ICO launches public consultation on the protection of personal data transferred outside the UK

August 31, 2021

On 11 August the UK Information Commissioner’s Office (ICO) launched a public consultation on its draft international data transfer agreement (IDTA) and guidance to determine how organisations can protect individuals’ personal data when it is transferred outside of the UK.

Under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA), personal data transfers from the UK by controllers and processors who are subject to the UK GDPR to organisations which are not subject to the UK GDPR - often because such organisations are located in jurisdictions other than the UK, including the European Economic Area (EEA) - are generally considered to be “restricted transfers” and are subject to certain transfer rules. Such rules are currently broadly equivalent to the similar rules under the EU General Data Protection Regulation (GDPR).

In order to ensure that data subjects do not lose the protection of the UK GDPR if their personal data is transferred outside the UK, individuals’ personal data rights must be afforded essentially equivalent protection in a different way. Such protection will be assumed if the jurisdiction where the relevant recipient is located is the subject of UK “adequacy regulations” (at present, there are UK adequacy regulations covering the EEA and any jurisdictions covered by existing EU “adequacy decisions”).

If there are no relevant UK adequacy regulations, then suitable protection can be ensured through the implementation of one of a number of “appropriate safeguards” as set out in the UK GDPR. Such safeguards include, for example, UK binding corporate rules and standard contractual clauses or “SCCs” (agreements between the transferring and receiving organisations, which include standard data protection clauses approved under UK data protection legislation).

Before any such safeguards can be relied upon, the transferring organisation should carry out a transfer impact assessment, which considers the protections included in the relevant safeguard and the legal framework of the jurisdiction to which the restricted transfer will be made. If the transfer impact assessment suggests that the appropriate safeguard does not provide the necessary level of protection, the transferring organisation can implement additional measures to ensure that adequate protection for the transferred personal data will be guaranteed.

There are also various exceptions set out in the UK GDPR, which may apply (although generally these cannot be relied upon routinely).

The ICO notes that the proposed IDTA will replace the current SCCs to incorporate the European Court of Justice’s judgment in the Schrems II case, which obliged organisations to conduct further investigations when transferring personal data outside the UK or the EEA to countries without an adequacy decision.

The consultation is divided into three parts, which propose various options for consideration:

  1. a proposal and plans for updated guidance on international transfers
  2. transfer risk assessments (TRA)
  3. the IDTA

Regarding the proposal to update the ICO’s guidance on international transfers, the consultation focuses on a number of proposals concerning two key points where updated guidance may be helpful. These include whether or not the UK GDPR inevitably governs processing by:

  • an overseas processor of a “UK GDPR controller” (a controller whose processing falls within the scope of the UK GDPR)
  • an overseas joint controller with a UK joint controller

The consultation also considers the ICO’s interpretation of what constitutes a “restricted transfer” under the UK GDPR. Among other things, the ICO is reflecting on whether or not to maintain its current guidance, which is that a restricted transfer only takes place where the importer’s processing of personal data is not subject to the UK GDPR on the basis that, if the importer is already required to process the data in accordance with the UK GDPR, no additional protection for the transferred data is required.

Alternatively, the ICO could update its current guidance to reflect that a restricted transfer occurs when an exporter is subject to the UK GDPR (whether located in the UK or overseas) and the importer is located outside the UK, with the issue of whether or not the UK GDPR applies to the importer being deemed to be irrelevant, which aligns more closely with the EU’s position on this point.

The consultation is also considering updating the ICO’s guidance on derogations under the UK GDPR, including the interpretation of whether a derogation is “necessary and proportionate”. The ICO is also considering providing guidance on how to combine IDTAs (and other safeguards) with the derogations set out in the UK GDPR.

The ICO is also seeking views on the draft TRA tool and IDTA, together with the possibility of issuing an IDTA in the form of an addendum to model data transfer agreements issued by other jurisdictions (e.g. the European Commission SCCs, which could be amended to work in the context of UK data transfers).

The draft international TRA and tool focus on two main issues regarding the laws and practices of the destination country of personal data: (i) whether the IDTA will be enforceable in that country; and (ii) the destination country’s legal regime, which may oblige data importers to provide third party access to the transferred data. The emphasis is not so much on whether third party access is allowed by local law, but whether the destination country’s laws and practices incorporate safeguards which are similar to those enshrined in UK laws.

The draft IDTA includes an introduction to the IDTA and sections on completing the IDTA, the template IDTA, various frequently asked questions and guidance templates.

The ICO is seeking opinions on both relevant data protection rights and legal, policy and economic considerations in respect of the new proposals. The ICO is keen to hear the views of all relevant stakeholders before the consultation closes after 5pm on 7 October 2021.

It will be interesting to see what emerges from the consultation and the extent to which the ICO’s position will diverge from the EU’s position on international personal data transfers following the consultation, particularly in view of the fact that the recently granted adequacy decision in respect of the UK is partly dependent on limited divergence by the UK data protection regime from the EU data protection regime.