Posts Tagged ‘transfer impact assessment’

|

What’s happening with SCCs? – Part 3 (UK SCCs)

Part 1 and Part 2 of the What’s been happening with SCCs? updates have tracked the EU’s and the UK’s progress in developing standard contractual clauses (SCCs) to deal with the transfer of personal data to third countries, i.e. countries that are not considered to have an ‘adequate’ level of data protection, as well as the publication of the new EU SCCs.  This update focuses on the UK SCCs.

On 11th August 2021 the ICO launched a  consultation on ‘how organisations can continue to protect people’s personal data when it’s transferred outside of the UK‘.  As part of the consultation the ICO published its proposal for UK standard contractual clauses in the form of a brand new international data transfer agreement (IDTA), as well as its new Transfer Risk Assessment (TRA) and tool.  The ICO is also requesting comments on an update of its existing guidance on international transfers.  The consultation closes on 7th October 2021.

All very interesting I’m sure.  But is any of this relevant to me?

Short version is that if you’re transferring UK citizens’ personal data to a ‘third country’ (i.e. a country which is not considered by the UK to have ‘adequate’ data protection laws (full list here), then yes. You will need to use one of the transfer mechanisms (or ‘appropriate safeguards‘) set out in Article 46 of the GDPR (now incorporated into UK law as the UK GDPR, as amended).  And although the UK GDPR provides for a variety of transfer mechanisms, for most businesses the only practical option in these circumstances will be for both the (UK) data exporter and (third country) data importer to enter into an IDTA, having first completed a Transfer Risk Assessment (TRA).

Bear in mind that for these purposes:

Ah, ok.  So what do I need to know?

The new IDTA and TRA requirements will not not become law until the end of 2021 or, more likely, spring 2022.  Between now and then the situation is a bit of a mess.  UK law provides that the old EU SCCs must continue to be used as the Article 46 transfer mechanism, even after 27 September 2021 when they cease to be lawful for new EU cross-border data transfers.  Although some commentators have suggested that, in a post-Schrems II world, a better approach is for UK data exporters to use the new EU SCCs until the new IDTA is adopted, my view is that for the time being most UK data exporters should stay compliant with UK law and either make Brexit-required changes to their existing SCCs or, for new transfers, put in place a data transfer agreement based on the old EU SCCs.

The timelines for UK data exporters being legally required to use the new IDTA for international data transfers will be 3 months for new transfers and 21 months for existing transfers, each period running 40 days from the date on which the IDTA is laid before Parliament as a regulation.

Some high-level comments on the IDTA:

  1. In contrast to the modular new EU SCCs (which will need quite a bit of copying and pasting), the IDTA is a single agreement, made up of four parts:
    • Part 1 (Parties and signature) sets out a series of tables which capture the variables, including the status of the parties (i.e. controller, processor etc), details of the proposed data transfers, details of the data to be transferred, purposes of the transfers, and the security requirements.  If the IDTA forms part of an MSA or other commercial agreement between the exporter and importer, the MSA can be recorded as a ‘Linked Agreement’.
    • Part 2 (Extra Protection Clauses) is optional, but enables the parties to include any additional security, organisational and/or contractual protections that are considered necessary following the TRA.
    • Part 3 (Commercial Clauses) is also optional, enabling the parties to include any commercial terms that they have agreed.
    • Part 4 (Mandatory Clauses) constitutes the bulk of the IDTA, and sets out the parties’ rights and obligations in relation the data transfers.
  2. The ICO have done their best to use plain English and avoid legal terminology, and generally to keep the IDTA as user-friendly as possible.  But the IDTA template (excluding guidance notes and Q&A) runs to 43 pages, and putting one in place will require a fair bit of work.
  3. For organisations putting in place new EU SCCs for EEA-to-third country data transfers,  the ICO has helpfully produced a short addendum which, once completed and signed, will enable the EU SCCs to be used also for transfers from the UK.
  4. In contrast to the new EU SCCs, which need to be reviewed ‘at appropriate intervals’ the IDTA (and associated TRA) should be reviewed annually, which is perhaps overly onerous for low-risk transfers.
  5. A more detailed analysis of the Mandatory Clauses of the IDTA to follow once the ICO consultation is completed.

And some comments on the TRA:

  1. The TRA precedent is intended to be use for medium and low risk transfers.  High risk transfers, such as transfers to countries with poor human rights records, are likely to require more sophisticated transfer risk assessments.  The TRA is not mandatory – data exporters are free to use what form of risk assessment they consider appropriate.
  2. As with the IDTA, the ICO have done their best to make the TRA accessible and user friendly.  It contains numerous, ‘real life’ practical examples showing when transfers may be permitted.  It also explains what constitutes high, medium and low risk in the context of international transfers, and (helpfully) confirms that where the risk of harm that the transfer causes to data subjects is minimal then the transfer is permitted by default.
  3. But the TRA is 49 pages long, and will constitute a significant undertaking for all but the most well-resourced data exporters.  And although the ICO recognises the challenge that data exporters face in obtaining information about the legal framework of the data importer’s country, suggesting that information may be available via ‘reports issued by the Foreign Commonwealth and Development Office and charitable organisations‘, the ICO does not address the obvious question why this information cannot be provided by the ICO (and/or appropriate government department), instead suggesting that data exporter may need to obtain ‘expert advice‘.
  4. On a positive note, and unlike the new EU SCCs, the objective of the TRA is not necessarily to ensure that the legal framework of the data importer’s country is ‘essentially equivalent’, but whether it provides ‘very similar protections’ to those in the UK.  The TRA also makes the point that countries which have surveillance regimes may in fact be more legitimate than countries whose lack of surveillance laws may suggest a lack of safeguards.
  5. The findings from the TRA must be documented to ensure there a record of the assessment. If a data exporter uses its best efforts to complete the TRA, the ICO will take this into account in any regulatory action resulting from a later GDPR breach.

Hmm… 49-page risk assessments and 43-page data transfer agreements.  Doesn’t exactly sound ‘agile’?

You’re referring to the comments of the UK culture secretary, Oliver Dowden, who suggested in his article in the FT last February that that the UK can now be more ‘agile’ when it comes to ‘[striking] our own international data partnerships with some of the world’s fastest growing economies’.

If we accept the importance of ensuring a meaningful level of protection for UK citizens’ data when shared with third parties outside the UK then we either have to provide a mechanism which gives organisations the ability to put in place a framework to ensure a meaningful level of protection, or we go down the data localisation route and make it unlawful for personal data to be transferred from the UK to any ‘third country’.

Despite the reservations mentioned above, the ICO have in my view done a good job striking a balance between the need for ‘agility’, and the need to provide meaningful protection of personal data in a world which, for the most part, falls far behind the ‘gold standard’ of EU and now UK data protection.  But the elephant in the room remains why the ICO (or appropriate government department) cannot provide UK data exporters carrying out a TRA with guidelines regarding each third country’s legal framework, third-party surveillance rights and safeguards, and their similarity to those in the UK.  It will be interesting to see if this is addressed by the consultation.

 

 

 

Tags: , , , , , , , , , ,
Posted in Privacy, Updates | No Comments »

Transfer Impact Assessment – what is it, and do I need to do one?

In July 2020 the European Court of Justice in its ‘Schrems II’ judgment invalidated the EU-U.S. Privacy Shield.  In their judgement the ECJ, whilst upholding Standard Contractual Clauses (SCCs) as a transfer tool, made it clear that data exporters (i.e. organisations within the EEA which transfer personal data to countries outside the EEA) must “verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned”.

Following the Schrems II judgment, the European Data Protection Board (EDPB) issued two pieces of guidance to help data exporters with the analysis required by the ECJ: Measures that supplement transfer tools (Recommendations 01/2020); and European Essential Guarantees (Recommendations 02/2020).  In addition, the European Commission published updated draft SCCs for consultation, which are expected to be adopted in March 2021.

In practice, this means that businesses which propose to transfer – or to continue to transfer – personal data using SCCs (or another transfer tool) to a third country must first carry out a transfer impact assessment (TIA) with a successful outcome in accordance with the six-step process set out in the EDPB’s Measures that supplement transfer tools (Recommendations 01/2020):

Step 1:  Map your data flow, i.e. the scope and categories of personal data to be transferred, the data subjects concerned, and the purposes for which the data is being transferred.

Step 2: Identify your transfer tool, which will usually be SCCs but could be for example Binding Corporate Rules (BCRs).

Step 3: Assess the laws of the third country for the purpose of identifying any respects in which those laws may not permit the data importer to comply with its obligations under the SCCs (or other transfer tool), and therefore not provide protection which is essentially equivalent to that provided by EU law.  The EDPB’s European Essential Guarantees (Recommendations 02/2020) sets out the minimum standards by which the third country’s laws can be assessed.

Step 4: Identify appropriate supplementary measures to remedy any shortcomings disclosed by the assessment in Step 3.  Supplementary measures may contractual, technical or organisational in nature.

Step 5: Implement your supplementary measures.

Step 6: Re-evaluate your assessment at appropriate intervals.

Also, note that the TIA must be properly documented, and include appropriate supporting documentation such as data mapping records and legal opinions from local counsel.  And if the TIA discloses the existence of local laws which impinge on the effectiveness of the SCCs (or other transfer tool), and no supplementary measures are available to mitigate the risk, then the transfer cannot proceed/must be suspended immediately.

Reaction to the brave new, post-Schrems II world of data transfers has been mixed… Ensuring EU-standard privacy protection for data that is transferred outside the EEA is of course commendable, at least in principle.  But requiring all businesses to not only put in place comprehensive contractual protections (e.g by way of SCCs) but also to carry out a time consuming, technically difficult and potentially very costly TIA for each type of transfer is arguably so onerous that many businesses, particularly SMEs, will take a risk-based view and simply dispense with the TIA.  Other businesses may take the view that exporting data outside the EEA is simply too difficult, and replace its existing service providers with EEA-based providers.

The European Commission (EC) is of course aware of the difficulties that Schrems II has created for EEA organisations, including those which already have established global data sharing networks, and those looking to transfer data to non-EEA service providers for which are no equivalents available in the EEA.  But while we wait for the EC to come up with some more workable alternative options, businesses which are exporting, or looking to export, personal data to third countries may now want to start:

Tags: , , , ,
Posted in Privacy, Updates | No Comments »

Demise of the EU-U.S. Privacy Shield

23/07/20 – If you, as a ‘data exporter’, want to transfer personal data to a country outside the EEA (and which is not one of the 12 countries that have been granted an adequacy decision by the European Commission), then you need to use one of the GDPR-approved ‘transfer mechanisms’. (more…)

Tags: , , , , , , ,
Posted in Privacy, Updates | No Comments »

Get in touch

  • Your email address will only be used to respond to your message