On 11 August 2021, the UK Information Commissioner’s Office (ICO) launched a consultation about its plans to assist organisations to comply with the UK General Data Protection Regulation (GDPR) when making UK transfers of personal data to third countries. In this article, we consider the proposed Transfer Risk Assessment tool and International Data Transfer Agreement.
Background
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a judgment in the case of Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (known as “Schrems II”). The CJEU upheld the European Union (EU) Standard Contractual Clauses (SCCs) as a valid mechanism for transfers of personal data from the EU and European Economic Area to third countries lacking a European Commission decision that they provide ‘adequate’ protection for individuals’ rights and freedoms. The CJEU further underlined that the data exporter should perform an assessment of the level of protection provided by an SCC in the third country, prior to making the transfer of data. The EU (Withdrawal) Act 2018 and EU (Withdrawal Agreement) Act 2020 retain the Schrems II judgment within UK law, although it is important to note that the UK now has the authority under Sections 17A and 74A of the UK Data Protection Act 2018 (DPA) to make its own adequacy decisions for third countries.
Transfer Risk Assessment (TRA)
On 18 June 2021, the European Data Protection Board adopted the final version of its Recommendations on measures that supplement transfer tools, such as SCCs. However, the ICO has now produced its own TRA for data exporters to conduct an assessment when making low risk, routine and simple transfers of data to third countries lacking an adequacy decision, although exporters will remain free to use other methods to carry out equivalent assessments.
The TRA outlines that data exporters should confirm that the contractual rights set out in the International Data Transfer Agreement (see below) are likely to be enforceable in the relevant third country and that, where there are concerns, the risk of harm to data subjects is either low or can be reduced to low by taking additional steps and measures. Factors for consideration include:
- whether the third country has an established and respected legal system;
- whether the third party is a signatory to an international convention for the enforcement of foreign judgments;
- the categories of data and data subjects;
- data minimisation;
- whether the data subjects have expressly confirmed that they have been informed of the potential risks of the transfer and have no concerns;
- whether the data importer is bound by ICO approved or sectoral certification, codes of conduct or obligations; and
- whether the data exporter and importer are within the same group of companies.
The TRA further emphasises that data exporters should also confirm that one of the following will apply in the context of the data transfer:
- the destination regime will provide appropriate protection from third party access to data (including surveillance);
- the likelihood of third party access (including surveillance) taking place is minimal (or will become minimal upon applying any extra steps and protection); or
- even if third party access to data of concern does occur, the risk of harm to data subjects will be low (or will become low upon applying any extra steps and protection).
Factors for consideration include whether:
- there are laws which set out when and how access to data may be required to be given to third parties (including public authorities), and which impose limitations on the use of the data once accessed;
- individuals have effective and enforceable rights and remedies in relation to the safeguards on third party access;
- there is effective oversight of third party access, for example a Data Protection Authority;
- trade or sector bodies are able to provide evidence as to the volume of requests for third party access in their sector; and
- technical measures (for example, encryption and pseudonymisation) are in place.
International Data Transfer Agreement (IDTA)
The Information Commissioner is exercising her authority under Section 119A(1) of the DPA to issue the model IDTA to replace the EU SCCs. The IDTA contains:
- tables to set out specific information about the data exporter, importer and transfer (for example, ‘Linked Agreements’ such as existing processing agreements between the data exporter and importer, with the caveat that where the terms contradict each other, those of the IDTA take precedence);
- the option to include ‘extra protection’ clauses to provide the right level of protection (for example, additional technical security);
- the option to include commercial clauses agreed by the data exporter and importer, provided that these do not contradict the IDTA; and
- a set of mandatory clauses (for example, appropriate safeguards for the transferred data, compliance with requests from the ICO in regard to the IDTA and/or processing of the transferred data, onward transfers, sub-processing, handling of data subject rights and personal data breaches, liability and legal glossary).
The ICO is inviting feedback as to whether one or more of the following would be helpful for data exporters and importers:
- a modular approach to the IDTA equivalent to the EU SCCs;
- a separate multi-party IDTA;
- additional guidance templates such as an example of a completed IDTA; and
- an IDTA in the form of an addendum to existing model transfer agreements, for example the EU SCCs (the ICO also provides a sample addendum which amends the EU SCCs to work in the context of UK data transfers).
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations in conducting international transfers. For more information please feel free to contact our advisers, who would be more than happy to help.