
Current status of international data transfer rules

Within the last 12 months or so, two privacy law developments have had tremendous implications for companies controlling, processing and transferring data between the UK, EU and elsewhere: (i) the European Court of Justice Schrems II decision, and (ii) of course, Brexit. Both have thrown new challenges and questions into the mix for companies transferring data across the Atlantic and for those involved in cross-border investment activities.

The steps that the United Kingdom will take that diverge from the EU privacy regime will continue to be discovered as time passes. The UK Government is insistent that its goal is to “work globally to remove unnecessary barriers to cross-border data flows”, which will be welcomed by companies both within the UK, and in the list of ‘third countries’: those countries where neither the UK nor the EU has published an adequacy decision (that the country’s privacy regime provides an equivalent level of data protection to the GDPR); the US being one.

Whether companies can continue to transfer data between the UK and the EU was resolved when the EC made an adequacy decision in respect of the UK on 28 June 2021, so the free flow of data between the UK and the EU can continue so long as the transfers are otherwise compliant with GDPR (although note that you may require to appoint an EU representative in some circumstances). However, if you are transferring data from the EU or the UK to the US, or to any other country for which neither the EC nor the ICO has published an adequacy decision, then you should bear in mind the additional measures that will have to be taken to meet the standard required by the ECJ in the Schrems II judgment.

The difficulty is that whilst Schrems II still applies to the interpretation of the UK GDPR (the portion of the EU GDPR that has been retained post-Brexit), the EU implementing measures do not apply in the UK, and so – as a result – the rules on international data transfers lack clarity. This is clearly frustrating for companies attempting to bring themselves in line with the Schrems II decision now, including those engaging in transatlantic investment deals.

Schrems II Recap

So what did Schrems II say? The ECJ expressed concern about, in particular, section 702 of the US Foreign Intelligence Surveillance Act (FISA), which allows the National Security Agency to obtain intelligence on non-US citizens by harvesting data transferred via underwater cables on the floor of the Atlantic. Due to the potential for widespread surveillance, the ECJ indicated that the US simply does not afford a sufficiently protective privacy regime, and that the EU/US Privacy Shield (which allowed EU companies to transfer data to US companies that had signed up without taking any additional measures) was invalid, so companies could no longer rely on it as a means to compliantly transfer data between the EU and the US.

Following this, it is clear that for most data transfers the most appropriate way to transfer data between the EU/UK and the US (or other third countries) is to incorporate the EU-approved Standard Contractual Clauses (SCCs) into the contract between importer and exporter. However, the decision cast doubt on whether that alone is enough, suggesting that since the SCCs are inherently contractual in nature, supplementary measures may require to be taken to ensure that the level of protection is essentially equivalent to that of the GDPR, including – for example – enhanced pseudonymisation and encryption.

EU Response

On 4 June 2021, the European Commission adopted updated Standard Contractual Clauses (‘new SCCs’), and it was about time given that the last updates were in 2004 (for controller to controller transfers) and 2010 (for controller to processor transfers) (both ‘old SCCs’). The new SCCs take account of both the coming into force of the GDPR in 2018 and the Schrems II ruling. The EC has also published transfer impact assessment (‘TIA’) guidance, which helps companies assess whether they need to supplement the SCCs.

UK Response

The problem for companies transferring data to third countries from the UK, where they need to incorporate the SCCs into their contracts, is that the new SCCs are not applicable in the UK, since they were adopted post-Brexit. The UK needs its own version, but as yet this has not been finalised. In the meantime, the ICO has advised that companies transferring data to third countries should continue to use the old SCCs until such time as the UK publishes its own.

Promisingly, the ICO launched a Consultation for its own version of the SCCs (renamed International Data Transfer Agreement (‘IDTA’)) on 11 August 2021, which closed on 7 October 2021. The consultation is split into three parts:

  • proposal and plans for updates to guidance on international transfers;
  • proposed transfer risk assessment and tool;
  • the proposed international data transfer agreement.

Compliance

  1. If you are transferring data between the EU and the US (or another third country), then you should:
     • make sure that all of your new contracts incorporate the new SCCs from now on, and undertake a transfer risk assessment to determine whether you may require to adopt additional measures or safeguards; and
     • begin reviewing your existing contracts, and take steps to update them with reference to the new SCCs, and any additional measures necessary following a transfer risk assessment, before the 27 December 2022 deadline.
  2. If you are transferring data between the UK and the US, then you should:
     • continue to use the old EU SCCs, and undertake a transfer risk assessment to determine whether it is necessary to adopt additional supplementary measures to ensure the adequate protection of data; and
     • await the outcome of the ICO Consultation, and thereafter take steps to carry out a transfer risk assessment and update your contracts as necessary with reference to the IDTA, and any additional safeguards deemed necessary.
  3. If you are transferring data anywhere, and require to review your contractual arrangements, this is a good time to also review your Record of Processing Activities (RoPA) to make sure that it is complete and up to date, because this will form a good starting point for the transfer risk assessments that you will inevitably have to undertake in future.

Transfer Risk Assessment

The trickiest part in the above compliance exercise for most companies is likely to be determining whether it is necessary to adopt supplementary measures to safeguard data. The ICO has also published an international transfer risk assessment and tool (‘TRA’), and although this is not in finalised form, it is a helpful starting point for understanding the ICO’s expectations. The assessment is in three steps, and indicates that you should:

  • assess the transfer:
    1. confirm that the data transfer otherwise satisfies the key requirements under the UK GDPR, including data minimisation, security measures, lawful basis, the requirement for a contract, and transparency;
    2. confirm that the TRA is suitable, i.e. whether the destination country is already covered by an adequacy decision, whether an exception to the rule applies, or whether the data transfer is too high risk or complex for the TRA; and
    3. map out the data flows and the specific circumstances of the transfer;
  • assess whether the IDTA is likely to be enforceable in the destination country, and if you have concerns about the enforceability of the IDTA, whether there is a risk of harm to data subjects if it is not enforceable, and whether there are any steps or protections you can take to safeguard the data and reduce the perceived risk; and
  • assess whether there is appropriate protection from third party access, including
    1. assessing the destination country surveillance regime;
    2. assessing whether there is a likelihood of third-party access to the data;
    3. assessing the overall risk of harm arising from third party access; and
    4. whether any supplementary measures are necessary and appropriate to reduce that risk of harm.

Helpfully, if you are a UK company exporting data, as part of the IDTA the importer of personal data must:

  • provide the exporter with all relevant information about the applicable local data protection and privacy laws, and any risks which may apply;
  • verify that it is not aware of any local laws which contradict its obligations under the agreement;
  • cooperate with the exporter to ensure compliance with the agreement; and
  • review local laws on a regular basis, and thereafter notify the exporter of any changes to the local laws which may prevent or limit its compliance with the agreement.

This should make exporters’ jobs easier when carrying out their transfer risk assessments, but it is not such good news if you are a data importer in a third country.

If you have any further questions about international data transfers then please contact our Data Privacy Partner, Andy Harris (andy.harris@mbmcommercial.co.uk) or any member of our IP, Data and Contracts team.
