Transfer Impact Assessments – divergence between EDPB and ICO approaches

Now that the deadlines have passed for implementing:

  • EU Standard Contractual Clauses (“EU SCCs”) into all new and existing contractual arrangements involving restricted transfers of data under the EU GDPR; and
  • the UK equivalent to the EU SCCs (the UK-specific International Data Transfer Agreement (“IDTA”) or the EU SCCs in combination with the UK International Data Transfer Addendum (“UK Addendum”)) into new contractual arrangements involving restricted transfers of data under the UK GDPR (the deadline for implementing the IDTA or UK Addendum into contractual arrangements entered into before 21 September 2022 is not until 21 March 2024),

organisations subject to the EU and UK GDPR must work to fulfil all of the obligations set out in the EU SCCs, IDTA and UK Addendum, including the requirement to conduct Transfer Impact Assessments (“TIAs”).

By way of a recap, TIAs need to be conducted to assess the legal environment of the third country into which personal data is to be sent, taking into account the circumstances of the transfer. In order for a third country to be considered adequate to receive the personal data, the TIA must find that the legal environment into which the data that is the subject of the transfer is to be sent offers essentially equivalent protection to that of the EU under the EU GDPR and UK under the UK GDPR.

The EDPB approach

The EDPB has published guidance to help businesses conduct TIAs, recommending that a TIA should document a detailed assessment of the following:

  1. the details and circumstances of the transfer;
  2. enforceability of contractual safeguards in the third country;
  3. the third country’s data protection legal framework;
  4. the level of risk associated with third party access (including surveillance); and
  5. supplementary measures to protect the data being transferred.

The ICO approach

The ICO has more recently published its own separate guidance on international transfers and has created its own Transfer Risk Assessment (“TRA”) tool as an alternative to the approach for conducting TIAs recommended by the EDPB. The ICO has stated that its aim is “to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.”

Comparing the EDPB and ICO approaches

In comparison to the approach recommended by the EDPB, the ICO’s TRA tool for conducting TIAs is relatively light touch, focussing on whether the circumstances of the data transfer significantly increase the risk to the privacy and other human rights of the individuals and whether the transfer mechanism will be enforceable against the third country importer. This contrasts with the EDPB approach which requires organisations to conduct an in-depth examination of the legal environment to which personal data will be sent.

In addition, the ICO’s TRA tool allows organisations to proceed with what it refers to as low harm risk transfers without needing to conduct any local law assessment at all. This is unlike the EDPB approach, which requires a local law assessment to be conducted in all scenarios and only allows organisations to take the circumstances of a proposed transfer into account when identifying effective supplementary measures to protect the data being transferred.

The ICO’s lighter touch approach is clearly intended to be more business friendly and is potentially a preview for what is to come in the UK following the implementation of the Data Protection and Digital Information Bill.

The ICO has indicated that it is happy for organisations exporting data from the UK to carry out an assessment using either the ICO’s TRA tool or by following the (more rigorous) EDPB approach. However, it remains to be seen as to whether EU supervisory authorities will be as amenable to organisations using the ICO’s TRA tool when exporting data out of the EU or whether they will insist that such organisations follow the EDPB guidance. If the latter proves to be the case, the ICO’s TRA tool will be of most use to UK-centric organisations that only export data out of the UK as organisations exporting data from both the EU and UK will either need to apply a two-track approach or adhere to the EDPB guidance in relation to all transfers.

Duc Tran
Of Counsel, London
+44 20 7466 2954
Katie Reid
Paralegal, London
+44 20 7466 2962

President Biden’s Executive Order implements EU-US data privacy framework

President Biden recently issued an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the Privacy EO) outlining steps that the US Government is taking to implement the US commitments under the European Union-US Data Privacy Framework (the Privacy Framework) that the US and the European Commission (EC) announced in March 2022 to address concerns previously raised by the Court of Justice of the European Union when it invalidated the 2016 EU-US Privacy Shield regime via the 2020 Schrems II ruling (please see our previous blog post on the Privacy Framework here).  Although the EU-US Privacy Shield was designed with the EU’s 2018 General Data Protection Regulation (GDPR) in mind, the court in Schrems II held that the Privacy Shield was inadequate to meet GDPR data privacy standards.  Since Schrems II, companies transferring data between the EU and US have had to rely upon case-by-case assessments and standard contractual clauses (SCCs).  The Privacy EO is designed to address the concerns identified in Schrems II, given the significant economic value of trans-Atlantic data exchanges.

Among other items, Schrems II highlighted (i) the lack of binding safeguards in place under US law to limit the access to personal data by US intelligence agencies to only data which is necessary and proportionate to protect national security, and (ii) the lack of an effective means for redress to replace the “Ombudsman” under the EU-US Privacy Shield.  In summary, the Privacy EO addresses both of these points:

  • It strengthens US privacy safeguards and sets parameters around US “signals intelligence” activities, which refer to the US intelligence community’s collection and analysis of foreign (non-US) electronic, digital and related communications and data.  Notably, the Privacy EO requires collection to be “necessary” and “proportionate” to US national security needs, see Privacy EO § 2(a)(ii)(A), (B), which differs from the “reasonableness” standard under the EU-US Privacy Shield.
  • The Privacy EO also creates a tiered redress mechanism to review privacy-related complaints concerning US signals intelligence activities.  In response to the Privacy EO, the EC announced it would begin preparation of a draft “adequacy” decision and commence its adoption procedures, which could result in a final adequacy decision around March 2023, while also noting that in the EC’s view the Privacy EO would implement “significant improvements” over the Privacy Shield, particularly in respect of avenues to address privacy concerns about US collection activities.  As of this writing, the European Commission has recognized 14 countries as providing an adequate level of data protection for purposes of the GDPR.

The following provides a brief overview of certain requirements that the Privacy EO imposes on the US intelligence community:

Additional safeguards.  The Privacy EO requires that signals intelligence activities must be authorized by and undertaken in accordance with US law or Presidential directive, which will “ensure that privacy and civil liberties are integral considerations in the planning and implementation of such activities.”  Intelligence gathering may be conducted only in pursuit of 12 “legitimate objectives,” which are defined to include (among various matters) understanding the capabilities, intentions, or activities of a foreign government, a foreign military or a foreign organization (including criminal or terrorist organizations) in order to protect US national security and US allies and partners, as well as guarding against cybersecurity threats.  Signals intelligence activities may be conducted only in a manner “that is proportionate to the validated intelligence priority for which they have been authorized.”  Among other activities expressly prohibited by the Privacy EO (and as noted in an accompanying White House fact sheet) is the collection of “foreign private commercial information or trade secrets to afford a competitive advantage” to US businesses, although such information may be lawfully collected to protect US or allied national security interests.

Targeted vs. bulk collection.  Signals intelligence collection, per the Privacy EO, is to be “as tailored as feasible to advance a validated intelligence priority” and may not disproportionately impact privacy and civil liberties.  Targeted collection is the standard, and bulk collection of signals intelligence will not be permitted unless there is a US Government determination that the information necessary to advance a validated intelligence priority “cannot reasonably be obtained by targeted collection.”  Even then, bulk collection may be used only to protect against: (i) terrorism and hostage taking; (ii) foreign espionage, sabotage, assassination, or other intelligence activities; (iii) threats from/proliferation of weapons of mass destruction; (iv) foreign cybersecurity threats or malicious cyber activities; (v) threats to US or allied personnel; and (vi) international criminal threats, including from financial crimes and sanctions evasion.

Handling of personal information.  US intelligence agencies that collect personal information (PI) via signals intelligence must establish procedures to minimize the dissemination and retention of such PI.  Among other restrictions, the Privacy EO limits PI dissemination within the US Government only on a need-to-know basis and only if such information will be “appropriately protected.”  Non-US persons’ PI may be retained “only if the retention of comparable information concerning United States persons would be permitted under applicable [US] law,” and foreign PI will be subject to the same retention periods that would apply to comparable information concerning US persons.

Updated signals intelligence policies and procedures.  The US intelligence community is directed to update their respective policies and procedures, after consultation with the US Attorney General, the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence, and the Privacy and Civil Liberties Oversight Board, in order to implement the privacy and civil liberties safeguards of the Privacy EO.  The policies/procedures are to be published to the extent intelligence and national security factors allow.  Among other requirements, US intelligence entities that collect signals intelligence must provide compliance training to all employees that intersect with such intelligence, and must have in place senior-level legal and oversight officials, including an Inspector General and a Privacy and Civil Liberties Officer, to ensure compliance with the Privacy EO and related laws.

Signals intelligence redress mechanism.  The Privacy EO creates a two-tiered mechanism to investigate and address complaints that PI collected via US signals intelligence activities was collected or handled by the US Government in violation of US law.  At the first level, the CLPO would initially conduct an investigation of the complaint to determine whether US laws were violated, “taking into account both relevant national security interests and applicable privacy protections,” and if so, would determine the “appropriate remediation” for any violation.  CLPO determinations are binding on the US intelligence community, subject to a contrary determination by the newly established Data Protection Review Court.

The second redress level involves review by that Data Protection Review Court (DPRC).  Shortly after the Privacy EO was issued, and as directed by the Privacy EO, the US Department of Justice issued regulations establishing the DPRC (see 28 C.F.R. Part 201) in a Final Rule published on October 7, 2022 (the DPRC Regulations).  The preamble to the DPRC Regulations provides that the DPRC will review determinations made by the CLPO in response to qualifying complaints that allege certain violations of US law in connection with US signals intelligence activities.  The DPRC Regulations impose a standard of proof of “substantial evidence,” which is the standard applied by US administrative agencies.  It generally represents a lower standard than, for example, the “preponderance of the evidence” standard used in the civil context.

To facilitate independent and impartial review, DPRC judges are not subject to the day-to-day supervision of the US Attorney General, and have certain protections against removal from office. DPRC decisions, including as to remedial measures to be imposed on US intelligence agencies, will be deemed final and binding.  To assist the DPRC’s review, the Privacy EO and attendant regulations provide for the selection of a “special advocate” to press the complainant’s interests and make sure that the DPRC panel is “well informed of the issues and the law” with respect to the matter under review.

Finally, the White House issued a National Security Memorandum dated October 7, 2022, which partially revokes Presidential Policy Directive 28 (PPD-28) dated January 17, 2014.  The court in Schrems II specifically cited PPD-28 as a key component of its finding that the United States lacked adequate protections, noting that PPD-28 does not create actionable rights for data subjects in US courts and allows for “bulk” data collection.


The US Secretary of Commerce will transmit letters from the relevant US government agencies regarding the operation and enforcement of the Framework and the Privacy EO in the coming weeks and will work with Privacy Shield participants (i.e., the more than 5000 companies currently registered under the EU-US Privacy Shield) to facilitate the transition to the new Framework.  A number of additional steps will be required before the Privacy EO and DPRC Regulations are fully implemented, including, but not limited to, an adequacy decision from the EU.

We will continue to monitor developments.


Joseph Falcone
Partner
+1 917 542 7805
Christopher Boyd
Associate
+1 917 542 7821


WHAT WE KNOW SO FAR ABOUT THE NEW TRANS-ATLANTIC DATA PRIVACY FRAMEWORK

Summary

Following the European Commission’s (“EC”) announcement of the new Trans-Atlantic Data Privacy Framework (the “Framework”) earlier this year, lawyer and privacy activist Max Schrems’ organisation, NOYB, recently issued an open letter to EU and US officials arguing that the proposed framework is unlikely to withstand legal challenge and overly resembles its predecessor, the now-defunct Privacy Shield.

In this article, we set out what we know about the Framework so far.

Background

The Framework is intended to enable data transfers to be made from the EU to participating US companies in a safe and secure manner, presumably without the need for additional safeguards (e.g. entry into standard contractual clauses (“SCCs”) and the more recent accompanying requirement to conduct transfer impact assessments (“TIAs”)) and in a way that was possible when the Safe Harbour scheme and Privacy Shield were still valid.

By way of a recap, the Safe Harbour scheme allowed participating US companies to self-certify that they adhered to seven key data protection principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and complied with various EU-focussed data privacy requirements. However, in 2015, the Court of Justice of the European Union (“ECJ”) ruled that the US Safe Harbour scheme was invalid (Schrems v DPC) on the grounds that it did not provide EU citizens with a clear mechanism of redress for data privacy concerns and permitted excessive access by US authorities to the personal data of such EU citizens.

After the Safe Harbour scheme was invalidated, the EC and US Department of Commerce passed the EU-US Privacy Shield, which built upon the Safe Harbour scheme in a number of ways with the aim of improving the level of protection afforded to the personal data of EU citizens. However, following the Schrems II decision in 2020, the Privacy Shield regime was also ruled invalid on the basis of, amongst other things, its failure to limit data surveillance powers by US authorities and to provide data subjects with the means to seek effective judicial remedy before an independent body that could offer guarantees in line with EU law.

What will the new framework include?

The Framework will reportedly build upon the structure of the Privacy Shield regime and will focus on several key principles and actions. The Framework will:

  • apply new safeguarding measures to ensure that access to data by US intelligence authorities is limited to what is necessary and proportionate and will only be used in pursuit of defined national security objectives (this has, however, been challenged by NOYB, which highlighted the finding in the Schrems I and II judgments that practices under US surveillance laws are rarely limited to what is necessary and proportionate);
  • establish a two-tier redress mechanism, providing EU citizens with direct remedial measures through a newly established Data Protection Review Court (“DPRC”) to resolve complaints regarding access of data by U.S. intelligence authorities (this has also been challenged by NOYB which contends that this only provides the illusion of redress as US authorities will likely review the DPRC’s decisions and it is unlikely that the US will be required to disclose any surveillance operations which amount to ‘state secrets’, leaving data subjects unaware of these activities and unable to challenge them);
  • require US intelligence agencies to implement effective procedures to ensure oversight over new privacy and civil liberties standards; and
  • require organisations that wish to rely on the Framework to legally protect data flows to continue to follow the Privacy Shield principles including by self-certifying their adherence to these principles through the U.S. Department of Commerce.

How does the new framework interact with the current issues surrounding the transfer of personal data to the US in the context of services provided by US tech companies?

The development of the Framework is taking place against the backdrop of a growing number of data protection authorities across the EU ruling (or at the very least warning) against the use of data processing tools operated by large US-based tech companies which involve the transfer of personal data to the US. These rulings were triggered in part by NOYB, who filed the underlying complaint.

These rulings centre around the use of such tools (e.g. web analytics tools) resulting in user data, including device IP addresses, being transferred to the US in the absence of necessary safeguards, with EU data protection authorities finding the protections applied insufficient for the purposes of addressing the requirements of EU data protection legislation. One of the key reasons cited for this is the ability of US intelligence agencies to access transferred personal data under US surveillance laws.

The addition of the requirement to conduct TIAs and obligations on third country recipients of personal data to provide information about government access requests (where legally possible) to the new SCCs should assist organisations with the identification of supplementary measures to address the risks associated with transferring personal data to the US in the course of using these tools (e.g. activation of IP anonymisation features, obtaining consent from users for the use of their data for analytics purposes and making international transfers of their data in a cookie banner). However, putting these measures in place might not serve to fully mitigate the risks associated with transferring personal data to the US in the eyes of EU data protection authorities.

In light of this, a new data transfer framework that addresses these concerns and all of the issues that caused both the Safe Harbour scheme and Privacy Shield regime to be struck down will be a welcome development for US-based tech companies and the extremely broad base of EU-based customers that use their tools.

Conclusion

Currently, the US Government and the EC are working towards translating the proposed Framework into legal documents that can be adopted on both sides. Until the substantive terms of the agreement reached between the US and the EC have been published, there is still a degree of uncertainty as to whether it will sufficiently address issues raised by the Schrems II ruling (and whether NOYB’s concerns are founded) or the concerns expressed by data protection authorities across the EU in relation to the transfer of personal data to the US. As such, it remains to be seen whether this latest EU-US transfer mechanism will amount to an effective data transfer mechanism or whether it will meet the same fate as its predecessors. However, some form of legal challenge in the future seems almost inevitable.

Duc Tran
Of Counsel, London
+44 20 7466 2954
Katie Reid
Paralegal, London
+44 20 7466 2962

The UK’s International Data Transfer Agreement is laid before Parliament

Following the conclusion of the Information Commissioner’s Office (“ICO”) 2021 consultation on the UK’s draft international data transfer agreement and accompanying methodology, the Secretary of State laid before Parliament the final version of the transfer documents on 28 January 2022.

Collectively, the following documents are intended to be used by organisations transferring personal data outside of the UK in order to comply with their obligations under the UK GDPR:

  1. the finalised international data transfer agreement (“IDTA”) (available here);
  2. the addendum to the European Commission’s standard contractual clauses for the international transfer of personal data to third countries (the “UK Addendum”) (available here); and
  3. transitional provisions guidance covering the use of both documents (available here).

Unless any opposition is received by Parliament, these new measures will come into force on 21 March 2022. For further information about the August 2021 ICO consultation and the legal background informing it, see our blog post here.

The documents

The new IDTA and the UK Addendum are intended to replace the existing version of the European Commission’s standard contractual clauses (the “Old SCCs”) for the purposes of making restricted transfers of personal data out of the UK. The UK Addendum in particular is intended to be appended to the new EU standard contractual clauses, which came into force on 27 September 2021 (the “New EU SCCs”). For further detail on this update and the practical effects, please see our previous blog post here.

The IDTA includes appropriate safeguards capable of legitimising restricted transfers to other countries outside the UK. Crucially, the IDTA seeks to incorporate the ‘supplementary measures’ required pursuant to the ECJ’s judgement in Schrems II in order to protect personal data being sent to countries which, without these measures in place, would otherwise not provide adequate protection. The IDTA will likely be most useful for UK-centric organisations who transfer data out of the UK only.

Comparatively, the UK Addendum will be useful for multi-national organisations spanning both the EEA and the UK. It is designed to be used in combination with the New EU SCCs, to which it applies a range of non-controversial amendments in order to adapt the New EU SCCs for use in a UK context. The UK Addendum consequently provides an alternative to the IDTA route whereby the New EU SCCs, in combination with the UK Addendum, can be used to validate a transfer from the UK, in a similar way to which the Old SCCs are currently used.

For multi-national organisations whose transfer arrangements are already predicated upon the use of the New EU SCCs to transfer data outside of the EEA but will also be making restricted transfers out of the UK, the UK Addendum means that effectively only one transfer regime needs to be negotiated for transfers out of both jurisdictions. The UK Addendum and the IDTA can therefore be considered an “either/or” mechanism, dependent upon the requirements of the organisation concerned.

Timeframes for implementation

Provided that no objections are raised by Parliament, both the IDTA and the UK Addendum will be available to organisations to use from 21 March 2022 onwards.

According to the ICO documentation, for any agreements entered into on or before 21 September 2022 incorporating the Old SCCs, organisations can still rely on the Old SCCs to validate restricted transfers of personal data out of the UK until 21 March 2024, a generous grace period compared to the timeframes imposed by the EU in relation to the New EU SCCs.

It is worth noting that only arrangements which involve a restricted transfer out of the UK alone will be subject to this grace period; i.e., if an organisation has an arrangement in place which involves making restricted transfers out of both the EEA and the UK, the longer grace period will only apply to the UK restricted transfer, and the EEA element will need to be addressed in accordance with the deadlines set by the EU. By way of a reminder, existing agreements (entered into before 27 September 2021) incorporating the Old SCCs remain valid and provide appropriate safeguards for the purposes of the EU GDPR until 27 December 2022.

Following 21 March 2024, organisations will no longer be able to rely upon the Old SCCs for making restricted transfers out of the UK, and contractual arrangements incorporating the Old SCCs will need to have been repapered to incorporate either the IDTA or the New EU SCCs coupled with the UK Addendum.

The ICO is also set to publish further supporting materials to assist organisations to navigate these new arrangements in due course. Such materials should include explanatory notes to both the IDTA and the Addendum and guidance on transfer risk assessments and on international transfers more generally. These materials will provide welcome interpretative guidance to assist organisations to incorporate these new documents into their existing transfer arrangements.

Miriam Everett
Partner, Digital TMT, Sourcing and Data, London
+44 20 7466 2378
Duc Tran
Of Counsel, Digital TMT, Sourcing and Data, London
+44 20 7466 2954
Rob Brereton
Trainee Solicitor, London
+44 20 7466 3000

HAPPY INTERNATIONAL DATA PRIVACY DAY: OUR PREDICTIONS FOR 2022

Happy International Data Privacy Day! And what better day than today, to explore what 2022 is likely to have in store for data and privacy?

One year on from the introduction of the UK GDPR in a post-Brexit Britain. Two years on from the start of a global pandemic which forced a discussion around the tension between public health and data privacy. And over three years on from the GDPR coming into force across Europe, and by extension the world. But the passing of time does not appear to have diminished the worldwide focus on data and privacy issues.

In this post, we set out some predictions for data protection and privacy UK and EU developments in the year to come.

UK Data Protection Reform

2021 was the year that the UK Government hinted that it might think outside of the box in terms of data protection regulation. In September 2021, the UK Department for Digital, Culture, Media and Sport (“DCMS”) published its wide-ranging consultation on data protection reform. The DCMS Consultation is the first step in the Government’s plan to deliver on ‘Mission 2’ of the National Data Strategy, underpinned by a desire to boost innovation and economic growth for UK businesses while strengthening public trust in the use of data. The proposals were expansive, seeking to create an adaptable and dynamic set of data protection rules that underpin the trustworthy use of data. They mark a move away from a rigid set of rules, towards a more outcome-focussed regime, in order to reduce burdens on business. The consultation closed in November 2021 and the results are expected in Spring 2022. For further detail about the reform proposals, please see our blog post, available here.

A new regulator for the UK

On 4 January 2022, John Edwards began his new role as UK Information Commissioner, on a five-year term. The new regulator spent the past eight years as New Zealand Privacy Commissioner, and before that worked as a barrister. He succeeded Elizabeth Denham CBE, whose term as UK Information Commissioner ended last year. The new Information Commissioner’s agenda, approach and priorities will become clearer during his first full year in the role. However, it seems likely that one of his top priorities for 2022 will be the introduction of the Age Appropriate Design Code to better protect children online, together with the Online Safety Bill.

The fallout from enforcement – privacy notices and cookies

2021 saw some significant enforcement action, including fines of EUR 746 million, EUR 225 million and EUR 150 million. Interestingly, these significant fines haven’t resulted from big data security breaches; rather, we have seen a regulatory focus on data protection principles (particularly transparency) and cookies. Whilst in the UK at least, it is possible that current rules around cookie consents may be ‘relaxed’ as a result of the data reform proposals described above, it seems likely that this kind of significant enforcement could result in widespread updates to privacy notices and cookies practices in 2022. For further details regarding the likely impact on privacy notices in particular, please see our summary, available here.

Testing the EU cooperation mechanism

Although 2021 has seen significant EU GDPR enforcement action as described above, it has also shone a spotlight on the apparent differences of opinion between Member State regulators when it comes to enforcement. In the 2021 WhatsApp enforcement action, objections raised by the EU regulators to the Irish Commissioner’s proposed enforcement resulted in a referral to the EDPB for resolution. In December 2021, concerned MEPs also sent a letter to EU Commissioner Reynders to raise concerns about how the Irish Commissioner enforces the GDPR and applies the GDPR’s cooperation mechanism. The MEPs reportedly asked Commissioner Reynders to initiate infringement proceedings against the Irish Commissioner. What is clear is that there is a significant discrepancy between EU supervisory authorities regarding enforcement and the appropriate approach to the same. Could 2022 be the year that the GDPR’s cooperation mechanism is tested to its limits? Or could we see individual Member State regulators forging their own path?

International data transfers – Volume 1 (EU SCC re-papering)

On 27 September 2021, the new EU standard contractual clauses (“New EU SCCs”) came into force for the transfer of personal data from the EEA to third countries under the EU GDPR. From that date, the New EU SCCs have been used for any new agreements entered into that rely on model EU data transfer clauses to legitimise the transfer of personal data from the EEA to third countries under the EU GDPR. Existing agreements incorporating the old EU SCCs remain valid and provide appropriate safeguards until 27 December 2022, meaning that for many organisations 2022 is likely to involve the not insignificant task of “re-papering” agreements relying on the old EU SCCs and replacing them with the New EU SCCs. For further details regarding the New EU SCCs, please see our blog posts, available here and here.

International data transfers – Volume 2 (the UK position)

In August 2021, the UK Information Commissioner published a consultation on international data transfers. The regulator published a draft international data transfer agreement to address transfers of personal data outside of the UK; a draft international transfer risk assessment guidance note and tool; and a draft UK addendum for inclusion to the European Commission’s standard contractual clauses. The consultation closed on 7 October 2021 and we expect to see legislative proposals in 2022, which will finally give organisations certainty on the approach that the UK is taking to international data transfers, although it is unlikely to be the end of the data transfer saga depending upon the results of the DCMS data protection reform consultation described above. For further details regarding the ICO’s international data transfer proposals, please see our blog post, available here.

International data transfers – Volume 3 (Safe Harbor 3.0?)

Shortly after the Schrems II judgment, the US Department of Commerce and the European Commission initiated discussions to evaluate the potential for an enhanced EU-US Privacy Shield framework to comply with the ruling. However, discussions do not seem to have obviously progressed much during 2021 and, without root and branch reform of US surveillance law, it remains unclear how any such framework would avoid the fate of its predecessors, the Privacy Shield and US Safe Harbor. Could 2022 be the year that governments in multiple jurisdictions manage to find a way through the legal complexities raised by the Schrems II judgment in order to allow the international transfer of data on a practical level?

ePrivacy and cookies

We have covered the proposed ePrivacy Regulation in our previous data protection predictions and yet the question remains as to whether 2022 is going to be the year that this legislation makes it through the process. Even without the proposed new EU Regulation, some EU regulators have made their focus on cookies very clear – the CNIL has recently taken significant enforcement action against both Google and Facebook for breaches of the cookie rules. The recent DCMS data protection reform consultation also focussed in part on cookies and questioned the appropriateness of the current rules relating to cookie consents. As a result, whether via legislative reform or regulator action, it seems clear that cookies will be a special dish in 2022.

Tech vs data regulation – the race continues

2021 has seen a continued focus from organisations and regulators alike on innovative technologies and, in particular, AI. Uptake of AI by organisations appears to have increased alongside attempts by data protection regulators to keep pace, protect the privacy of individuals, and ensure fairness in an increasingly AI-driven world. An example of this was the UK Information Commissioner’s 2021 consultation in relation to the use of the beta version of its AI and data protection risk mitigation and management toolkit. We expect to see even more focus in 2022 on the use of AI and innovative technologies against the backdrop of data privacy legislation. For further details on the ICO AI consultation, please see our blog post, available here.

Class actions reborn?

In November 2021, the Supreme Court overturned the Court of Appeal’s decision in the high profile Lloyd v Google case, which could have opened the floodgates for class actions for compensation for loss of control of personal data to be brought on behalf of very large numbers of individuals without identifying class members. The case was brought under the DPA 1998, rather than the GDPR which superseded it. Whilst there may be read-across to the current UK GDPR regime, Lord Leggatt specifically stated that he was not considering the later legislation, and this could potentially leave the door open for future loss of control claims under the current law. After Morrisons and now Lloyd v Google, could 2022 be the year that we see another attempted data class action reach the courts? For further details regarding the Supreme Court judgment in the Lloyd v Google case, please see our blog post available here.

[1] First published by LexisNexis in October 2021

Miriam Everett
Partner, Digital TMT, Sourcing and Data, London
+44 20 7466 2378
Duc Tran
Of Counsel, Digital TMT, Sourcing and Data, London
+44 20 7466 2954
Angela Chow
Senior Associate, London
+44 20 7466 2853
Chloe Kite
Associate, London
+44 20 7466 2540

ICO issues draft International Data Transfer Agreement and guidance on undertaking risk assessments for consultation on ensuring compliance for data transfers from the UK

The UK has taken its first big data protection step in a post-Brexit world with the Information Commissioner’s Office (“ICO”) publishing its own version of an international data transfer agreement and accompanying methodology for conducting international risk assessments on 11 August 2021.

The ICO has published the following documents, which all inter-relate with one another:

  1. a draft international data transfer agreement to address transfers of personal data outside of the UK (“IDTA”) (available here);
  2. an international transfer risk assessment guidance note and tool (the “Risk Assessment Guidance”) (available here); and
  3. a UK addendum for inclusion in the European Commission’s standard contractual clauses (the “Addendum”) (available here).

The ICO has launched a consultation seeking views on the IDTA, the Risk Assessment Guidance, and the Addendum which will close on 7 October 2021, following which proposals will be laid before Parliament.

This follows in the footsteps of a busy period for the EU regarding the issue of international transfers of personal data. Over the past few months, we have seen:

  • the European Commission publish its final version standard contractual clauses for the international transfer of personal data to third countries (the “New EU SCCs“) (see our blog post here) and Article 28 clauses (see our blog post here);
  • the European Commission adopt two adequacy decisions for the UK (under both the GDPR and the Law Enforcement Directive); and
  • the EDPB issue its finalised guidance on supplementary tools resulting from the Schrems II judgment from the Court of Justice of the European Union (see our blog post here).

Key Takeaways

  • The UK’s approach – The ICO has adopted a user-friendly, business-focused and streamlined approach to implementing an updated set of Standard Contractual Clauses to address transfers of personal data outside of the UK and has devised a similarly user-oriented and pragmatic mechanism for conducting risk assessments in relation to these transfers (each a “TRA“), required as a result of the Schrems II decision. In addition, the Addendum provides an effective mechanism for UK organisations to interface with EU requirements in relation to transferring personal data outside of the EU and the scope of the consultation highlights the ICO’s willingness to integrate with global privacy positions.
  • The IDTA – The IDTA diverges from the approach of the New EU SCCs in its nature and structure in that it is formed of a combination of tables, free text, and mandatory clauses in order to provide organisations with flexibility to adapt it to their circumstances and any pre-existing contractual arrangements, as well as being a relatively simple document for organisations (particularly smaller ones) to contend with. Notably it caters for C2C, C2P, and P2P scenarios but not P2C (each defined below) and does not follow a modular format in the same manner as the New EU SCCs. The mandatory provisions of the IDTA are broadly reasonable in placing obligations on both exporting and importing parties; however, they do take on a distinctly English law flavour and include some potentially controversial clauses, for example in relation to incorporating TRAs and commercial positions, English language requirements, and the introduction of an IDTA-specific arbitration scheme.
  • The TRA – The Risk Assessment Guidance is a helpful and detailed attempt by the ICO to support organisations with their obligation to undertake a TRA. It adopts a solution-oriented and risk-focused approach that suggests a range of considerations, decision trees, and mitigations which organisations can apply when undertaking a TRA and will form an integral part of putting in place an IDTA.
  • Timeline – The ICO has issued the IDTA, Risk Assessment Guidance, and Addendum for consultation to seek industry stakeholder views, notably in the context of legal, economic or policy considerations. The consultation closes on 7 October 2021 following which consultation analysis and finalisation will occur before putting the proposals before Parliament. A finalised IDTA, Risk Assessment Guidance, and Addendum could be expected in late 2021 or early 2022 and, in the consultation, the ICO is also seeking views on transition periods post-implementation, namely: a 3 month grace period for organisations to introduce IDTAs for new arrangements, with a further 21 months (i.e. 24 months in total) to repaper existing arrangements.

Legal Background

Chapter V of the UK GDPR prohibits the transfer of personal data out of the UK to a third country or international organisation unless one of a number of available conditions under the UK GDPR is satisfied.

One of the conditions most often relied upon to legitimise the international transfer of personal data is the use of so-called Standard Contractual Clauses (effectively a contract entered into between the data exporter and the data importer which imposes certain data protection obligations on both parties).

Prior to Brexit, the UK utilised two different sets of SCCs which had been approved by the European Commission to cover transfers from: (i) a controller to another controller (“C2C”); and (ii) a controller to a processor (“C2P”) (the “Old EU SCCs”).

Following Brexit, the European Commission has published the New EU SCCs to update the Old EU SCCs in light of the GDPR and the Schrems litigation, and to remediate a number of weaknesses in the drafting. However, the New EU SCCs do not apply to transfers from the UK to jurisdictions outside the UK, and UK-based organisations have in the meantime needed to rely on the Old EU SCCs when transferring personal data outside of the UK.

As a result, the ICO has been working to establish the UK’s position in relation to legitimising international transfers of personal data out of the UK from a contractual and logistical perspective, and the IDTA and Risk Assessment Guidance are the result.

Given the interplay with the New EU SCCs, the UK’s approach has been keenly awaited and in this blog we “summarise” (the IDTA and Risk Assessment Guidance are lengthy) some of the key changes and considerations for organisations and international data flows.

The UK’s approach to standard contractual clauses

In this section, we look at each of the IDTA, Risk Assessment Guidance, and Addendum in more detail.

IDTA

IDTA Overview

The IDTA is the document which UK organisations will need to put in place when transferring personal data outside of the UK.

The ICO has adopted a distinct approach to the IDTA, in particular:

  • Nature of the agreement: The IDTA has been developed as an agreement which can either act as a standalone data transfer agreement between parties, or be incorporated into a broader commercial agreement or other arrangement (termed “Linked Agreements” by the ICO).
  • Structure: We discuss the structure in more detail below, but broadly it consists of a combination of tables alongside a set of mandatory operative provisions and free text sections. This appears to have been designed to enable the parties to it to adapt it to their particular needs and broader contracting arrangements.
  • Controller and processor data flows: As with the New EU SCCs, the ICO has ensured that the IDTA is appropriate for use in C2C, C2P, and processor to processor (“P2P”) scenarios. The IDTA does not, however, contain any clauses to address cross-border transfers from processors to controllers (“P2C”), which the European Commission controversially introduced in the New EU SCCs.
  • Application of the relevant provisions: The IDTA does not follow a strictly modular structure (as per the New EU SCCs) and has instead developed provisions which are designed to be applicable depending on the factual circumstances of the parties (e.g. if the importer’s processing is subject to UK data protection law, then the importer does not need to comply with clauses regarding data subject rights, on the basis that they will be directly applicable). The IDTA does provide that non-applicable provisions can be removed but, as discussed below, this does not appear to be mandatory and therefore is unlikely to happen in practice when organisations start implementing the IDTA.

The approach taken by the ICO appears to provide a more streamlined, flexible, and business-friendly mechanism for organisations to deploy the IDTA where necessary, certainly in terms of its non-modular nature and accessible manner in detailing the necessary elements of a transfer. In comparison to the New EU SCCs, the removal of a potentially complex and time-consuming analysis to implement the appropriate combination of modules is to be welcomed, although the ‘if applicable’ approach of the IDTA mandatory clauses does present its own challenges of interpretation, not only to the uninitiated.

IDTA Structure

Considering the IDTA at a more granular level, it has been arranged in four parts:

  1. A series of four tables to detail the nature of the transfer and any further protections (this includes population of the relevant details of the importer and exporter, a string of check-boxes to document information on the transfer itself and the data involved, and a free text area to include additional security requirements which have been identified as necessary further to a TRA).
  2. A section where additional technical, organisational, and contractual protections can be set out which have been identified as necessary following a TRA (and for which the ICO’s TRA tool provides examples). This section envisages being able to cross-refer to other relevant areas (e.g. relevant parts of a Linked Agreement or the security requirements sections of the first part of the IDTA).
  3. A section for commercial clauses which, while perhaps useful for smaller organisations and low-risk arrangements, is likely to have limited utility with parties almost certainly having a distinct commercial arrangement (i.e. a Linked Agreement) and requiring one in a C2P scenario in order to have in place appropriate Article 28 clauses.
  4. The mandatory clauses which, ultimately, are the most important, operative part of the IDTA and are discussed in detail below.

This structure provides an adaptable model which organisations should find relatively simple to both populate and review, which should assist organisations with putting in place, and feeling comfortable about, a compliant international data transfer arrangement.

Mandatory Clauses

The fourth part of the IDTA is an area which will attract a significant amount of scrutiny given the mandatory nature of the clauses, and indeed it proposes some particularly notable positions:

  • Amendments: The IDTA does not permit any amendments other than: to update cross-references where amendments to parts one to three of the IDTA require it; in order to render the IDTA multi-party; and to dis-apply any non-applicable provisions.

In relation to the latter point, as noted above, the IDTA is not strictly modular; however, the mandatory clauses contain a range of caveat drafting across them which dis-applies certain clauses depending on the nature of the party (controller, processor). While this simplifies the approach in terms of incorporating the IDTA (i.e. rather than choosing specific modules as per the EU’s mechanism), the interoperability of clauses is not always clear. Additionally, where parties do dis-apply provisions, given that dis-applied provisions would appear to apply regardless if they were incorrectly dis-applied, there is perhaps little utility in undertaking such a task. The publication by the ICO of worked versions of amended mandatory clauses would perhaps be useful in this regard.

  • Precedence: The terms of the IDTA will take precedence over any Linked Agreement or other agreement (which could include the New EU SCCs), unless there is greater protection provided by other terms or the other terms are a requirement due to Article 28 of the UK GDPR. A potential conflict between EU and UK positions (each of the IDTA and New EU SCCs claims precedence) has, from a UK perspective, been to some extent fudged by leaving it to a consideration of the relative level of protection of a term.
  • TRAs: There is a somewhat unsatisfactory circular contractual position whereby the exporter is under a duty to provide the importer with a copy of any TRA the exporter has undertaken, but the importer is bound to a contractual promise that prior to entering the IDTA it has provided the exporter with “all relevant information” which is “complete and accurate” (a high bar) regarding the local laws of the importing country in order to enable the exporter to undertake the TRA. The importer is also under a continuing obligation to verify whether local laws change and inform the exporter if such a change would impact its ability to comply with its obligations under the IDTA.

Given the broad definition of ‘local laws’ under the IDTA, this raises several issues including the implications for pre-contractual representations and information provision, the quality of knowledge of an importer, and the extent to which importers will or can comply with such an onerous obligation.

  • ICO involvement: The IDTA provides that both importer and exporter agree to provide the ICO with certain information (including the IDTA, any TRA, and the importer’s information regarding local laws) where it reasonably requests it. As well as providing the ICO with an avenue to access a substantial amount of information on local law requirements and risk assessments, these provisions place a direct obligation on an importing entity, which might perhaps have no other link to the UK, to respond to a UK-based regulatory information request (of particular relevance to entities further down a chain of processors).
  • Data subject requests: The IDTA provides that, where a data subject requests a copy of the IDTA from the exporter or importer, this must be provided to them. It is accepted that Linked Agreements do not need to be provided; however, if the commercial clauses section of the IDTA is used, then while those clauses can be redacted for the purposes of sending to a data subject, a summary of the information must still be provided. As such it seems unlikely that parties would complete this section of the IDTA given the potential for disclosure.
  • English language requirement: Where a controller is the importer, there is an obligation on them to be able to easily communicate with data subjects in English and without undue delay, which is a potentially onerous expectation.
  • Commercial provisions: The IDTA incorporates a range of commercial positions and provisions which, given the precedence of the IDTA over a Linked Agreement, could have broader implications as, depending on the importance of the data transfer element to the agreement, commercially agreed positions may be frustrated by positions under the IDTA:
    • Liability: There is an uncapped liability regime in relation to a party’s breach of the IDTA causing damage to a data subject, with a fairly high bar for proving non-involvement in an incident causing damage.
    • Significant Harmful Impact: The IDTA introduces the concept of ‘Significant Harmful Impact’ whereby, if there is more than a minimal risk of a breach to the IDTA which may cause indirect or direct significant damage to a data subject or a party, this will be a trigger for various termination rights. This appears to be looking to align with the approach to data breaches, however the various rights to terminate resulting from this make this a material contractual consideration.
    • Third party rights: Data subjects have a range of provisions under the IDTA under which they can bring a claim against either the exporter or importer (as applicable) and the ICO also has more limited direct rights under the IDTA.
    • Boilerplate: Provisions regarding notice, assignment, sub-contracting, and severance (amongst others) have been included and this could cause issues; for example, where a Linked Agreement permits unrestricted assignment, this would not be able to occur as the IDTA requires the consent of the other party.
  • Arbitration: The IDTA suggests that a specific IDTA arbitration scheme could be introduced as an optional dispute resolution mechanism for use in claims between the parties or involving the ICO or data subjects. A data transfer-specific arbitration scheme would be a novel mechanism in this context.

Risk Assessment Guidance and TRA

The ICO has produced the Risk Assessment Guidance in light of the decision in Schrems II in order to assist organisations with carrying out a TRA as part of putting in place an IDTA. It consists of guidance pertaining to general considerations for organisations conducting a TRA, as well as a detailed TRA tool.

Some of the key points emerging from this are:

  • Not an adequacy assessment: The Risk Assessment Guidance contains a disclaimer that a TRA should not amount to a mini-adequacy assessment, but rather a consideration of whether the destination jurisdiction “shares certain key principles which underpin [their] law and practice”, and should focus on two key aspects: (i) enforceability of the IDTA’s provisions; and (ii) third party access to data. If these aspects are sufficiently similar, then the IDTA’s provisions should provide sufficient protection within that jurisdiction.

The Risk Assessment Guidance further notes that the assessment should not involve a consideration of the whole country’s legal regime, but only the aspects which are relevant to the transfer. The extent to which this is practicable is perhaps questionable, particularly in light of the factors that the ICO suggests need to be considered, although the narrow focus of the assessment, which is supplemented by the detailed information in the ICO’s TRA tool, provides some comfort (see below).

  • Factors to consider: The ICO highlights a range of factors to consider in relation to: (i) the particular facts of the transfer (type of data, purpose, movement, etc.); (ii) the facts of the destination jurisdiction (human rights record, legal system, laws and practices regarding third party access); and (iii) the potential impact on data subjects and any risk of harm. The ICO notes that some jurisdictions should be obvious, for instance where there is the rule of law or robust regulation of third party access to data (although there is no “shortcut” TRA approach for obvious jurisdictions), but there will likely be a range of liminal countries where a granular analysis will be technical and time consuming, even more so in complex multijurisdictional transfer scenarios.
  • Assessment and reassessment: The Risk Assessment Guidance (and the IDTA) make clear that ongoing review of a transfer arrangement will be required both where the context changes (such as a change in law, an evolution in the nature of the transfer, or technical developments) and periodically. Indeed, given that the ICO will have both a regulatory and a contractual mechanism for requesting TRAs, ensuring that there is an internal, operational mechanism to undertake the necessary TRAs, and to ensure that they do not become historic, will be important.
  • The TRA tool: The ICO’s TRA tool is structured around a three part process (transfer assessment followed by consideration of an IDTA’s enforceability and the protection from third party access to data which are afforded in the importing jurisdiction) in order to ascertain whether and how, in routine transfer scenarios, any supplemental measures need to be incorporated into the IDTA:
    • Analysis support: Each stage of the TRA has been designed with decision trees and detailed guidance which will assist organisations with considering and developing their documented TRAs.

Of particular assistance are a range of tables which: detail the types of data and context within which a red, amber, green risk rating can be applied (e.g. basic contact details of consumers would likely be low risk/green); note considerations to inform whether enforceability and access are sufficiently similar to the UK; and highlight factors which may develop and adjust an organisation’s consideration of a risk level (e.g. an intra-group transfer lowering the risk, versus a large volume of data about an individual likely increasing the risk).

    • Supplementary measures: Following each step of the analysis, the Risk Assessment Guidance provides practical technical, organisational, and contractual steps which can be taken depending on the level of risk identified (e.g. a spectrum of encryption or more robust contractual complaint mechanisms).
    • Risk: Notably the tool highlights the importance of focusing on “risk” where an opinion on a jurisdiction is difficult to form. This approach, allied to the pragmatic risk mitigations given, provides practical and considered support which recognises the importance of maintaining data flows while providing sufficient protections, which organisations will likely find very helpful.
  • Complex scenarios: More complex transfer scenarios will require a more forensic analysis and the ICO highlights situations such as multijurisdictional arrangements, novel technology usage, and countries with a questionable human rights record that could produce a high risk and where relying on the tool will not be sufficient. That said, the range of user-friendly and focused guidance and considerations in the tool will no doubt assist organisations with undertaking a more complex analysis.

Addendum

The ICO has produced an Addendum which is designed to be used in combination with the New EU SCCs in order to validate international transfers to a third country and provides for a range of non-controversial amendments to the New EU SCCs to adapt them to apply in a UK context. The intention appears to be to provide an alternative to the IDTA route whereby a UK organisation could utilise the New EU SCCs in combination with the Addendum in order to validate a transfer from the UK (i.e. in a similar way to which the Old EU SCCs are currently used).

Should this route be taken instead of, or in addition to, that of the IDTA, for organisations with an EU and UK nexus it would simplify the contractual process (for both new contracts and any repapering exercise) in that a single, consistent approach could be taken (i.e. implement the New EU SCCs incorporating as necessary the Addendum). However if only the Addendum route was taken, then UK organisations would need to adopt the modular mechanism and become cognisant of the complexities regarding the New EU SCCs.

Indeed it is interesting to note that the ICO’s consultation document is seeking views on the adoption of the Addendum in the context of the New EU SCCs, but also whether there are any other model data transfer agreements for which such a path could be taken (calling out also New Zealand and the Association of Southeast Asian Nations’ model clauses). It may be then that the result of the consultation brings about various routes by which a transfer from the UK can be legitimised for UK organisations (perhaps based on the importing jurisdiction), which would be consistent with the UK’s stated business-friendly, flexible approach to international data flows.

Final Thoughts

The ICO has devised a detailed and well-considered approach to address international transfers of personal data out of the UK in a post-Brexit world which has clearly been designed to interface with EU and global data protection and privacy laws and practice. As such, early concerns raised in relation to the UK adopting a drastically different mechanism to that of the EU (with the potential to cause chaos for multi-national organisations transferring personal data in and out of both the UK and EU), have been somewhat quelled.

Certainly the TRA is a document which will likely provide great assistance to UK (and potentially EU-based) organisations as they grapple with the risk assessment requirement brought about by Schrems II. Indeed it is perhaps difficult to see what more the ICO could have done in this regard as the TRA is practical, solution-oriented, and user-friendly.

The IDTA does diverge from the approach taken by the EU in relation to the New EU SCCs, but the IDTA’s combination of tables, free text, and mandatory clauses is once again more business-focused and streamlined. The format enables parties to be flexible depending on their current and future arrangements and, by way of the Addendum, provide effective interoperability with the New EU SCCs. The mandatory clauses of the IDTA do, however, raise some questions, in particular those which have a distinctly English contract law flavour, and may result in some robust discussions with non-English counterparties.

It will be fascinating to see what responses the ICO will receive as part of the consultation and what the ICO’s final approach (including in relation to timeframes for implementation) will be.

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Duc Tran
Of Counsel, Digital TMT, Sourcing and Data, London
+44 20 7466 2954
Claire Wiseman
Professional Support Lawyer, London
+44 20 7466 2540
Alasdair McMaster
Associate, London
+44 20 7466 2194

European Commission publishes final Article 28 clauses

Simultaneous with the European Commission publishing its final standard contractual clauses for the international transfer of personal data (see our blog post here for further information) (the “New SCCs”), they have now published a final set of standalone Article 28 clauses for use between controllers and processors in the EU, also termed ‘standard contractual clauses’ (the “Final Article 28 Clauses”) (available here).

European Commission publishes final Standard Contractual Clauses

Seven months after the European Commission published its draft new Standard Contractual Clauses for data transfers between EU and non-EU countries (the “Draft SCCs”) for consultation (see our blog post here (the “Draft SCCs Blog”)), they have now published a finalised set of Standard Contractual Clauses (“Final SCCs”) with little fanfare (available here).

It should also be noted that alongside the Final SCCs, the European Commission have published a finalised set of non-mandatory Article 28 clauses for use between controllers and processors in the EU (see our blog post here on the draft version) in relation to which we will be publishing a follow-up shortly.

It will be mandatory, however, for organisations to implement and comply with the Final SCCs and in this blog post we consider the movement from the Draft SCCs to the Final SCCs (as well as the key points raised by them), the practical impact that this will have on organisations and the UK’s position.

Key Takeaways

  • The Draft SCCs and the Final SCCs – In comparison to the Draft SCCs, the Final SCCs provide some cause for hope, in particular an extended grace period of 18 months, a 3 month window during which organisations may continue to put in place the current SCCs to address international transfers of personal data, and the softening of some provisions such as the approach to challenging public authority access. However, other aspects of the Final SCCs may cause increased friction, notably a more nebulous approach to the warranty regarding impact assessments.
  • Practical Considerations from the Final SCCs – The Final SCCs serve to confirm that a repapering exercise is looming for most organisations and that a re-evaluation of current agreements, training, and contracting support will be required so as to have in place mechanisms to implement agreements with appropriate iterations of the Final SCCs on an ongoing basis. Beyond this, more granular considerations including the interplay of the Final SCCs with negotiated clauses will require some more careful, context-specific scrutiny.
  • The UK’s Way Forward – The current SCCs will continue to apply for transfers of data from the UK to third countries while the ICO prepares a set of its own standard contractual clauses, independent of the Final SCCs. The extent to which these deviate will inform how much more complex putting in place and maintaining the necessary contractual provisions will be for organisations, particularly those with multifaceted data flows between the UK, EU and third countries.

Legal Background

Please refer to the Draft SCCs Blog for more detailed background, but by way of summary, the GDPR prohibits the transfer of personal data from the EEA to a third country or international organisation outside of the EEA unless an available condition under the GDPR is satisfied.

One of these conditions is the use of Standard Contractual Clauses (“SCCs“), which are effectively a contract ‘pre-approved’ by the European Commission to be entered into between the data exporter and the data importer and which impose certain data protection obligations on both parties. However, the current SCCs had some issues, including the fact that they were not updated when the GDPR came into force (they reference the old EU Data Protection Directive rather than the GDPR) and that there were only two sets of SCCs (covering transfers from one controller to another controller (“C2C“) or from a controller to a processor (“C2P“)), which meant that they did not cover situations such as processor to processor (“P2P“) or processor to controller (“P2C“) transfers.

The Draft SCCs looked to address these issues, as well as the impact of the Schrems II decision (see our blog post on the Schrems II case here). The Schrems II judgment made it clear that where SCCs are being used, a level of due diligence needs to take place before any transfer can be made. This is to ensure that personal data originating in the EEA always carries with it protections which are essentially equivalent to those in the EEA. In parallel, to help data exporters in that assessment, on 10 November 2020 the EDPB issued draft guidance on how to carry out the due diligence exercise in practice (see our blog post on the draft guidance here). We are imminently expecting the finalised EDPB guidance on these supplementary measures, potentially as early as next week if the authorities are able to agree them during this month’s plenary meeting on 15 June 2021.

Following a period of consultation and some delay to finalisation, the European Commission published the Final SCCs in final working documents on 4th June with publication in the Official Journal expected swiftly.

The Draft SCCs and the Final SCCs

The Final SCCs broadly adopt the same approach as the Draft SCCs, although there is some deviation both to soften provisions and provide more flexibility to organisations than originally envisioned by the Draft SCCs, although in some instances the approach has been toughened. We detail the material deviations and summarise the changes from the Draft SCCs below.

  • Extended Grace Period and Limited Grandfathering Period

The Draft SCCs contemplated a one year grace period within which organisations had to ensure compliance and the Final SCCs have both extended this period and made it more nuanced by introducing a limited grandfathering period during which organisations may continue to implement the current SCCs. From the date of publication in the Official Journal (plus 20 days), organisations will now:

    • have 3 months to continue to put in place the current SCCs; and
    • have 15 months from the end of the 3 month period within which they must implement the Final SCCs and can continue to rely on the current SCCs (provided there is no change to the processing activities during this time and any necessary supplemental measures are in place).

While the extended grace period is positive in the context of the EU-US Privacy Shield having been immediately invalidated by the Schrems II decision, which required instant contractual and organisational remediation, the result of the Final SCCs is that organisations will still be required to re-paper their existing contracts in the medium term (likely by December 2022) and put in place mechanisms to begin incorporating the Final SCCs into new agreements in the short term (likely starting from June 2021 but by no later than September 2021) (see ‘practical considerations’ section below).

  • Modular Structure and Scope

The Final SCCs have retained the modular format allowing for adaptation to different factual scenarios covering both C2C and C2P transfers already provided for under the current SCCs. They now also cater for P2P and P2C situations which were not provided for and enable other parties to ‘dock’ into the Final SCCs (of particular importance where sub-processors are introduced to a pre-existing arrangement).

Additionally, the set of processor clauses required by Article 28 GDPR remains incorporated into the Final SCCs rather than forming a separate module, and explicitly prevails over any conflicting provisions.

While elements of the modules have been somewhat rearranged, materially they provide the same flexibility, but also issues, as discussed in the ‘structure’ and ‘scope’ sections of the Draft SCCs Blog.

  • Extraterritoriality

The requirement for data importers who are controllers to notify a competent EU supervisory authority (discussed in the ‘extraterritoriality’ section of the Draft SCCs Blog) remains but rather than the threshold being a ‘significant adverse effect’, this has been lowered to ‘a risk to the rights and freedoms of natural persons’ (with an attendant notification obligation to data subjects where there is a ‘high risk’). This aligns with the thresholds in the GDPR, but arguably makes notification a more likely requirement for importers.

Additionally, the Final SCCs impose on data importers requirements that will be familiar to those already subject to the GDPR, such as obligations of transparency, security, limits on the purpose of processing and compliance with data subject rights, amongst others. In binding importers to obligations similar in nature to the requirements of the GDPR, the Final SCCs can be seen as a further step in extending the reach of the GDPR.

  • Schrems

Like the Draft SCCs, the Final SCCs include provisions which address the challenges of the Schrems II case (discussed in the ‘Schrems’ section of the Draft SCCs Blog), with only minor changes made to the Final SCCs in this regard.

Perhaps most notably, however, the warranty that the parties are required to provide that they have no reason to believe that the ‘laws’ of the importer country prevent the importer from fulfilling its obligations under the Final SCCs has been expanded to refer to ‘laws and practices’. The Final SCCs contain a footnote which provides some examples of the elements which may be considered as part of this impact assessment, but this more nebulous phrasing further emphasises the difficulty organisations are likely to have in confidently undertaking and documenting such an assessment and warranting such a claim.

One position that has been softened from the Draft SCCs is the requirement on importers to exhaust all available legal remedies when challenging a public authority access request. This has been amended to grant the importer a degree of discretion: it is required to challenge a request only where it believes that there are ‘reasonable grounds to consider that the request is unlawful…’. This caveat gives importers some leeway in approaching such requests.

  • Liability

The more detailed liability provisions set out in the Draft SCCs remain in the Final SCCs, as does the uncapped liability position. Given the precedence taken by the Final SCCs over any other terms in an agreement to which the Final SCCs are attached, it would have been helpful if the European Commission had provided some clarity in relation to these points. Unfortunately, however, it is still unclear as to how both the detailed liability provisions and uncapped liability position set out in the Final SCCs are supposed to align with any pre-existing liability provisions set out in an agreement to which the Final SCCs are attached, especially if such pre-existing liability provisions include a cap on data protection liability, as they often do.

Absent further guidance, it would appear that attempts to limit or exclude liability would conflict with, and then be subordinate to, the approach taken by the Final SCCs.

Practical Considerations from the Final SCCs

Despite the positive and negative changes brought about by the Final SCCs, they do at least provide some clarity for organisations regarding what next steps they should take and what thinking should be done:

  • In-Flight Projects

While there is a limited 3 month period within which organisations can continue to put the current SCCs in place, they will only be able to rely on them for a further 15 months from the end of that 3 month window. As such, where the contractual arrangements for an in-flight project are likely to last beyond December 2022, it may make most sense for organisations to consider and implement the Final SCCs during this window.

For contracts with a duration likely to end before this window ends, or which will come up for renewal, it would perhaps be preferable in the interests of expediency to implement the current SCCs at this stage and begin implementing and, where necessary, repapering to the Final SCCs over the subsequent 15 months, by which time further guidance is likely to have been published and the market is more likely to have adopted a more settled approach.

  • Repapering and Expertise

As noted in the ‘repapering (again)’ section of the Draft SCCs Blog, the Final SCCs confirm that a further, more complex repapering exercise is required.

As well as requiring organisations to analyse the perhaps thousands of contractual arrangements in place to determine the data flows and relationships between parties to replace them with the appropriate combination of Final SCC modules, organisations will also need to ensure that they have in place the appropriate expertise, support, and training to be able to begin putting in place the appropriate combinations by the end of the 3 month grandfathering period.

The earlier organisations begin to engage with the approach taken by the Final SCCs and put in place mechanisms sufficient to prepare and implement combinations of modular Final SCCs, the easier the transition will be.

  • Final SCCs and Negotiated Clauses

As well as the repapering exercise (which will not be a ‘rip and replace’ exercise of the current SCCs to the Final SCCs), at a more granular level organisations will also need to consider the interplay between the Final SCCs and negotiated operative clauses in the main body of agreements incorporating the Final SCCs. For example:

    • Operative provisions which refer out to the Final SCCs will need to be appropriately tailored to ensure that there is no conflict in multifaceted relationships (e.g. where various parties may be acting as controllers, processors, and sub-processors in relation to different data as part of the same arrangement) to enable the operative provisions and relevant modules to align.
    • The Final SCCs contain embedded Article 28 provisions and so, where negotiated and bespoke operative Article 28 provisions are in place, ensuring alignment between them so as not to produce a conflict resulting in the inapplicability of tailored positions will be necessary to preserve commercial certainty.
    • Contradictions may also arise for which straightforward resolution may not be possible, such as the apparent conflict between uncapped liability under the Final SCCs and commonly capped negotiated positions, or where a tailored Article 28 provision cannot be aligned with those in the Final SCCs.
    • The imposition of obligations on importers will also mean that they may seek more protection from operative contractual clauses, for example the importer’s transparency obligation will likely necessitate the inclusion of operative provisions to detail the responsibility between the parties of discharging such obligations (i.e. certainty of the provision of information).
    • The European Commission’s decision to address P2P transfers in the Final SCCs will finally allow parties to simplify the operative clauses that controllers enter into with processors that engage sub-processors based outside of the EU. The absence of any P2P mechanism in the current SCCs has long required parties to shoehorn in the C2P clauses to address transfers between processors and sub-processors, often to unsatisfactory effect given that there is usually no direct contractual nexus between controller and sub-processor. The new P2P module should serve to simplify and speed up the drafting and negotiation of these operative provisions going forward.

Where contracts are remediated, or standard template agreements will be updated, a careful approach will need to be taken to ensure regulatory compliance while also achieving an appropriate balance of commercial risk, depending on the particular factual matrix.

  • The Data Importer’s Position

Where a data importer contracts with an exporter on the basis of the Final SCCs, the fact that the Final SCCs impose a range of substantive obligations on importers (see ‘extraterritoriality’ section above) will require importers to take considerable care to determine whether they do in fact have the technical, organisational, and contractual means to satisfy the various obligations placed upon them.

The potential risks of litigation and cost of simply signing and doing what has always been done have never been higher.

The UK’s Way Forward

The ICO has stated that it has been drafting its own standard contractual clauses during the course of 2021 (with a period of consultation also expected) (the “UK SCCs“), in a process distinct from the Final SCCs. It will be interesting to see the extent to which, if at all, the UK SCCs leverage the positions in the current SCCs, Draft SCCs, and Final SCCs, or whether a completely novel route is taken.

While some mood music suggests that the UK will pursue a more relaxed, business-minded approach to data (and so the UK SCCs can perhaps be expected to impose less stringent requirements on organisations), such an approach will need to be carefully balanced against the UK’s position on data vis-à-vis the EU, in particular to ensure the UK SCCs are seen as sufficiently protective if the UK is to benefit from an adequacy decision from the EU.

In addition, the ICO has previously emphasised that international data transfers would need to account for the impact of the Schrems II decision and, in its response to the UK’s National Data Strategy, highlighted the importance of building on the rights, principles, and protections for data which are currently in place. Therefore a novel approach or substantial deviation from the EU’s approach (be that the current SCCs or the Final SCCs) may be unlikely.

From a practical perspective, the Final SCCs are not currently regarded as an “adequate safeguard” for UK GDPR purposes for transfers from the UK to third countries and will therefore not be officially compliant from a UK GDPR perspective at the moment. Absent the UK SCCs and / or approval of the Final SCCs, the current SCCs may therefore continue to be relevant.

Furthermore, for organisations with data flows between the EU, UK and third countries, the implementation of a further set of standard contractual clauses which may deviate from or potentially conflict with the Final SCCs would be a headache that they could do without, with further repapering and more complex contractual arrangements to introduce and align the Final SCCs with UK SCCs potentially required. That is unless the ICO approves the Final SCCs (in addition to any UK SCCs), giving organisations the option of which set of clauses to select based on their respective data flows and contracting approach to international data transfers to third countries.

The UK’s approach will therefore be important to monitor over the coming months and until such time as UK SCCs are brought into force, the current SCCs continue to remain relevant.

Conclusions

The publication of the Final SCCs provides organisations with a long-awaited update to the current SCCs and, for better or worse, provides clarity in relation to the steps and considerations that organisations will need to take if they are to continue making international transfers of personal data, as well as time (by way of the grace period and limited grandfathering period) to take these steps.

Most organisations will have been through this process before and, while it may be slightly more complex in execution, the principles of previous repapering exercises, as well as more developed processes regarding records of processing, data audits, and data mapping in the years since the GDPR came into force, should provide organisations with many of the tools needed to adopt and implement the Final SCCs (although for importers that are not used to the GDPR, the increased GDPR rigour of the Final SCCs may make this more challenging).

The most important step for organisations will be to understand the new modular approach to the Final SCCs, the most material departure from the current SCCs, as organisations will need to start the process of implementing the Final SCCs in 3 months’ time. Organisations that have template agreements and processes in place which include data protection provisions incorporating the current SCCs will also need to update these template agreements and processes and provide appropriate training to those tasked with maintaining these arrangements. In the longer term, repapering will be flavour of the month once more.

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Duc Tran
Of Counsel, Data Protection and Privacy, London
+44 20 7466 2954

Claire Wiseman
Professional Support Lawyer
+44 20 7466 2267

Alasdair McMaster
Associate, London
+44 20 7466 2194