This article was originally published by CIO Applications.
International data transfers have long been a thorny issue, but they currently take the crown as the greatest cause of data protection headaches for privacy professionals. Birketts takes a look at why data transfers have become so challenging and considers whether legal reform might provide a solution.
There are currently three clearly identifiable factors contributing to data transfer difficulties:
- Schrems II;
- The introduction of new standard contractual clauses; and
- The increasing divergence in approach for transfers subject to EU GDPR and UK GDPR.
When it comes to Schrems II, negotiations for new UK-US and EU-US data transfer mechanisms are now well in hand, albeit much uncertainty remains as to whether any resulting solutions will be sufficiently robust to withstand fresh legal challenges. However, the issue of greatest practical impact for most privacy professionals is the transfer risk assessment (TRA) requirement.
Whilst there is guidance available from the European Data Protection Board (see Recommendations 01/2020) and pending from the Information Commissioner’s Office, this is proving to be of little practical assistance to the average SME. Knowing that a requirement exists to “assess whether the standard contractual clauses or binding corporate rules are effective in light of all the circumstances of the transfer” is easy. Meeting the requirement is more problematic.
Identifying relevant legislation and practice in another jurisdiction, assessing whether it is necessary and proportionate in a democratic society, and determining whether (and what) supplemental measures may be needed to enhance the protections afforded by the Article 46 transfer tool, is far from easy. One has to query how many organisations have access to the level of legal and technical expertise required to undertake an effective TRA. Without such expertise, does the TRA actually play any meaningful role in protecting personal data or is it reduced to a mere box ticking exercise?
In the absence of a practical solution to assist organisations in completing TRAs, is it possible that the solution may lie in legal reform?
The Retained Law (Revocation and Reform) Bill 2022 sets out a clear timetable for the revocation of retained EU legislation, but the future status of EU case law (such as Schrems II) is less clear. It is overly optimistic to assume that Schrems II will simply cease to have effect upon the arrival of a designated date.
The Data Protection and Digital Information Bill specifically seeks to minimise the impact of the Schrems II decision (at least, so said the Government when it introduced the Bill). It brings a more proportionate, risk-based approach to data transfers but, ultimately, still requires organisations to complete a pre-transfer “data protection test”. The question therefore arises as to whether this is simply a TRA under a different name. Speculation may be premature: progress of the Bill has stalled, with the Culture Secretary, Michelle Donelan, indicating that it may be significantly rewritten.
Organisations are also grappling with the introduction of new standard contractual clauses (SCCs).
New EU SCCs were launched in June 2021. These became mandatory for any new data transfer arrangements entered into from 27 September 2021, but organisations which had already entered into transfer agreements using the old SCCs prior to that date have until 27 December 2022 to update existing agreements.
The new EU SCCs cover a broader range of transfers than the old SCCs and are user friendly with a modular form that makes producing the documentation reasonably straightforward. They also incorporate the Article 28 data processing clauses meaning there is no need to execute separate data processing agreements. Overall, they have been well received. However, they have one major drawback: they don’t apply to transfers subject to UK GDPR.
Transfers subject to UK GDPR still had to be made under the old SCCs until March 2022, when the new UK International Data Transfer Agreement (IDTA) and Addendum came into effect. Until 21 September 2022 organisations could choose whether to use the old SCCs or the new IDTA/Addendum when entering into new transfer arrangements, but from 22 September 2022 the IDTA/Addendum must be used.
The IDTA is a stand-alone transfer agreement. It covers an even broader range of transfer scenarios than the new EU SCCs but, unlike the EU SCCs, it does not incorporate Article 28 clauses or follow the same user-friendly modular approach.
The Addendum is a short-form document that supplements the EU SCCs to cover transfers under UK GDPR, and is particularly helpful to organisations whose data transfers are subject to both EU and UK GDPRs. Note that the Addendum cannot be used with the old SCCs.
Organisations making transfers under UK GDPR have until 21 March 2024 to update any transfer agreements made prior to 22 September using the old SCCs and implement the IDTA or EU SCCs plus Addendum.
The biggest challenge in using the IDTA and Addendum is the ICO’s continuing failure to produce its promised guidance. Many organisations are undoubtedly dragging their heels and delaying updating their data transfer agreements until such time as this becomes available.
It seems likely that we will be working with the new EU SCCs, IDTA and Addendum for some time to come, so time spent in becoming familiar with the documents and guidance (once available) will be a worthwhile investment.
The fact that we are now required to use different instruments for transfers subject to the EU and UK GDPRs speaks directly to the third and final factor behind the increasing complexity of data transfers: the divergence of approach between the UK and EU.
Not only do we have two materially different sets of instruments (with entirely different timetables for implementation), but we also now have different adequacy decisions in place. The EU’s adequacy decision in respect of the Republic of Korea does not apply in the UK, and nor will any other EU decisions made going forward. Likewise, any adequacy regulations made by the UK will not apply to transfers subject to EU GDPR.
More significantly, privacy practitioners are starting to note differences between EU and UK guidance as to when transfers actually fall within Chapter V. Any potential differences here are likely to come to the fore once the ICO publishes its guidance on the IDTA and Addendum.
Discussions around UK data law reform have tended to focus on how limited our ability is to depart too far from the EU GDPR for fear of losing coveted EU adequacy status. Looked at through the lens of data transfers, it becomes apparent that even a moderate degree of divergence can cause significant practical compliance challenges, prompting the question: at what point does it become easier to simply abandon the quest for EU adequacy?
For more information on the contents of this article, please contact Mark Gipson.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at January 2023.