ICO launches public consultation on the protection of personal data transferred outside the UK
On August 11, the UK Information Commissioner’s Office (ICO) launched a public consultation on its draft International Data Transfer Agreement (IDTA) and accompanying guidance, which set out how organizations can protect the personal data of individuals when it is transferred outside of the UK.
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), transfers of personal data by controllers and processors who are subject to the UK GDPR to organizations that are not subject to the UK GDPR – often because those organizations are located in jurisdictions other than the UK, including the European Economic Area (EEA) – are generally considered “restricted transfers” and are subject to certain transfer rules. These rules are currently broadly equivalent to the corresponding rules in the EU General Data Protection Regulation (GDPR).
To ensure that data subjects do not lose UK GDPR protection when their personal data is transferred outside of the UK, their data protection rights must be given substantially equivalent protection by some other means. Such protection is assumed if the jurisdiction in which the recipient is located is covered by UK ‘adequacy regulations’ (at present there are UK adequacy regulations covering the EEA and all jurisdictions covered by existing EU ‘adequacy decisions’).
Where no UK adequacy regulations apply, appropriate protection can be provided by implementing one of the ‘appropriate safeguards’ set out in the UK GDPR. These safeguards include, for example, UK Binding Corporate Rules and Standard Contractual Clauses or ‘SCCs’ (agreements between the transferring and receiving organizations that incorporate standard data protection clauses approved under UK data protection law).
Before any such safeguard can be relied upon, the transferring organization must carry out a transfer impact assessment, which takes into account the protections included in the relevant safeguard and the legal framework of the jurisdiction to which the restricted transfer will be made. If the transfer impact assessment suggests that the appropriate safeguard does not provide the necessary level of protection, the transferring organization may implement supplementary measures to ensure adequate protection of the transferred personal data.
There are also various exceptions set out in the UK GDPR which may apply (although they generally cannot be relied upon on a routine basis).
The ICO notes that the proposed IDTA will replace the current SCCs in order to reflect the judgment of the Court of Justice of the European Union in the Schrems II case, which requires organizations to carry out additional due diligence when transferring personal data outside the UK or the EEA to countries without an adequacy decision.
The consultation is divided into three parts, each offering different options for consideration:
- a proposal and plans for updated guidance on international transfers
- transfer risk assessments (TRA)
- the draft international data transfer agreement (IDTA)
On the proposal to update the ICO guidance on international transfers, the consultation puts forward a number of proposals on two key points where updated guidance may be useful. These concern whether the UK GDPR necessarily governs processing by:
- a foreign processor of a “UK GDPR controller” (a controller whose processing falls within the scope of the UK GDPR)
- a foreign joint controller with a UK joint controller
The consultation also examines the ICO’s interpretation of what constitutes a “restricted transfer” under the UK GDPR. Among other things, the ICO is considering whether or not to maintain its current guidance, namely that a restricted transfer only takes place when the processing of the personal data by the importer is not subject to the UK GDPR, on the basis that, if the importer is already required to process the data in accordance with the UK GDPR, no additional protection for the transferred data is needed.
Alternatively, the ICO could update its current guidance to reflect that a restricted transfer occurs whenever an exporter subject to the UK GDPR (whether located in the UK or overseas) transfers data to an importer located outside the UK, treating the question of whether the UK GDPR applies to the importer as irrelevant. This approach aligns more closely with the EU’s position on this point.
The consultation also proposes updating the ICO’s guidance on the exemptions under the UK GDPR, including the interpretation of when an exemption is “necessary and proportionate”. The ICO is also considering providing guidance on how to combine IDTAs (and other safeguards) with the exemptions set out in the UK GDPR.
The ICO is also seeking views on the draft TRA tool and on the IDTA, as well as on the possibility of issuing the IDTA as an addendum to the model data transfer agreements issued by other jurisdictions (e.g. the European Commission’s SCCs, which could be adapted to operate in connection with data transfers from the UK).
The draft international TRA guidance and tool focus on two main questions regarding the laws and practices of the destination country of the personal data: (i) whether the IDTA will be enforceable in that country; and (ii) whether the legal regime of the destination country may require data importers to provide third parties with access to the transferred data. The focus is not so much on whether third-party access is permitted by local law, but on whether the laws and practices of the destination country incorporate safeguards similar to those enshrined in UK law.
The draft IDTA includes an introduction to the IDTA, sections on how to complete it, the IDTA template, a set of frequently asked questions and guidance templates.
The ICO seeks views on data protection rights and on the legal, political and economic considerations raised by the new proposals. It wishes to hear the views of all relevant stakeholders before the consultation closes at 5 p.m. on October 7, 2021.
It will be interesting to see what emerges from the consultation and to what extent the ICO’s position will diverge from the EU position on international transfers of personal data as a result, in particular given that the recently granted EU adequacy decision in respect of the UK depends in part on the UK data protection regime diverging only to a limited degree from the EU data protection regime.
The Information Commissioner’s Office (ICO) has launched a public consultation on its draft international data transfer agreement (IDTA) and its guidelines.