On August 11, 2021, the UK Information Commissioner's Office (ICO) launched a public consultation on its draft international data transfer agreement and accompanying guidance. The consultation comes two months after the European Commission adopted new EU Standard Contractual Clauses (EU SCCs) and the European Data Protection Board published its final Schrems II guidance. The EU SCCs do not apply automatically in the UK now that it has left the EU, and the ICO has not yet formally recognized the EU SCCs as a valid transfer mechanism under the UK GDPR.
To address this uncertainty, the ICO is now consulting on introducing its own form of SCCs, to be known as the International Data Transfer Agreement (IDTA), and on issuing a UK addendum that can be used with the EU SCCs. The ICO is also consulting on its own form of UK Schrems II transfer assessment, which it calls a transfer risk assessment (TRA).
Organizations transferring personal data from the UK to third countries should review the consultation and consider carefully how to incorporate the ICO's proposed position into their wider Schrems II data transfer project, including the proposed TRA and the use of the proposed IDTA.
The ICO has indicated that the main purpose of the consultation, which closes on October 7, 2021, is to understand the practical implications of its proposed approach for affected organizations, and it has accordingly sought feedback from a range of stakeholders, including data protection practitioners, multinational companies, SMEs and lawyers.
The consultation is divided into three sections as follows:
- Proposals and plans for updating the guidance on international data transfers: The ICO has proposed additional guidance on:
- the interpretation of the extraterritorial effect of Article 3 of the UK GDPR, which in turn affects the definition of a "restricted transfer" under the UK GDPR. In particular, the ICO is examining whether the following three scenarios would always be subject to the UK GDPR: (a) processing by an overseas processor (e.g. in the US) on behalf of a UK-based controller; (b) processing by an overseas processor on behalf of an overseas controller that is directly subject to the UK GDPR (i.e. under UK GDPR Article 3(2), for offering goods or services to, or monitoring, individuals in the UK); and (c) processing by an overseas joint controller where the other joint controller is subject to the UK GDPR. For each scenario the ICO has set out two options and certain points for stakeholders to consider; and
- the interpretation of Chapter V of the UK GDPR, and in particular the definition of a restricted transfer under the UK GDPR. Here the ICO invites comment on five points: (a) whether a transfer from one legal entity to another is required for a restricted transfer to take place; (b) whether a UK GDPR processor can make a restricted transfer only to its own overseas sub-processors, or also to a non-UK GDPR processor; (c) whether, for a transfer to be a restricted transfer under the UK GDPR, the importer's processing must not itself be subject to the UK GDPR; (d) updates to the ICO guidance on the UK GDPR Article 49 derogations, including whether the term "necessary" should in fact be read as "strictly necessary"; and (e) guidance on how to use the IDTA in conjunction with the UK GDPR Article 49 derogations. On point (c), the ICO has in the past taken the position that the importer's processing must not be subject to the UK GDPR for a transfer to qualify as a restricted transfer, but it has indicated that it does not intend to continue this approach.
- TRA: The ICO has drafted a transfer risk assessment tool (TRA tool). The TRA tool combines TRA guidance with tables that organizations can use to help decide the level of risk involved in making routine restricted transfers in reliance on an IDTA. The TRA tool consists of three steps: (i) assess whether the TRA tool is suitable for the restricted transfer (i.e. whether the transfer is routine and not high risk); (ii) assess whether the IDTA is likely to be enforceable in the destination country: if "yes", go to step 3; if "no", carry out a supplementary risk assessment of whether this creates a risk to the protection of the data and whether additional steps or safeguards could reduce that risk; and (iii) assess whether the personal data is adequately protected from third-party access. The ICO has made clear that the TRA tool is "just one method of carrying out a risk assessment" and is intended only for routine international transfers.
- IDTA: The ICO has published a new draft of Standard Data Protection Clauses, which it says will be referred to as the Model IDTA and will replace the existing UK Standard Contractual Clauses (UK SCCs). As part of the draft IDTA (on which we comment below), the ICO proposes to publish various templates for organizations to use, including optional commercial clauses for inclusion in the IDTA, a multi-party IDTA, and an example of a completed IDTA (and TRA).
Separately, the ICO is considering issuing the IDTA in the form of an addendum to model data transfer agreements from other jurisdictions. As an example, the ICO has published a UK GDPR addendum to the new EU SCCs. The addendum makes certain changes to the EU SCCs, for example replacing references to the EU with references to the UK. The proposed addendum will no doubt be welcomed by multinational organizations that transfer data from both the EU and the UK and have until now faced two separate sets of clauses.
Finally, the ICO has asked for feedback on its proposal to retire the old SCCs (i.e. those adopted under the former EU Data Protection Directive), essentially setting a long-stop date around 25 months after the IDTA is approved by the UK Parliament.
IDTA vs. EU-SCCs
Below we have listed some of the key differences and similarities we found between the draft IDTA and the recently adopted EU SCCs:
- Format of the IDTA: The IDTA (which does not follow the same format as the EU SCCs) consists of four parts: (i) Tables, which set out the details of the transfer (similar to the annexes in the EU SCCs, but more detailed), although the table format is not mandatory; (ii) additional safeguard clauses, i.e. additional measures to be taken where the TRA finds that there is no essential equivalence in the destination country; (iii) commercial clauses, for example referring to linked agreements (see below); and (iv) mandatory clauses, which must be included in full and without amendment.
- Multiple transfer scenarios: As with the EU SCCs, the IDTA covers four data transfer scenarios: (i) controller to controller, (ii) controller to processor, (iii) processor to processor and (iv) processor to controller.
- Multiple parties: As with the EU SCCs, multiple parties can sign up to the IDTA, and the ICO confirms that such a multi-party IDTA "can appoint someone to make decisions on behalf of everyone". A template is again provided in Chapter 5 of the IDTA.
- Schrems II transfer impact assessment: Unsurprisingly, and as with the EU SCCs, the IDTA requires a Schrems II TRA to be carried out before a restricted transfer is made, and the parties must give representations in respect of that assessment similar to those in the EU SCCs.
- Article 28 data processing provisions: Unlike the EU SCCs, the IDTA does not contain the Article 28 data processing provisions. Instead, the IDTA allows organizations to refer to "Linked Agreements" (e.g. existing data processing agreements). In the event of a conflict between the IDTA and a linked agreement, the IDTA prevails.
- Liability: Under the IDTA, each party is fully liable for all damage suffered by any person unless it can show that it is in no way responsible for the event giving rise to the damage.