to review the IDTA periodically (the ICO guidance indicates this review should occur at least annually or more often if the data is very high risk).
One question that businesses will be asking is for how long they will be able to continue to rely on the existing EU SCCs for transfers under the UK GDPR once the ICO’s IDTA has been formally adopted. The ICO’s proposal is that there will be a relatively generous two-year lead-in period. The final version of the IDTA will have to be laid before Parliament, and the timetable for this is uncertain, but it might be reasonable to assume that this will happen early in 2022. If this is correct, businesses will then have until early 2024 to transition from the EU SCCs valid for transfers under UK GDPR, to the UK IDTA in respect of ongoing transfers. However, for any new transfers they will have to default to the IDTA within a matter of a few months.
Transfer Risk Assessment (TRA)
Certainly, the ICO’s proposed tool offers practical support to businesses that goes well beyond anything in the EDPB’s published recommendations on measures that supplement transfer tools (01/2020). It also differs from the EDPB’s recommendations and related guidance in some other significant respects:
- Whereas the EDPB’s recommendations focus mainly on assessing the third country’s legal regime surrounding access to the transferred data by the third country’s public authorities, the ICO’s proposed tool considers two aspects relevant to the transfer and jurisdiction as a whole. For example, as well as the risks around access by public authorities (i.e. the risk and likelihood of access, and the risk of harm to individuals arising from such access), the ICO’s tool requires an assessment of whether the IDTA will be enforceable in the destination country. How easy this step will be, particularly for smaller businesses, is unclear considering the assessment may require specialist advice (including potentially local counsel input) on the enforceability of UK judgments or foreign arbitration awards in the destination country.
- The choice of the designation “Transfer Risk Assessment” rather than “Transfer Impact Assessment” appears to be indicative of the ICO’s thinking. As the term suggests, the ICO’s tool has a more explicit focus than the EDPB’s recommendations on the risks that the transfers in question pose to data subjects in practice rather than simply on whether the laws and practices of the destination country are out of step with the values of a democratic society which, in the EU’s case, are represented by the fundamental rights and freedoms in the EU Charter. In several places, the ICO’s tool makes clear that if, for a specific transfer, the risks to data subjects are sufficiently low the transfer can take place based on the IDTA regardless of the destination country’s more general laws and practices. In fact, the tool goes so far as to say that an assessment of the destination country’s regime for managing when access to data by third parties can be required and the safeguards for individuals does not need to be carried out at all if either, “the possibility of third-party access, including surveillance, is minimal” or, “if third-party access, including surveillance, did take place, the risk of harm to data subjects is low”.
- The ICO appears to take a more relaxed view than the EDPB about what might constitute an acceptable regime for access by public authorities in the destination country. It takes the view that, “Allowing third party access, including surveillance, is an important part of the checks and balances and protections in a country. It is one of the ways that we recognise the balance that has to be struck between fundamental rights (such as privacy and freedom of expression) both against each other and against the wider needs of society. Countries have significant discretion in how they balance these rights.” The ICO therefore places emphasis, not so much on the extent to which third party access may be permitted by local law, but more on the extent to which this permitted access is subject to safeguards that are sufficiently similar in their objectives to those that are applicable in the UK, for example robust regulation of compliance with the law by public authorities in respect of their surveillance activities.
The ICO’s Guidance on International Transfers
The ICO is also consulting on two aspects of its guidance on international transfers. These are its interpretation of the extra-territorial effects of Article 3 of the UK GDPR and its interpretation of Chapter V of the UK GDPR, particularly in so far as it relates to the ICO’s concept of a “restricted transfer”. It is unusual for the ICO to be consulting on its interpretation of the law. Generally, the regulator can be expected to come to its own view of the meaning of the law taking into account the purpose of the law, any relevant case law and the intentions of the legislator coupled with a degree of pragmatism. Essentially the regulator is coming to its own conclusions on the approach the courts would be likely to take were a relevant case to come before them.
Of course, the regulator’s interpretation can then be challenged in the courts but a court would not conduct a public consultation before coming to a decision. It is therefore surprising to see the ICO seeking the views of those who may well have a vested interest in one interpretation or another before deciding on what it believes to be the correct meaning of the law. Perhaps the driver here is the lack of clarity in the underlying legislation and the challenges that this poses for the ICO in confidently coming to its own agreement on what the intention behind the relevant provisions would have been. The underlying legislation, the UK GDPR, is derived from the EU regulation and a certain lack of clarity in its drafting can pose challenges in interpretation.
Essentially, there is a mismatch between Article 3 of the UK GDPR, which extends its territorial scope well beyond the borders of the UK, and the international transfer provisions of Chapter V which fail to acknowledge this extra territorial effect. Thus, the articles regulating international transfers make no provision for the possibility of the UK GDPR applying directly to processing of personal data that takes place in a third country nor that such overseas processing can be caught by the UK GDPR without there necessarily having been any prior transfer of the personal data in question from the UK. The EDPB has, for a long time, been trying to square this circle, in the context of the EU GDPR, but its promised guidance on the subject has so far failed to emerge. The ICO has also attempted to resolve the problem, at least partially, by introducing the concept of “restricted transfers” and, by implication, unrestricted transfers into its guidance. Unrestricted transfers are those where the personal data remains directly subject to the UK GDPR once it reaches the destination country. This concept of restricted and unrestricted transfers is an area of interpretation in the ICO’s consultation.
However, the ICO’s interpretation was never endorsed by the EDPB in relation to the EU GDPR and now looks increasingly difficult to sustain in the light of the Schrems II ruling. The ICO’s proposition, put simply, is that if the personal data is protected by the UK GDPR in the destination country, it does not need any further protection and therefore the restrictions on international transfers and the accompanying requirements for safeguards set out in Chapter V do not apply. However, it is hard to find any basis in the wording of Chapter V for such an interpretation. Furthermore, it appears to ignore the fact, highlighted by Schrems II, that even if the UK GDPR applies to the personal data in the third country they are no more or less at risk of access by the public authorities of that third country than they would be if the UK GDPR did not apply. There may be a good argument that, where the UK GDPR applies in the destination country, the full weight of an IDTA adds little value, even if it might be difficult to find a legal basis for concluding that neither this, nor any of the other Article 46 safeguards, is required. It is hard though, following Schrems II, to see any legal or logical argument as to why a TRA would not be necessary, given that the transferred data will still be vulnerable to the surveillance regime in the destination country whether or not it continues to be protected by the UK GDPR. Ultimately, this could go so far as to require that the transfers in question are halted if sufficient additional safeguards cannot be provided.
The doubt arises because Article 3(1) of the UK GDPR provides that the UK GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor (as opposed to the controller or the processor) in the UK, regardless of whether the processing actually takes place in the UK. Thus, it can be argued that an overseas processor that processes personal data in the context of the activities of an establishment of any UK controller is caught by the UK GDPR rather than the more restrictive interpretation that the overseas processor will only be caught if the UK data controller is considered to be one of its establishments.
Perhaps surprisingly, even the EDPB has held back from the more expansionist approach in its interpretation of the EU GDPR. In its guidelines on territorial scope (3/2018) the EDPB merely says that, “Where a controller subject to the GDPR chooses to use a processor located outside the Union for a given processing activity, it will still be necessary for the controller to ensure by contract or other legal act that the processor processes the data in accordance with the GDPR.” It is hard to see what the ICO might gain from taking a more expansionist approach than the EDPB, particularly given the confusion that any lack of consistency in interpreting what is essentially the same regulation will engender. Furthermore, given that the ICO, on its current interpretation, would not regard the transfer from the UK GDPR controller to the overseas processor subject to the UK GDPR as a “restricted transfer”, there would be no requirement on the UK GDPR controller to put in place any transfer mechanism or to conduct a TRA. Thus, the level of protection for data subjects would potentially be lower than would be the case with the current, albeit more restrictive interpretation.
Similar arguments apply to the position of an overseas joint controller with a UK joint controller. It would be unhelpfully and unnecessarily expansionist for the ICO to conclude that processing by an overseas joint controller will inevitably be governed by the UK GDPR. As one of the ICO’s proposals (contained in the consultation) recognises, much will depend on the circumstances of each case, including whether or not the UK joint controller is an establishment of the overseas joint controller.
Some Final Thoughts
Now that John Edwards, the New Zealand Privacy Commissioner, has been announced as the UK Government’s preferred candidate to be the next UK Information Commissioner it might be instructive to consider the approach of New Zealand’s Office of the Privacy Commissioner to international transfers. This approach consists of step-by-step guidance accompanied by two online tools, a decision tree and a model contract clauses agreement builder, designed to help users generate their own agreement. The New Zealand guidance has been much praised for its simplicity and practicality. It will therefore be interesting to see if, once appointed, John Edwards pushes the ICO towards developing even more simple guidance and user-friendly tools. However, New Zealand law on international transfers is very much more straightforward than the equivalent provisions in the UK GDPR. John Edwards might therefore find that his scope to deliver such an approach is severely limited by the legal framework within which he has to operate.
Indeed, it is hard to see how the ICO’s approach could change very much without a change in the underlying law. As illustrated by the ICO’s consultation questions on its international transfer guidance, there is certainly scope for substantial simplification and greater clarity in the UK GDPR. It should also be possible to achieve this without reducing the practical rather than merely theoretical protection afforded to individuals. The UK Government has recently announced (via the DCMS consultation) its intention to reform the UK’s data laws, and in doing so has indicated that it will be doing this, “so that they’re based on common sense, not box ticking”. This may be encouraging for UK businesses but any significant change in the legal framework is nevertheless likely to be some years away.
In the meantime, businesses can perhaps take some comfort from the ICO’s statement in relation to the TRA that, “if you can show that you have used your best efforts in completing a TRA, whether or not you use this TRA Tool, if it later turns out that your decisions were not correct, we will take this into account in our likely approach to any breach of Chapter V UK GDPR.” As ever, the message is that the ICO is likely to take a sympathetic approach to those businesses that have made their best efforts to comply with their international transfer obligations, and can demonstrate that this is the case, even if ultimately the ICO may come to a different view. There is nothing so far to suggest that this pragmatism is likely to change under the stewardship of John Edwards.