On August 11, 2021, the UK Information Commissioner’s Office (“ICO”) opened a public consultation to solicit stakeholder input regarding the UK’s approach to regulating international transfers of personal data under the UK General Data Protection Regulation (“UK GDPR”) (see here).  To kick off this initiative, the ICO published a consultation paper setting out various policy options that the UK is considering, as well as:

  • a draft set of contractual templates to facilitate transfers of personal data outside the UK, including: (1) a draft international data transfer agreement (“IDTA”); and (2) a draft international transfer addendum to be appended to the recently approved EU standard contractual clauses (“EU Addendum”); and
  • a draft transfer impact assessment tool designed to help controllers and processors transferring personal data under the UK GDPR satisfy the requirements articulated by the Court of Justice of the European Union (“CJEU”) in the Schrems II decision (see here).

The ICO has requested that interested stakeholders submit their feedback by no later than October 7, 2021.  In this blog post, we summarize these documents and tools, and identify topics that interested stakeholders may want to address when preparing their submission to the public consultation.

(1)  Consultation Paper on International Transfers

The consultation paper is divided into three sections:

  1. Proposal and plans for the ICO to update its guidance on international transfers. This section examines:
    • the extraterritorial scope of the UK GDPR – in particular, it discusses when and under what circumstances the UK GDPR applies to: (1) a non-UK processor of a controller established in the UK, or (2) a non-UK entity operating as a joint controller together with an entity established in the UK;
    • the interpretation of Chapter V of the UK GDPR on international transfers – in particular, it discusses whether it is necessary to implement safeguards (g., a transfer agreement) for transfers: (1) to an entity outside the UK that is subject to the GDPR by virtue of its extraterritorial scope; (2) from a UK-based processor back to a non-UK controller; and (3) within the same corporate group. This section also discusses the transfer derogations under Article 49 GDPR and sets out various policy options for their interpretation.
  2. Transfer risk assessments. This section seeks feedback on the ICO’s draft transfer risk assessment tool published together with the consultation paper.  It also asks for example transfer scenarios that could be considered and address by the tool.
  3. ICO model IDTA and EU Addendum. This section asks for feedback regarding the draft IDTA and EU addendum published together with the consultation paper.  It also requests feedback on the transition period during which the old version of the EU standard contractual clauses (approved under the EU Data Protection Directive) can still be used.

(2) Draft Contractual Templates

The draft templates (see here) includes not only a template IDTA intended to replace the EU standard contractual clauses, but also explanatory instructions on how to implement the IDTA.  These instructions are divided into five chapters:

  1. Introduction to the IDTA. This chapter explains the purpose of the IDTA and how it relates to other contractual agreements.  It discusses, in particular, how to incorporate the IDTA into data processing agreements between controllers and processors pursuant to Article 28 of the UK GDPR.  Notably, in contrast with the new EU standard contractual clauses, the ICO does not propose to incorporate the substantive provisions of Article 28 UK GDPR into the IDTA itself.
  2. Completing the IDTA. This chapter provides step-by-step instructions on when and how to implement the IDTA, presented in a question-and-answer format.
  3. Template IDTA. This chapter includes the template IDTA itself, which is split into four parts:
    • Part 1 includes tables to be completed with information about: (1) the parties, their contact points, signatures, and start date of the agreement; (2) transfer details; (3) categories of personal data transferred and the purpose(s) of the transfer; and (4) security measures implemented;
    • Part 2 is a placeholder to specify additional technical, organizational and/or contractual data protection measures to protect the transfer(s), where such measures are determined necessary to mitigate the risks identified in the transfer risk assessment;
    • Part 3 may be completed with commercial clauses, if the parties elect to do so; and
    • Part 4 includes mandatory clauses that stipulate, for example: the parties’ commitment to be bound by the IDTA; how to sign or change the IDTA; how to ensure that the IDTA provides appropriate safeguards; the exporter’s obligations; the importer’s obligations; the rights of individuals; what happens in the event of a breach of the IDTA; circumstances resulting in termination of the IDTA; and how individuals can bring claims under the IDTA.
  4. Frequently Asked Questions. This chapter includes answers to frequently asked questions to assist controllers and processors in implementing the IDTA.
  5. Guidance Templates. In this chapter, the ICO states that it may issue additional guidance on:
    • optional supplementary clauses (to address risks identified in the transfer risk assessment);
    • optional commercial clauses;
    • a template for introducing changes to the IDTA;
    • a multi-party IDTA; and
    • an example of a completed transfer risk assessment and IDTA.

While the abovementioned documents support parties in implementing the UK’s own IDTA, the EU Addendum (see here) amends the EU standard contractual clauses (“SCCs”) approved by the European Commission on June 4, 2021 (see our blog post here).  The EU Addendum is designed to restate the language of the EU SCCs to effectively facilitate transfers outside the UK (e.g., by changing certain references from “EU” to “UK”).  The EU Addendum also revises the choice of law and jurisdiction provisions to refer to the laws and courts of England and Wales.  Note also that the EU Addendum can be revised, so long as any revision(s) maintain the “appropriate safeguards” required by Article 46 of the UK GDPR or guarantee a higher level of protection for data subjects.

In its consultation paper, the ICO also announced that it is planning to issue a similar addendum for transfer clauses adopted by other jurisdictions, such as the New Zealand and ASEAN (the Association of Southeast Asian Nations) clauses.

(3) Draft Transfer Risk Assessment Tool

The transfer risk assessment tool (see here) is designed to help controllers and processors assess whether they can lawfully transfer personal data outside of the UK on the basis of a transfer safeguard mentioned in Article 46 of the UK GDPR (e.g., the IDTA or binding corporate rules).  The transfer risk assessment tool consists of a three-step analysis, reflecting the key elements of the CJEU’s decision in Schrems II, namely:

  • Assess whether the selected transfer safeguard is sufficient to protect the personal data transferred. In particular, this requires evaluating whether the safeguard is able to satisfy the UK GDPR’s fundamental data protection principles in light of the nature of the transfer;
  • Assess whether the safeguard is enforceable in the country of destination (e., the country where the data importer is located). Where the exporter has concerns about the safeguard’s enforceability, it must carry out an additional risk assessment to determine whether extra steps can be taken to mitigate the attendant risks; and
  • Assess the country of destination’s regime for regulating third-party access to personal data. This includes assessing national surveillance laws of the country of destination.

In summary, the consultation paper and adjoining documents illustrate (at least to some extent) the flexibility that the ICO wields in setting its own course for regulating transfers of UK personal data, as compared to the multilateral approach required in the EU.  As a national regulator, the ICO is empowered not only to publish its own transfer clauses (in line with the role of the European Commission), but also issue adjoining guidance and tools for implementing them in practice (such as those provided by the European Data Protection Board and independent supervisory authorities in the EU).  Whilst the UK will still need to plot a course that tracks closely with the EU to maintain its adequacy status (see our blog post here), the ICO appears to be making the most of this opportunity to tailor its approach to regulating transfers, in order to support the needs of stakeholders and seek further harmonization with other regimes internationally.

*             *             *

We are glad to assist clients who are planning to submit a response to the ICO’s public consultation.  We are continuously monitoring these developments, and we have significant experience in assisting multinational companies and organizations in navigating complex cross-border transfer requirements in the UK and beyond.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.