It’s tricky writing articles about international data transfers. No sooner do you put down your figurative pen, than someone goes and changes the rules.
Much has changed since I last wrote about the subject. First, the EU finalised its much-needed new standard contractual clauses (SCCs) for transfers of personal data out of the EU. Then it approved the UK data protection regime as “adequate”, a mere whisker before the deadline of the end of June 2021.
Fresh from its adequacy decision from the EU, the UK started pumping out consultations on ways to change UK data protection law and guidance and depart from consistency with EU law, in the form of the Data Reform Bill. International transfer issues formed a big part of these consultations. Most importantly, the UK’s new International Data Transfer Agreement (IDTA) came into force on 21 March 2022.
When did the EU’s new SCCs come into force?
The EU SCCs for cross-border transfers were finalised on 4 June 2021. This is the most popular way to send personal data from the EU to a ‘third country’. EU organisations swiftly started updating their transfer contracts, with a deadline of 27 September 2021 to stop using old SCCs for new data transfers.
However, the UK didn’t allow the use of new EU SCCs for transferring data from the UK. British organisations were temporarily left with very limited ways to legitimise data transfers other than the out-of-date SCCs. Global organisations, including big tech companies transferring data to the US, needed to use different SCCs for data travelling from the EU to those used for data travelling from the UK. This was undoubtedly a good exercise in mapping out data flows, and finding tailored solutions, but again pointed to the fact the UK approach was soon expected to change.
How does the UK’s data adequacy agreement fit into the equation?
The EU Commission’s adequacy decision for the UK arrived on 28 June 2021 – just in time – as 30 June was the final day of the “bridge” allowing personal data to flow without additional safeguards. It was a huge relief. Although the ICO recommended organisations put in place a backup plan, many had put faith in the adequacy decision coming through.
This agreement, however, excludes data transferred to the UK for immigration control, which was one of the sticking points in the debate, as UK law exempts organisations from providing certain data protection rights. The decision also has an expiry date of 27 June 2025, and could be repealed before then if the UK deviates too far from GDPR.
How does the UK’s International Data Transfer Agreement work?
The IDTA, prepared by the Information Commissioner’s Office (ICO), came into force on 21 March 2022. UK organisations can now escape the clutches of the old SCCs, but the old SCCs remain available for contracts concluded before 21 September 2022.
As an alternative, the ICO has produced an “addendum” to the new EU SCCs. This converts them to be suitable for transfers from the UK (rather than the EU) and reflects the requirements of UK law. The addendum may be useful for global organisations looking for a consistent set of clauses for transfers from the EU and the UK, or those unwilling to adapt to new provisions. On the other hand, the new IDTA is a standalone document, has more of a UK style, and may be easier to understand and put into practice.
What should organisations look out for?
Organisations using the IDTA need to understand their data flows, first and foremost. Full details of the parties and transfers must be included in tables at the top. This includes descriptions of data types, data subjects, security requirements and any extra protections arising from transfer risk assessments.
The terms cater for different types of transfer (as do the new EU SCCs), including controller to controller, controller to processor, processor to sub-processor, and processor to controller. There are then some provisions that apply to all transfers, and some that apply only to specified types.
The IDTA also envisages separate “linked agreements”, including data sharing or data processing agreements. This means the transfer agreement can focus on transfer issues, and doesn’t need to address all data protection issues associated with the parties’ relationship, such as requirements under UK GDPR for contracts with a processor.
The majority of the clauses are mandatory, so organisations using the IDTA should generally use them as they are. However, practical changes are permitted, such as to make the agreement multi-party, where needed.
To help protect data protection rights, data subjects and the ICO may bring claims against the parties for breach of the terms.
How did different consultations impact the International Data Transfer Agreement (IDTA)?
Alongside its consultation on the IDTA in August 2021, the ICO consulted on updates to its international data transfer guidance, together with a transfer risk assessment and tool. The UK government, in September 2021, also published a paper called Data: A new direction to consult on reforms to data protection legislation. Chapter 3 of this discusses reducing barriers to data flows.
Assessing data transfer risks
Firstly, the UK government recognises that assessing data transfer risks isn’t easy. Since the Schrems II court decision in July 2020, all organisations, large and small, have been required to do just this. I advise several small companies using cloud-based technology, which involves data transfers outside the UK. When I explain to my clients that they must research and assess the risks of such transfers, and then discuss this with giants such as Amazon, Google and Microsoft, I receive glazed and confused looks that tell me I am crazy.
Now, of course, just because an organisation is small, that doesn’t mean there are no data processing and transfer risks. Dispensing altogether with risk assessments, therefore, would not be a good solution. But the government says it intends to apply proportionality in developing transfer mechanisms, and to provide more practical support for organisations in assessing risks.
Exempting reverse transfers
Another legislative proposal that my clients may welcome is exempting “reverse transfers” from the rules. Let’s say a UK company is providing add-on services to customers of an Australian company. The Australian company sends customer details to the UK company (in line with Australian data transfer rules). The UK company then needs to confirm some of these details, before sending them back to the Australian company. Currently, UK data transfer rules would kick in, creating an additional burden, when this is information which the Australian company already holds and sent to the UK in the first place. Under the proposals, the transfer rules would not capture sending data back to the originating entity.
On a similar note, the ICO proposes that where a UK processor has been appointed by a controller outside the UK (which isn’t otherwise subject to UK data protection law), the transfer of data from the processor to the controller would not be a restricted transfer. For example, if a US company appoints a UK company to manage payroll on its behalf, the UK company would not then need to apply UK transfer rules each time payslips are sent over to the US company. This would also assist UK processors to stay competitive when pitching for work against providers local to the controller.
Where can the guidance improve?
The ICO’s guidance, and a point it consulted on, is that transfers are only restricted between legal entities. This includes transfers to group entities, but not to your own staff in another country. I’d like to see more clarity on whether this also excludes transfers to the data subjects themselves. Another proposal is that a restricted transfer is made by the party authorising it, which does not necessarily follow the data flow. This could ease (though not erase) the burden on small companies raised above; if a UK company uses a UK cloud provider that appoints a sub-processor in the US, the cloud provider makes the restricted transfer. My view is that this should also work the other way around: if the UK company directs the cloud provider to transfer data directly to an overseas recipient, the UK company makes the restricted transfer.
The government is also proposing to allow repetitive use of derogations to transfer rules. Even though it’s generally accepted that use of derogations should be a last resort, sometimes the situation boils down to them being the best option. But UK GDPR recitals indicate that some are only available where the transfer is “occasional”. For example, the derogation for transfers that are necessary for performing a contract with the data subject could not currently be used if the transfers are repetitive.
A final point is that the government refers to an “ambitious programme of adequacy assessments”. Since Brexit, the jurisdictions that the UK deems adequate mirror those of the EU’s adequacy decisions, with the addition of Gibraltar, which isn’t covered by the EU’s adequacy decision for the UK.
Where do we go from here?
On the face of it, these proposals seem sensible and helpful for many UK organisations. However, if the UK creeps away from EU data protection law, this raises the question of whether the UK’s regime will continue to be deemed adequate by the EU.
Both consultations ended in 2021. The ICO and the government are building up my excitement with signals that full outcomes will be published soon. On a final note, the US and the EU Commission agreed, in principle, a new framework for trans-Atlantic data flows to replace the previous Privacy Shield. The UK may not be jumping on board, though, as it’s exploring its own data adequacy partnership with the US.