Calling all contractors: the ICO wants input on when personal data goes international
You don’t have to be an IT contractor specialising in data to realise that it was lucky for the UK to be granted an adequacy decision by the European Commission. The granting on June 28th 2021 means that personal data from the European Economic Area can, fortunately, be sent to the United Kingdom without needing additional safeguards.
However, transfers to countries which have not been deemed adequate by the EU Commission are not as straightforward, and it is this more complicated area on which contractors and other UK businesses can now have their say to the Information Commissioner, albeit only until October 7th 2021, writes Anthi Pesmazoglou, legal consultant at Gerrish Legal.
Until now, businesses in the UK have been relying on the old Standard Contractual Clauses for transfers of data outside the UK. But these ‘SCCs’ (notably Decisions 2001/497/EC and 2010/87/EU) have just recently been repealed as a result of the Schrems II ruling in July 2020. Under that ruling, the European Court of Justice struck down the EU-US data-sharing agreement ‘Privacy Shield’ on the basis that US surveillance laws meant the US did not offer privacy protections equivalent to those under EU law. So, the ICO is now looking to establish new international transfer mechanisms for restricted transfers outside the UK.
New safeguards on UK data flows – a blessing or a curse?
The Information Commissioner’s Office had originally announced its plan to create a replacement for SCCs in May 2021, following the UK’s departure from the European Union.
The process has been moving along swiftly, and the ICO’s now-open consultation on its draft IDTA, or International Data Transfer Agreement, can be found here. Published a few weeks ago, the consultation is relevant to many parties, especially freelancers, consultants and contractors who transfer personal data out of the UK, or who provide services to UK organisations.
To help inform your potential contribution, the ICO has stated:
“We recognise the importance of international data flows to the UK’s digital economy and are committed to maintaining high standards of data protection for people’s personal information when being transferred outside of the UK.”
Just what you’ve been waiting for, contractors: an IDTA – another contract
Remember, when organisations here send personal information to a country outside the UK, they must ensure people’s data protection rights continue to be protected. An IDTA is a contract that organisations can leverage when transferring data to countries not covered by adequacy decisions and will replace the current SCCs.
The ICO consultation is split into three sections, offering a selection of proposals and options to consider, notably:
- Proposals and plans for updates to guidance on international transfers.
- Transfer risk assessments.
- The international data transfer agreement.
The consultation’s big question (we all should answer)
Where contractors, whether or not they specialise in data, can really get thinking (or even just plain opinionated) is the consultation’s question of whether it would be helpful for the ICO to approve an addendum allowing the EU Standard Contractual Clauses to be used for transfers of personal data from the UK.
Our feeling is that even if UK organisations (almost regardless of size) have no comments on the ICO’s other points, this issue alone is important enough to warrant a response to the consultation.
The ICO is also asking for views on any relevant privacy rights, legal, economic or policy considerations and implications from stakeholders in various industries including civil society groups and business organisations. Among other things, the ICO is seeking feedback on:
- the interpretation of Article 3 of the UK GDPR, i.e., the extra-territorial scope of the UK GDPR; and
- the interpretation of Chapter V of the UK GDPR, which governs restricted transfers from the UK.
Additional UK and non-UK tie-ups to consider
Other concerns to be addressed by respondents include whether the UK GDPR should necessarily apply to a UK-based controller’s overseas processor or joint controller; when a restricted transfer is considered to take place (for example, whether it would include the return of data from a UK processor to a non-UK controller); and lastly, the application of the derogations under Article 49 of the UK GDPR, including the extent to which the derogations may be relied on.
Be aware, the IDTA (which will replace the current set of SCCs for transfers of personal data from the UK) accommodates different types of transfer arrangements, such as UK controller to non-UK controller, and UK controller to non-UK processor, with several options to choose from depending on the relevant transfer.
Interestingly, the ICO has proposed that the new EU SCCs, published by the European Commission in June 2021, could be used as an alternative to the new IDTA for transfers of personal data from the UK, subject to the use of a ‘UK addendum’.
The UK addendum replaces provisions drawn from the EU data protection regime with UK legislation references and addresses issues such as governing law and choice of forum and jurisdiction for disputes. This may be useful for many controllers and processors that transfer personal data from both the UK and the EEA, as it essentially allows them to use one set of clauses for their data transfers (with the addition of the UK addendum for transfers from the UK), instead of having to use both the EU Standard Contractual Clauses and the UK IDTA (if adopted, and before then the existing Standard Contractual Clauses for transfers of personal data from the UK).
Finally, some practical notes for contractors and freelancers
For UK contractors who want to be sure they have not missed the key takeaways of this far-from-straightforward area, and the direction of this far-from-simple consultation, it is important to ensure that all your privacy documentation is up to date, including contracts with suppliers or clients based abroad who may process or share personal data on your behalf.
In addition, contractors should ensure compliance with privacy obligations in any other case where their operations or scope of work involve transferring data outside of the UK. In many cases, data transfers will be covered by “adequacy.” As we said at the outset, that’s most fortunate. However, contractors should consider that such adequacy status is only valid for a period of four years. So, it is not outside the realm of possibility that it could be challenged before this period expires – especially since it has not been a welcome change in the eyes of everyone, particularly those critical of the UK’s national security laws.
The ICO’s work around IDTAs, and its consultation, are a requirement under s119A of the Data Protection Act 2018 (UK GDPR). The consultation will inform the final documents the ICO will lay before the UK parliament. The office says the consultation will remain open until 5pm on 7 October 2021 to receive feedback, and we recommend contractors contribute, or reach out to us if you have your own data protection queries, personally or professionally.