Data Protection Law
IDTA or international data transfer agreements, after the current ICO consultation, are likely to be the new means by which organisations can transfer data out of the UK. On the 11th August 2021, the UK’s data protection regulatory body, the Information Commissioner’s Office (ICO) announced that it has launched a consultation on how organisations can continue to protect people’s personal data when transferring it outside the UK. This includes a draft ICO international data transfer agreement (IDTA), draft international transfer risk assessment and tool and updated guidance. You have until 5pm on 7 October 2021 to make your opinions on the drafts heard.
IDTA – Background
Many organisation’s will be scratching their heads after reading the above. Another round of guidance issued on international transfers? Another consultation on draft clauses? You could be mixing it up with the 4th June 2021 adoption by the EU of new Standard Contractual Clauses (SCCs) (read our blog: Data Transfer: EU Adopts New Model Clauses). The new EU SCCs brought long called for clarity on issues stemming from the fact that the old SCCs had been drafted before the implementation of GDPR. There are two key elements to the background of this new ICO consultation: Brexit and the European Court of Justice’s ruling in Schrems II.
With Brexit came the possibility for the UK to diverge from EU data protection laws. This is unlikely however, especially following the adoption of an adequacy decision by the European Commission on 28 June 2021. The adequacy decision allows data to flow freely from the EU to the UK. But it relies on the UK’s continued commitment to the obligations created by GDPR, as well as alignment on future developments in EU data protection rules (the adequacy decision will be automatically reviewed every four years).
Regardless of this willingness and incentive to remain aligned with the EU, the new EU SCCs will not apply in the UK due to Brexit, as with all new EU law, and so it was a natural progression for the UK to also adopt new clauses to reflect this change. Instead of SCCs, the ICO is calling this their international data transfer agreement (IDTA). Although the draft IDTA is in many ways similar to the new EU SCCs, there are also some differences. The changes are only really to do with the possible construction and use of the agreement rather than changing any of the actual obligations. An important way in which the ICO has followed the EU’s lead is by introducing measures reflecting the decision in Schrems II.
IDTA – Schrems II
The 2020 ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559, otherwise known as Schrems II, invalidated the EU-US Privacy Shield, essentially ending the free flow of data from the EU to certified organisations in the US. The ruling also introduced a new obligation on organisations transferring data out of the EU. It would now be necessary to undertake a risk assessment for such transfers.
In response to these developments, the ICO has published a lengthy draft international transfer risk assessment and tool. At the start of the guidance it states:
“The Schrems II judgment embedded risk assessments into the rules on international data transfers. The Court held that before you may rely on an Article 46 UK GDPR transfer tool to make an international data transfer, you must carry out a risk assessment, and this is therefore a requirement under UK data protection laws.”
The ICO guidance focusses on two key aspects of the laws and practices of the destination country. First, whether the IDTA will be enforceable in that country, as this goes to the heart of what it means to put in place contractual protections. Secondly, it considers the destination country’s regime which might require that the importer gives third party access to the data being transferred. The most likely third party will be a government surveillance department. It is important to highlight which third parties may have access because this could conflict with the terms of an IDTA, which seeks to control and confine data to the parties of the agreement. Knowing exactly which third parties and for what reason they may have access is essential for assessing the safety of international data transfers, as reflected in Schrems II which deemed overly invasive US government surveillance as the main reason for invalidating the EU-US privacy shield.
The draft risk assessment produced by the ICO is supposed to be used alongside an IDTA. It states that it is only really intended to be used for routine international data transfers and that more complex transactions will need a more complex bespoke assessment. Complexity may be introduced by the riskiness of the data being processed or the human rights record of the country to which data is being transferred. The assessment and guidance includes:
- There is no need for the country to which data is being transferred to have an identical data protection legal system but rather to reflect certain values.
- It could be good for a country to have surveillance laws because this implies that such surveillance is being regulated.
- There are examples to illustrate low, medium or high risk.
- It highlights the importance of being able to enforce the data transfer agreement. A jurisdiction in which obtaining judgment is seriously impeded will increase risk.
- The ICO states that if a risk assessment is undertaken, but such assessment turns out to be wrong, it will take into account the difficulty of carrying out such an assessment. Therefore, if the ICO deems an assessment to have been undertaken diligently, this will be reflected in any potential regulatory action.
The draft international data transfer agreement is bespoke to the UK. It is to be used when transferring UK personal data out of the UK. The improvements it makes:
- The tables at the start of the agreement allow the parties to input all the information peculiar to their agreement. This is a simple way of making sure all of the information needed is available from the outset. Once organisations are used to the tables, they should be very easy to fill out and so new relationships should be easy to facilitate.
- Unlike the new EU SCCs which provide a number of different modules, i.e. a number of different documents for different relationships such as a controller-to-processor agreement, processor-to-processor agreement etc., the new IDTA is a document which captures all such potential relationships. It does this by specifying that certain clauses do or do not apply to either processors or controllers or other third parties.
- The agreements can also easily be made multi-party or can be drafted to give one party the power to make decisions for everyone.
- The IDTA encompasses a wider range of relationships including transfers from a processor to a third party who is not a sub-processor, but some other third party, and transfers between joint controllers.
Using the EU SCCs
An important question which the new ICO drafts and guidance address is that of whether or not organisations can use the new EU SCCs to transfer UK personal data out of the UK. The answer to which is yes but on the condition that a “UK addendum” is added to any such agreement. The addendum will modify the parts of the EU SCCs referring to EU law and is flexible to further modification, within limits.
However, it is clear that the EU SCCs without modification will be insufficient and this is particularly concerning given that it will take a long time for the ICO to approve the addendum. Until the addendum is approved, data transfers to and from the UK and EU will have to be facilitated by different agreements. What is also clear is that the old SCCs will cease to be valid as they do not account for the provisions in GDPR or the ruling in Schrems II. The consultation proposes that the old SCCs should stop being used three months and forty days after the IDTA is laid before parliament. For existing data transfers that time period is extended to 21 months after the IDTA is officially approved.
It should also be noted that the draft addendum can be used to alter other data transfer agreements such as the New Zealand or ASEAN agreements.
IDTA – Make your voice heard
On the whole we think the proposals made by the ICO are sensible and should be supported, especially concerning the draft addendum to the new EU SCCs. The addendum will make UK-EU business much easier to manage, allowing organisations to use one set of clauses for all of their operations, regardless of jurisdiction, with only minimal extra documentation. For the moment however, organisations need to be wary of divergence in legal systems and the additional burdens created by the ruling in Schrems II. The risk assessment and guidance introduces welcome clarifications for international transfers, giving hope to the idea that if organisations use best efforts within the scope of the guidance given, this will be reflected positively in any ICO regulatory action.