The Information Commissioner’s Office (ICO) launched a consultation (which runs until 7th October 2021) about its future approach to international data transfers.
Now that the UK is no longer an EU member, the UK Government is looking to liberalise its approach to international data transfers. It has also recently announced plans to put adequacy decisions in place with several countries for which the EU has no such decision, such as Colombia, the US and Kenya.
Overall, the ICO has indicated that it wants to take a pro-business approach to data protection. It has released, and is seeking views on, the following:
- A Transfer Risk Assessment (TRA) tool, which allows for a more holistic and straightforward approach to data transfers;
- Its own Standard Contractual Clauses (SCCs) for UK organisations, which it may amend to follow the modular approach of the EU SCCs;
- An addendum to the European Commission's SCCs, which can be bolted on to an existing contract rather than requiring separate contracts to be drafted.
Transfer Risk Assessment
The TRA tool is the UK equivalent of the EU's Transfer Impact Assessment (TIA) and must be completed before an International Data Transfer Agreement (IDTA) is put in place. It consists of three steps:
- Assessing the transfer (including using risk-based matrices to assess the scope of the data and the activities subject to the transfer);
- Considering whether the IDTA is likely to be enforceable in the destination country;
- Considering whether the data is appropriately protected against third-party access (including holistic considerations, such as the rule of law and human rights position in the destination country).
The ICO has also clarified that organisations may use tools other than the TRA, so an organisation that has already conducted EU TIAs for its transfers need not duplicate that work.
International Data Transfer Agreements
The IDTA is proposed as the UK equivalent of the EU SCCs. Like the UK's existing SCCs, it takes a box-like structure, meaning it is organised into tables rather than the paragraphs used in the EU SCCs. It consists of four sections:
- Tables – These cover the details of the transfer, e.g. the parties involved, the purpose of the transfer and the scope of the relevant data. There is a single agreement with options to be selected (for controller-to-controller, controller-to-processor and processor-to-controller situations) rather than the EU SCCs' modular approach;
- Extra protection clauses – These include security and other controls, and can be excluded if the TRA does not identify a need for additional safeguards;
- Commercial clauses – These are optional commercial clauses that can be added if there is no other agreement in place between the importer and the exporter;
- Mandatory clauses – These set out each party's responsibilities and obligations for the transferred data, including the requirement to respond to data subject requests, data breach obligations and the application of appropriate safeguards.
Despite the UK Government's light-touch approach, the new UK clauses are more stringent than the old ones and provide further safeguards on international data transfers. For example, the IDTA must be made available to data subjects on request, and data subjects have enforceable rights under it.
The ICO is also seeking views on the bolt-on clauses it has developed, which act as an addendum to any EU SCCs used between the parties and extend them to cover transfers from the UK. As a result, a company subject to both the EU and UK GDPRs that uses EU SCCs to send data to a US-based cloud provider can rely on the addendum to cover the same transfers from a UK GDPR perspective. This should save organisations subject to both regimes significant time that would otherwise be spent drafting separate addenda for the same requirements.
Consultation on Transfer and Jurisdictional Requirements
The ICO also separately invites views on some contentious topics relating to Art. 3 (extraterritorial effect) and Chapter V (restricted transfers) of the UK GDPR. These include:
- Transfers within a single organisation – the ICO's position is that a 'restricted transfer' occurs only where data is sent between two separate legal entities, and therefore not where data is accessed by an organisation's own staff or branch office abroad.
- Whether a non-UK processor acting for a controller subject to the UK GDPR is itself automatically caught by the UK GDPR – the ICO's view is that this depends on whether the processing is carried out "in the context of the activities of" a UK-based controller.
- Transfers to an organisation based outside the UK but itself subject to the UK GDPR – the ICO considers that sending data to an organisation that is already "subject to the UK GDPR" is not a 'restricted transfer'.
- Transfers from a processor back to a non-UK controller – the ICO considers that where a processor returns data to its overseas controller, no restricted transfer has occurred, because the processor cannot be regarded as 'authorising' the transfer.
This guidance addresses situations that particularly affect multinational or complex group structures, and will provide welcome clarity on where the UK GDPR applies and when a restricted transfer is deemed to occur.
Timeline and Summary
The consultation closes on 7th October 2021. The final documents will then be laid before Parliament for approval and are therefore not expected to be in force until 2022.
The IDTA would come into force 40 days after the ICO lays it before Parliament. Under the proposed transition period, organisations would no longer be able to enter into the old SCCs for new international transfers from three months after that date, and all existing contracts based on the old SCCs would have to be replaced with the IDTA within a further 21 months.
The new IDTA, SCC addendum and related measures combine pragmatism with more stringent, risk-based controls on international data transfers. If introduced, they will provide much-needed clarity on the level of transfer safeguards required, and will help future-proof the controls of organisations with cross-border operations.