Data Protection Law
UK data protection law has the possibility to assert its independence following Brexit. That said, we don’t expect the UK to stray too far from the EU position because to do so would threaten the continuing adoption of an adequacy decision by the European Commission on 28 June 2021. A recent consultation issued by the Information Commissioner’s Office (ICO), the regulatory body for data protection in the UK, has raised some difficult and long unanswered questions. Alongside a draft international data transfer agreement and a draft risk assessment for international transfers, the ICO has posed questions which many data lawyers have been scratching their heads over since GDPR was introduced in 2016. Organisations can submit their opinions up until 5pm on Thursday 7th October 2021. We look at the questions asked here and take a view on their proposed answers.
UK Data Protection Law: Article 3 UK GDPR
The ICO raised UK data protection law questions around how Article 3 UK GDPR would apply to certain relationships. The crux of this investigation concerning who, in an international context, the UK GDPR applies to. ‘The Regulation’ in the article is referring to UK GDPR. The article is as follows:
- “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the United Kingdom, regardless of whether the processing takes place in the UK or not.
- This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to:
- The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or
- The monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.”
The UK data protection law issues raised by the ICO here was whether Article 3 applied to (a) an overseas processor of a UK controller; and (b) an overseas joint controller with a UK controller.
This needs simplifying. Firstly, data controllers are the main decision-makers – they exercise overall control over the purposes and processing of personal data. Processors act on behalf of, and only on the instructions of, the relevant controller. A good example would be where a business uses a software platform to process its data for analysis, human resources or any other possible function. The business would usually be the controller in this case and the software platform provider, the processor.
The ICO is therefore asking whether the Regulation (UK GDPR), as referred to in Article 3, directly applies to overseas processors or an overseas joint controller of a UK controller. This is supplementary to the fact that data controllers are obliged to enter into data processing agreements with their processors which will contain most of the UK GDPR obligations. If the ICO were to say that such overseas processors and controllers were to be directly subject to the UK GDPR, then such contractual provisions may become obsolete. It is also noted that an overseas joint controller usually always processes ‘personal data in the context of the activities of an establishment of a controller… in the United Kingdom’ (Article 3(1)) and therefore, usually, overseas joint controllers would be seen to be directly subject to UK GDPR.
Google Spain Judgement
The ‘spanner in the works’ of all this theorising around the obligations of overseas processors / joint controllers was the controversial judgement in Google Spain SL v. Agencia Espanola de Protection de Datos. Although a Spanish case, it eventually went to the European Court of Justice (ECJ), and with all case law from the ECJ being retained by the UK following Brexit, the ruling still holds sway. Essentially the ECJ stated that Google was the data controller of EU personal data published by third party websites and so GDPR applied, even though they were based in the US. Many commentators would distinguish Google in this instance from your average overseas processor/controller, however, because of the unusual amount of influence the search engine has over how personal data is presented to users.
Article 3 UK GDPR – ICO views
So the ICO is considering making the following three proposals applicable – subject to the consultation, which allows organisations to submit their opinions by 7th October 2021:
- For overseas processors of a UK GDPR Controller under Article 3(1) – the ICO suggests that whether UK GDPR directly applies will depend on the circumstances.
- For overseas processors of a UK GDPR Controller under Article 3(2) – the ICO suggests that the UK GDPR should always be directly applicable to processors.
- For overseas joint controllers with a UK-based joint controller – the ICO suggests that whether UK GDPR directly applies will depend on the circumstances.
As previously stated, this may all be fairly irrelevant given that UK controllers are obliged to enter into data processing agreements with their processors and most overseas controllers will intuitively be deemed to be subject to the UK GDPR. If the ICO were to decide that the UK GDPR applied to all overseas processors, this would potentially mean less contractual protection for data subjects. We take the suggestion at 2) therefore to be counterproductive, although we support the suggestions in 1) and 3) even though they introduce increased ambiguity.
UK Data Protection Law – Chapter V UK GDPR
The next set of UK data protection law questions posed by the ICO concerned chapter 5 UK GDPR and, in particular, Article 44. Questions here were raised around when a ‘restricted transfer’ is taking place and therefore whether measures need to be taken to protect such a transfer. The article is as follows:
“Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.
What this is essentially saying is that a transfer falling within article 44 is a “restricted transfer” and can therefore only take place when the conditions in Chapter V are complied with. This means contractual protections will need to be in place, security measures will need to be accessed and a risk assessment should also take place.
Chapter V UK GDPR – ICO views
The ICO asked UK data protection law questions around when such Article 44 restricted transfers would take place. They suggested the following clarifications could take place:
- In order for a restricted transfer to take place, there must be a transfer from one legal entity to another – this means that it is not a restricted transfer where the data flows within a legal entity. For example, it is not a restricted transfer where an employee takes a laptop outside the UK, or a UK company shares data with its overseas branch. However, where the data flow stays within a single legal entity, it would still have to ensure those data flows comply with general UK GDPR obligations (e.g. security requirements) but not the transfer requirements in Chapter V.
- A UK GDPR processor with a non-UK GDPR controller, will only make a restricted transfer to its own overseas sub-processors – this interpretation means that it is a restricted transfer when a UK GDPR processor (with a non-UK GDPR controller) appoints an overseas sub-processor and transfers personal data to it. But it is not a restricted transfer when a UK GDPR processor (with a non-UK GDPR controller) returns data to its non-UK GDPR controller or sends it to a separate overseas controller or processor (but not its own sub-processor).
- Whether processing by an importer subject to UK GDPR is considered a restricted transfer – currently, if the importer is already required to process data in accordance with UK GDPR, no additional Chapter V protection is needed. For example, the exporter will not need to carry out a Schrems II risk assessment nor put in place an Art 46 transfer tool. What the ICO is now suggesting is that it could update its guidance to reflect that a restricted transfer takes place whenever the exporter is subject to UK GDPR (and may be located in the UK or overseas) and the importer is located outside of the UK.
We support points 1) and 2) because they bring greater clarity around when restricted transfers are not taking place. However, point 3) seems slightly unnecessary although is not wholly unsupported. If an organisation has gone to the effort of determining whether or not an importer they are working with is subject to the UK GDPR, why then should they have to make a restricted transfer? On the flip side, point 3) offers further protection to data subjects because more contractual protection is introduced. You could also argue that although some importers are subject to UK GDPR, the difficulty in enforcing it will mean contractual obligations would be a good thing. Overall, we support the proposal in point 3 but with some reservations.
UK Data Protection Law – The Finer Details
This is pretty high-level UK data protection law analysis. The main finding here being that the ICO isn’t afraid to ask difficult questions, although in some cases they seem to be on a rather unnecessary tack. We support most of the suggestions and are pleased to see the ICO acting independently. Some simple questions, however, such as whether consultants are deemed to be within an organisation, are still left unanswered. Our hope would be that they don’t stop here in taking their independent perspective on retained EU law and that they continue to keep in mind the practical issues raised by organisations.