On August 11, 2021, the UK Information Commissioner’s Office (“ICO”) opened a public consultation to solicit stakeholder input regarding the UK’s approach to regulating international transfers of personal data under the UK General Data Protection Regulation (“UK GDPR”) (see here). To kick off this initiative, the ICO published a consultation paper setting out various policy options that the UK is considering, as well as:
- a draft set of contractual templates to facilitate transfers of personal data outside the UK, including: (1) a draft international data transfer agreement (“IDTA”); and (2) a draft international transfer addendum to be appended to the recently approved EU standard contractual clauses (“EU Addendum”); and
- a draft transfer impact assessment tool designed to help controllers and processors transferring personal data under the UK GDPR satisfy the requirements articulated by the Court of Justice of the European Union (“CJEU”) in the Schrems II decision (see here).
The ICO has requested that interested stakeholders submit their feedback by no later than October 7, 2021. In this blog post, we summarize these documents and tools, and identify topics that interested stakeholders may want to address when preparing their submission to the public consultation.
(1) Consultation Paper on International Transfers
The consultation paper is divided into three sections:
- Proposal and plans for the ICO to update its guidance on international transfers. This section examines:
  - the extraterritorial scope of the UK GDPR – in particular, it discusses when and under what circumstances the UK GDPR applies to: (1) a non-UK processor of a controller established in the UK, or (2) a non-UK entity operating as a joint controller together with an entity established in the UK;
  - the interpretation of Chapter V of the UK GDPR on international transfers – in particular, it discusses whether it is necessary to implement safeguards (e.g., a transfer agreement) for transfers: (1) to an entity outside the UK that is subject to the GDPR by virtue of its extraterritorial scope; (2) from a UK-based processor back to a non-UK controller; and (3) within the same corporate group. This section also discusses the transfer derogations under Article 49 GDPR and sets out various policy options for their interpretation.
- Transfer risk assessments. This section seeks feedback on the ICO’s draft transfer risk assessment tool published together with the consultation paper. It also asks for example transfer scenarios that could be considered and addressed by the tool.
- ICO model IDTA and EU Addendum. This section asks for feedback regarding the draft IDTA and EU Addendum published together with the consultation paper. It also requests feedback on the transition period during which the old version of the EU standard contractual clauses (approved under the EU Data Protection Directive) can still be used.
(2) Draft Contractual Templates
The draft templates (see here) include not only a template IDTA intended to replace the EU standard contractual clauses, but also explanatory instructions on how to implement the IDTA. These instructions are divided into five chapters:
- Introduction to the IDTA. This chapter explains the purpose of the IDTA and how it relates to other contractual agreements. It discusses, in particular, how to incorporate the IDTA into data processing agreements between controllers and processors pursuant to Article 28 of the UK GDPR. Notably, in contrast with the new EU standard contractual clauses, the ICO does not propose to incorporate the substantive provisions of Article 28 UK GDPR into the IDTA itself.
- Completing the IDTA. This chapter provides step-by-step instructions on when and how to implement the IDTA, presented in a question-and-answer format.
- Template IDTA. This chapter includes the template IDTA itself, which is split into four parts:
  - Part 1 includes tables to be completed with information about: (1) the parties, their contact points, signatures, and start date of the agreement; (2) transfer details; (3) categories of personal data transferred and the purpose(s) of the transfer; and (4) security measures implemented;
  - Part 2 is a placeholder to specify additional technical, organizational and/or contractual data protection measures to protect the transfer(s), where such measures are determined necessary to mitigate the risks identified in the transfer risk assessment;
  - Part 3 may be completed with commercial clauses, if the parties elect to do so; and
  - Part 4 includes mandatory clauses that stipulate, for example: the parties’ commitment to be bound by the IDTA; how to sign or change the IDTA; how to ensure that the IDTA provides appropriate safeguards; the exporter’s obligations; the importer’s obligations; the rights of individuals; what happens in the event of a breach of the IDTA; circumstances resulting in termination of the IDTA; and how individuals can bring claims under the IDTA.
- Frequently Asked Questions. This chapter includes answers to frequently asked questions to assist controllers and processors in implementing the IDTA.
- Guidance Templates. In this chapter, the ICO states that it may issue additional guidance on:
  - optional supplementary clauses (to address risks identified in the transfer risk assessment);
  - optional commercial clauses;
  - a template for introducing changes to the IDTA;
  - a multi-party IDTA; and
  - an example of a completed transfer risk assessment and IDTA.
While the abovementioned documents support parties in implementing the UK’s own IDTA, the EU Addendum (see here) amends the EU standard contractual clauses (“SCCs”) approved by the European Commission on June 4, 2021 (see our blog post here). The EU Addendum is designed to restate the language of the EU SCCs to effectively facilitate transfers outside the UK (e.g., by changing certain references from “EU” to “UK”). The EU Addendum also revises the choice of law and jurisdiction provisions to refer to the laws and courts of England and Wales. Note also that the EU Addendum can be revised, so long as any revision(s) maintain the “appropriate safeguards” required by Article 46 of the UK GDPR or guarantee a higher level of protection for data subjects.
In its consultation paper, the ICO also announced that it is planning to issue a similar addendum for transfer clauses adopted by other jurisdictions, such as the New Zealand and ASEAN (the Association of Southeast Asian Nations) clauses.
(3) Draft Transfer Risk Assessment Tool
The transfer risk assessment tool (see here) is designed to help controllers and processors assess whether they can lawfully transfer personal data outside of the UK on the basis of a transfer safeguard mentioned in Article 46 of the UK GDPR (e.g., the IDTA or binding corporate rules). The transfer risk assessment tool consists of a three-step analysis, reflecting the key elements of the CJEU’s decision in Schrems II, namely:
- Assess whether the selected transfer safeguard is sufficient to protect the personal data transferred. In particular, this requires evaluating whether the safeguard is able to satisfy the UK GDPR’s fundamental data protection principles in light of the nature of the transfer;
- Assess whether the safeguard is enforceable in the country of destination (i.e., the country where the data importer is located). Where the exporter has concerns about the safeguard’s enforceability, it must carry out an additional risk assessment to determine whether extra steps can be taken to mitigate the attendant risks; and
- Assess the country of destination’s regime for regulating third-party access to personal data. This includes assessing national surveillance laws of the country of destination.
In summary, the consultation paper and adjoining documents illustrate (at least to some extent) the flexibility that the ICO wields in setting its own course for regulating transfers of UK personal data, as compared to the multilateral approach required in the EU. As a national regulator, the ICO is empowered not only to publish its own transfer clauses (in line with the role of the European Commission), but also to issue adjoining guidance and tools for implementing them in practice (such as those provided by the European Data Protection Board and independent supervisory authorities in the EU). Whilst the UK will still need to plot a course that tracks closely with the EU to maintain its adequacy status (see our blog post here), the ICO appears to be making the most of this opportunity to tailor its approach to regulating transfers, in order to support the needs of stakeholders and seek further harmonization with other regimes internationally.
* * *
We are glad to assist clients who are planning to submit a response to the ICO’s public consultation. We are continuously monitoring these developments, and we have significant experience in assisting multinational companies and organizations in navigating complex cross-border transfer requirements in the UK and beyond.