Posts Tagged ‘idta’


UK data protection law update – October 2022

19/10/22 – After the uncertainties regarding post-Brexit transfers of data from the UK to third countries, the International Data Transfer Agreement (IDTA) finally came into force on 21st March 2022.  Since then things have been a bit calmer.  Or at least until a couple of weeks ago when the Secretary of State for Digital, Culture, Media and Sport, Michelle Donelan, announced at the Conservative party conference that the government proposes to replace GDPR with a ‘consumer-friendly British data protection system’.

This update looks at the changes to UK data protection law that are currently being considered by Parliament and recent progress being made with post-Schrems II transfers of personal data to the U.S., and finishes with some thoughts on Michelle Donelan’s announcement.

Data Protection and Digital Information Bill

Last year the government announced a plan to create an ‘ambitious, pro-growth and innovation-friendly data protection regime’ for the UK, and following an extensive consultation the Data Protection and Digital Information Bill (‘DPDI Bill’) was introduced to Parliament on 18 July 2022.

The DPDI Bill proposes a number of changes to the UK GDPR and Data Protection Act 2018. Despite the government’s lofty goals, most if not all of the changes can probably best be characterised as relatively minor adjustments and, with the exception of changes to the law on cookies, will make little difference to the majority of businesses.  Changes proposed by the DPDI Bill include:

  1. Clarification of the definition of ‘personal data’. Whether an individual is or can be identified is to be determined only from the perspective of the controller, the processor and any third party who will likely receive the information, rather than by absolutely anyone in the whole world.  Also, when assessing whether data has been sufficiently anonymised (and not just pseudonymised), only additional information that is available ‘by reasonable means’ needs to be considered, rather than all information that could be obtained irrespective of effort.
  2. When a controller is considering legitimate interests as a lawful basis for processing personal data and, as part of that exercise, assessing whether the controller’s interests outweigh those of the data subject, the controller may now rely on a list of ‘automatic’ legitimate interests.  Although the list may be extended by the Secretary of State, it is currently limited to ‘public interest, national security, public security and defence, emergencies, safeguarding vulnerable individuals and democratic engagement’.  Until it is extended the list will therefore be of limited help to most businesses.
  3. A new test for the transfer risk assessment carried out before transferring personal data from the UK to a third country.  Instead of verifying whether the level of protection required by UK law is applied in the third country (the ‘essentially equivalent’ test), controllers can take a risk-based approach based on outcomes, assessing whether the level of protection in the third country is ‘not materially lower’ than that provided in the UK.  The new test will also apply to the Secretary of State when making an adequacy determination.
  4. The requirement for certain organisations to designate a Data Protection Officer (DPO) is replaced with an obligation for public bodies and organisations carrying on ‘high-risk processing’ to appoint a Senior Responsible Individual (SRI), who must be part of the organisation’s senior management. For most organisations this will simply be a rebadging exercise.
  5. The requirement to carry out a Data Protection Impact Assessment (DPIA) to determine whether proposed processing may result in a high risk to data subjects and, if so, to consult with the Information Commissioner’s Office (ICO) is replaced with a requirement to carry out an ‘assessment of high-risk processing’, with a consultation with the ICO being voluntary.
  6. Controllers may currently refuse to respond to a data subject request which is ‘manifestly unfounded or excessive’. This test is replaced in the DPDI Bill with ‘vexatious or excessive’.  I expect I’m not the only one wondering how much of a difference this will make in practice.
  7. The ICO is renamed the Information Commission, and is given a broad range of new duties, including to promote innovation and competition.
  8. Website operators are currently required to obtain user consent for all cookies unless they are ‘strictly necessary’ for the functioning of the website. This is extended to cookies used for installing necessary security updates, ensuring user preferences are followed, and collecting information for statistical purposes to make improvements to the services, with a right for the user to opt out.

Progress of the DPDI Bill has however stalled.  Its second reading in Parliament was postponed on 5th September 2022 following the announcement of Liz Truss’s leadership victory.  And, in light of Michelle Donelan’s recent announcement, the bill could of course be abandoned altogether.

Transfers of personal data to the U.S.

Perhaps the thorniest issue for controllers and processors since the CJEU’s Schrems II decision is whether – and if so how – they can lawfully transfer personal data to the U.S.  By way of a reminder, the CJEU in Schrems II invalidated the U.S.-EU Privacy Shield as a transfer mechanism, and then made it clear that EU data exporters cannot rely on Standard Contractual Clauses (SCCs) for transfers to the U.S. without addressing the lack of safeguards for data subjects as a result of U.S. signals surveillance activities.  The UK in effect inherited the Schrems II problem under the EU-UK Withdrawal Agreement.

The EU and the U.S. have however now made good progress.  On 7th October 2022 President Biden signed an Executive Order (EO) which adopts a number of measures to limit U.S. signals surveillance activities, provides individuals with the right to have such activities reviewed and creates a mechanism for individuals to obtain redress.  The EO also implements the EU-U.S. Data Privacy Framework announced earlier this year, in effect a relaunch of the Privacy Shield as a transfer mechanism for EU-U.S. data transfers.  In response the European Commission stated that the actions set out in the EO will “address the concerns raised by the Court of Justice of the European Union in the Schrems II decision”, and the Commission is now expected to make the EU-U.S. Data Privacy Framework the basis of an adequacy determination for the U.S.  Pending the adequacy determination, the new safeguards confirmed in the EO are already helpful to EU organisations carrying out a transfer impact assessment to assess whether they can use SCCs to transfer EU personal data to the U.S.

On the same day as the EO was signed, Michelle Donelan and the US Secretary of Commerce issued a joint statement announcing ‘significant progress on UK-US data adequacy discussions’. In particular, the UK will continue to work to conclude its adequacy determination for the U.S., and the U.S. will work to designate the UK as a qualifying state under the EO, which would give UK data subjects equivalent protections to those that are now afforded to EU data subjects.  No indication was given how long this work will take, but it will almost certainly be months rather than weeks.  In the meantime, UK organisations proposing to export personal data to the U.S. will want to consider the progress being made on the UK-U.S. data adequacy discussions when carrying out their Transfer Risk Assessments.

Replacing the GDPR

Michelle Donelan’s announcement that the government will be replacing the GDPR, adding for good measure that ‘it is time we seize this post-Brexit opportunity fully and unleash the full growth potential of British business’, went down well with the audience at the Conservative party conference.  It’s perhaps unlikely however that many people in the audience were familiar with the detail of the GDPR, and the challenges of creating a data protection regime which achieves the right balance between freedom to use individuals’ personal information and the privacy rights of those individuals.

The reality is that the GDPR is now considered internationally to be the gold standard for data protection and privacy, with the GDPR model being adopted by a number of countries implementing or updating their own data protection laws (at least 17 countries according to one commentator).  Having a data protection regime which is ‘essentially equivalent’ to the EU GDPR is also a condition for securing (or in the case of the UK maintaining) an EU adequacy status, which in turn allows the free flow of personal data to and from the EU.  Any new ‘British data protection system’ which diverges significantly from the EU GDPR would jeopardise the renewal of the UK’s EU adequacy status in 2025.  So whilst Michelle Donelan’s announcement may have gone down well with the pro-Brexit diehards, and we may see further adjustments along the lines of those proposed in the DPDI Bill, I expect the GDPR will be with us for a while yet.


UK IDTA comes into force

21/03/22 – As expected, the International Data Transfer Agreement (IDTA), as well as the Addendum to EU SCCs, came into force today as appropriate safeguards for transfers of personal data from the UK to third countries under Article 46 of the UK GDPR.  As part of the transitional arrangements the old EU SCCs (with appropriate modifications to make them ‘work’ for UK exporters) can continue to be used as an appropriate safeguard until 21 September 2022 and, if the processing remains unchanged, are capable of remaining valid until 21 March 2024.  If you’re not sure what I’m talking about, have a look at my 01/02/22 update.

We are still waiting for the ICO to publish a final version of their new Transfer Risk Assessment (TRA) precedent and tool.  In the meantime prospective exporters’ best bet is likely to be to use the draft version from the ICO’s consultation last year.  More information about TRAs here.  I will keep you updated.


What’s happening with UK international data transfers?

01/02/22 – If you or your organisation transfers, or may transfer, personal data to third countries, i.e. countries that are not considered to have an ‘adequate’ level of data protection (which currently includes the U.S.), then read on.  If not, then feel free to skip.

Back in August last year we looked at a brand new international data transfer agreement (‘IDTA’) template, together with a new international data transfer addendum to be used with EU SCCs (‘Addendum’), that the ICO published as part of its consultation on ‘how organisations can continue to protect people’s personal data when it’s transferred outside of the UK’.

The ICO’s consultation closed on 7th October 2021, and on 28th January 2022 the Department for Culture, Media and Sport (DCMS) laid the final versions of the IDTA, the Addendum, plus the transitional provisions before Parliament.  Unless the relevant statutory instrument is ‘objected to’ (which, given its subject matter, is very unlikely), the IDTA, the Addendum and the transitional provisions will come into force on 21 March 2022.

UK data exporters who enter into agreements with their data importers based on the old EU SCCs (i.e. Standard Contractual Clauses issued under European Commission Decisions 2001/497/EC and 2010/87/EU) on or before 21st September 2022 may, if the subject matter of the processing remains unchanged, continue to rely on those agreements until 21st March 2024.  Note that this only applies where the agreements based on the old EU SCCs were modified to ‘fit’ post-Brexit UK data protection laws, and will not apply to EU SCCs entered into prior to Brexit.

Although the ICO have not yet published the responses from the consultation, the changes to the IDTA are limited, with the main ones being:


What’s happening with SCCs? – Part 3 (UK SCCs)

Part 1 and Part 2 of the What’s been happening with SCCs? updates have tracked the EU’s and the UK’s progress in developing standard contractual clauses (SCCs) to deal with the transfer of personal data to third countries, i.e. countries that are not considered to have an ‘adequate’ level of data protection, as well as the publication of the new EU SCCs.  This update focuses on the UK SCCs.

On 11th August 2021 the ICO launched a consultation on ‘how organisations can continue to protect people’s personal data when it’s transferred outside of the UK’.  As part of the consultation the ICO published its proposal for UK standard contractual clauses in the form of a brand new international data transfer agreement (IDTA), as well as its new Transfer Risk Assessment (TRA) and tool.  The ICO is also requesting comments on an update of its existing guidance on international transfers.  The consultation closes on 7th October 2021.

All very interesting I’m sure.  But is any of this relevant to me?

Short version is that if you’re transferring UK citizens’ personal data to a ‘third country’ (i.e. a country which is not considered by the UK to have ‘adequate’ data protection laws; full list here), then yes. You will need to use one of the transfer mechanisms (or ‘appropriate safeguards’) set out in Article 46 of the GDPR (now incorporated into UK law as the UK GDPR, as amended).  And although the UK GDPR provides for a variety of transfer mechanisms, for most businesses the only practical option in these circumstances will be for both the (UK) data exporter and (third country) data importer to enter into an IDTA, having first completed a Transfer Risk Assessment (TRA).

Bear in mind that for these purposes:

Ah, ok.  So what do I need to know?

The new IDTA and TRA requirements will not become law until the end of 2021 or, more likely, spring 2022.  Between now and then the situation is a bit of a mess.  UK law provides that the old EU SCCs must continue to be used as the Article 46 transfer mechanism, even after 27 September 2021 when they cease to be lawful for new EU cross-border data transfers.  Although some commentators have suggested that, in a post-Schrems II world, a better approach is for UK data exporters to use the new EU SCCs until the new IDTA is adopted, my view is that for the time being most UK data exporters should stay compliant with UK law and either make Brexit-required changes to their existing SCCs or, for new transfers, put in place a data transfer agreement based on the old EU SCCs.

The timelines for UK data exporters being legally required to use the new IDTA for international data transfers will be 3 months for new transfers and 21 months for existing transfers, each period running 40 days from the date on which the IDTA is laid before Parliament as a regulation.

Some high-level comments on the IDTA:

  1. In contrast to the modular new EU SCCs (which will need quite a bit of copying and pasting), the IDTA is a single agreement, made up of four parts:
    • Part 1 (Parties and signature) sets out a series of tables which capture the variables, including the status of the parties (i.e. controller, processor etc), details of the proposed data transfers, details of the data to be transferred, purposes of the transfers, and the security requirements.  If the IDTA forms part of an MSA or other commercial agreement between the exporter and importer, the MSA can be recorded as a ‘Linked Agreement’.
    • Part 2 (Extra Protection Clauses) is optional, but enables the parties to include any additional security, organisational and/or contractual protections that are considered necessary following the TRA.
    • Part 3 (Commercial Clauses) is also optional, enabling the parties to include any commercial terms that they have agreed.
    • Part 4 (Mandatory Clauses) constitutes the bulk of the IDTA, and sets out the parties’ rights and obligations in relation to the data transfers.
  2. The ICO have done their best to use plain English and avoid legal terminology, and generally to keep the IDTA as user-friendly as possible.  But the IDTA template (excluding guidance notes and Q&A) runs to 43 pages, and putting one in place will require a fair bit of work.
  3. For organisations putting in place new EU SCCs for EEA-to-third country data transfers, the ICO has helpfully produced a short addendum which, once completed and signed, will enable the EU SCCs to be used also for transfers from the UK.
  4. In contrast to the new EU SCCs, which need to be reviewed ‘at appropriate intervals’, the IDTA (and associated TRA) should be reviewed annually, which is perhaps overly onerous for low-risk transfers.
  5. A more detailed analysis of the Mandatory Clauses of the IDTA to follow once the ICO consultation is completed.

And some comments on the TRA:

  1. The TRA precedent is intended to be used for medium and low risk transfers.  High risk transfers, such as transfers to countries with poor human rights records, are likely to require more sophisticated transfer risk assessments.  The TRA is not mandatory – data exporters are free to use whatever form of risk assessment they consider appropriate.
  2. As with the IDTA, the ICO have done their best to make the TRA accessible and user friendly.  It contains numerous, ‘real life’ practical examples showing when transfers may be permitted.  It also explains what constitutes high, medium and low risk in the context of international transfers, and (helpfully) confirms that where the risk of harm that the transfer causes to data subjects is minimal then the transfer is permitted by default.
  3. But the TRA is 49 pages long, and will constitute a significant undertaking for all but the most well-resourced data exporters.  And although the ICO recognises the challenge that data exporters face in obtaining information about the legal framework of the data importer’s country, suggesting that information may be available via ‘reports issued by the Foreign Commonwealth and Development Office and charitable organisations’, the ICO does not address the obvious question why this information cannot be provided by the ICO (and/or appropriate government department), instead suggesting that data exporters may need to obtain ‘expert advice’.
  4. On a positive note, and unlike the new EU SCCs, the objective of the TRA is not necessarily to ensure that the legal framework of the data importer’s country is ‘essentially equivalent’, but whether it provides ‘very similar protections’ to those in the UK.  The TRA also makes the point that countries which have surveillance regimes may in fact be more legitimate than countries whose lack of surveillance laws may suggest a lack of safeguards.
  5. The findings from the TRA must be documented to ensure there is a record of the assessment. If a data exporter uses its best efforts to complete the TRA, the ICO will take this into account in any regulatory action resulting from a later GDPR breach.

Hmm… 49-page risk assessments and 43-page data transfer agreements.  Doesn’t exactly sound ‘agile’?

You’re referring to the comments of the UK culture secretary, Oliver Dowden, who suggested in his article in the FT last February that the UK can now be more ‘agile’ when it comes to ‘[striking] our own international data partnerships with some of the world’s fastest growing economies’.

If we accept the importance of ensuring a meaningful level of protection for UK citizens’ data when shared with third parties outside the UK then we either have to provide a mechanism which gives organisations the ability to put in place a framework to ensure a meaningful level of protection, or we go down the data localisation route and make it unlawful for personal data to be transferred from the UK to any ‘third country’.

Despite the reservations mentioned above, the ICO have in my view done a good job striking a balance between the need for ‘agility’, and the need to provide meaningful protection of personal data in a world which, for the most part, falls far behind the ‘gold standard’ of EU and now UK data protection.  But the elephant in the room remains why the ICO (or appropriate government department) cannot provide UK data exporters carrying out a TRA with guidelines regarding each third country’s legal framework, third-party surveillance rights and safeguards, and their similarity to those in the UK.  It will be interesting to see if this is addressed by the consultation.
