The ICO wants input on when personal data goes international


You don’t have to be a data-focused IT service provider to realize that the UK was lucky enough to receive an adequacy decision from the European Commission. The grant on June 28, 2021 means that personal data from the European Economic Area can fortunately be transferred to the United Kingdom without additional guarantees.

However, transfers to countries that the European Commission has not deemed adequate are not that easy, and it is in this more complicated area that contractors and other British companies now have a say with the Information Commissioner, if only until October 7, 2021, writes Anthi Pesmazoglou, legal advisor at Gerrish Legal.

So far, UK companies have relied on the old Standard Contractual Clauses when transferring data outside of the UK. However, these “SCCs” (in particular decisions 2001/497/EC and 2010/87/EU) were only recently repealed due to the Schrems II ruling of July 2020. With this ruling, the European Court of Justice invalidated the EU-US data exchange agreement “Privacy Shield” on the basis that the USA, under its surveillance laws, did not offer data protection equivalent to that under EU law. Therefore, the ICO is now looking to set up new international transfer mechanisms for restricted transfers outside the UK.

New security measures for British data streams – a blessing or a curse?

The Information Commissioner’s Office had originally announced that it would create a replacement for SCCs in May 2021 after the United Kingdom left the European Union.

The process has progressed rapidly, and the ICO’s consultation on the draft International Data Transfer Agreement (IDTA) is now open. The consultation, published a few weeks ago, is relevant to many parties, especially freelancers, consultants and contractors who transfer personal data from the UK abroad or provide services to UK organizations.

To help inform your potential contribution, the ICO has stated the following:

“We recognize the importance of the international flow of data to the UK digital economy and are committed to maintaining high standards of data protection for individuals’ personal data in transit outside the UK.”

Just what you’ve been waiting for, contractors: an IDTA – another contract

Remember, when companies here send personal information outside of the UK, they need to make sure that people’s privacy rights are still protected. An IDTA is a contract that organizations can use in transferring data to countries not covered by adequacy decisions and will replace the current SCCs.

The ICO consultation is divided into three sections that offer a range of suggestions and options, in particular:

  • Proposal and plans for updates to the guidance on international transfers.
  • Transfer risk assessments.
  • The international data transfer agreement.

The consultation’s big question (which we should all answer)

If contractors, whether they specialize in data or not, think about only one thing, it should be this: the consultation asks whether it would be helpful for the ICO to approve an addendum that allows the use of the EU Standard Contractual Clauses for transfers of personal data from the UK.

In our view, this issue alone is important enough to warrant a response to the consultation, even if UK organizations (almost regardless of size) do not comment on the other points of the ICO.

The ICO also seeks views from stakeholders in various industries, including civil society groups and corporate organizations, on relevant data protection rights and on legal, economic or political considerations and implications. The ICO is looking for feedback on:

  • the interpretation of Article 3 of the UK GDPR, i.e. the extraterritorial scope of the UK GDPR; and
  • the interpretation of Chapter V of the UK GDPR which governs restricted transfers from the UK.

Additional UK and non-UK connections to be considered

Other questions that respondents are asked to address include whether the UK GDPR should necessarily apply to the overseas processor or joint controller of a UK-based controller; when a restricted transfer is considered to take place (e.g. whether this would include a UK processor returning data to a non-UK controller); and finally, the application of the UK GDPR Article 49 exemptions, including the extent to which the exemptions can be invoked.

Note that the IDTA (which will replace the current SCCs for transfers of personal data from the UK) will cater for different types of transfer arrangements, with several options to choose from depending on the transfer.

Interestingly, the ICO has proposed that the new EU SCCs published by the European Commission in June 2021 could be used as an alternative to the new IDTA for transfers of personal data from the UK, subject to the use of a “UK Addendum”.

The UK Addendum replaces provisions from the EU data protection regime with references to UK law and addresses issues such as applicable law and the choice of forum and jurisdiction for disputes. This can be useful for many controllers and processors who transfer personal data from both the UK and the EEA, as it essentially allows them to use one set of clauses for their data transfers (with the UK Addendum added for transfers from the UK), rather than having to use both the EU Standard Contractual Clauses and the UK IDTA (if adopted, and before that the existing Standard Contractual Clauses for transfers of personal data from the UK).

Finally, some practical tips for contractors and freelancers

For UK contractors who want to make sure they haven’t missed the key takeaway from this not-easy area and the direction of this not-easy consultation, it is important to ensure that all of your privacy records are up to date, including contracts with suppliers or customers based abroad who may process or pass on personal data on your behalf.

In addition, contractors should ensure compliance with data protection obligations in all other cases where their operation or scope of work involves the transfer of data outside the UK. In many cases, data transfers are covered by “adequacy”. As we said at the beginning, that’s lucky. However, contractors should take into account that this adequacy status is only valid for a period of four years. So it is not out of the realm of possibility that it could be challenged before that deadline – especially since it was not a welcome change in the eyes of everyone, especially those who criticize UK national security laws.

The ICO’s work on IDTAs and its consultation are a requirement under s119A of the Data Protection Act 2018 (UK GDPR). The consultation will include the final documents that the ICO will submit to the UK Parliament. The office says the consultation will remain open for feedback until 5:00 p.m. on October 7, 2021, and we encourage contractors to get involved or contact us if they have any personal or professional privacy questions.