International transfers of personal data are a functional reality for most organisations, particularly for those who operate remotely or use cloud services – all the more common in current times.
However, this area has been in a state of flux, with case law requiring that organisations undertake more detailed risk assessments than ever before (the “Schrems II” case), and the European Commission issuing new standard contractual clauses to safeguard personal data being transferred to “third countries”.
In the UK, the ICO has had the opportunity to start from scratch. Although Brexit retained the overarching framework of the GDPR (for now, at least, pending the responses to the DCMS’ consultation “Data: a new direction”), the new EU SCCs arrived too late to be considered an adequate safeguard for transfers out of the UK.
The ICO has therefore recently carried out their own consultation, going further than just the form of agreement, asking respondents for their views on:
- key areas of uncertainty around what constitutes a transfer;
- a new set of standard data protection clauses, to be known as the model International Data Transfer Agreement (IDTA);
- an example UK addendum which amends the new EU SCCs to work in the context of UK data transfers; and
- a transfer risk assessment (TRA) tool.
Once approved, organisations transferring personal data to countries:
- outside the UK or EEA; and
- which the UK has not confirmed as providing adequate protection for personal data
will be able to rely on either the IDTA or the UK Addendum to provide appropriate safeguards under the UK GDPR. It’s expected that they will be laid before Parliament in December or January. If after 40 days they have not received any objections, they will enter into force.
Until then, organisations subject to the UK GDPR who transfer personal data internationally will need to rely on existing appropriate safeguards (e.g. the old EU SCCs, amended to account for Brexit).
Once the ICO’s new guidance and documents have been approved, UK organisations will need to decide whether to use the IDTA or the UK Addendum.
Historically, transfer agreements may have been treated by some as an administrative exercise, but they are legally binding contracts and should be considered carefully.
The convenience (and consistency) of the UK Addendum and EU SCCs across a global enterprise might be an appealing thought, but UK-based organisations should use this interim period, before the new UK safeguards are approved, to consider which of these contracts will offer them the most flexibility and security going forward, particularly bearing in mind any potential future legal divergence from the EU.
Since the Schrems II case, data exporters need to carry out (and document) a transfer risk assessment, identifying and assessing the risks posed to affected individuals whose personal data is being transferred, looking at the laws of the recipient jurisdiction and in particular any attacks on an individual’s right to privacy (such as government surveillance).
The Transfer Risk Assessment Tool from the ICO is the most detailed and practical guidance for how to carry out this assessment issued by a regulator in connection with the GDPR, albeit the UK GDPR. Organisations can use it as a tool in its own right, but also as a benchmark to inform their risk appetite for personal data transfers going forward, and to support them in choosing appropriate additional safeguards for the transfers they undertake.
So far, the UK position remains consistent with that across the EU, and this practical guidance from the ICO should give organisations in the UK greater confidence that their regulator is both looking to provide greater clarity in some of these tricky areas, as well as supporting the rights of individuals in respect of their personal data.