The end of 2022 saw some significant changes in the field of data protection, particularly for those who wish to transfer personal data out of the UK and the EEA.
For many businesses, it may come as a surprise to learn that they may be affected by these new rules. For example, if the hosting or other service provider for the business has its servers based in the USA or elsewhere and personal data (relating to employees or customers) is transferred, the business is likely to be subject to the new rules.
So a necessary first step for a business is to audit its data flows and identify any international data transfers (which will be referred to as “restricted transfers”).
The main way to comply with the UK GDPR requirements on restricted transfers is to adopt one of the transfer mechanisms identified in Article 46, which will count as “appropriate safeguards”.
These include the ICO’s International Data Transfer Agreement (IDTA), the combination of the EU’s standard contractual clauses (SCCs) with the ICO’s International Data Transfer Addendum and Binding Corporate Rules (BCRs).
Transfer Risk Assessment
If a business plans to rely on an Article 46 transfer mechanism, the ICO requires the business to carry out a transfer risk assessment. This will help the business to decide if its chosen transfer mechanism maintains the required protections for data subjects under the UK data protection regime.
The ICO has identified two broad types of risk that the business must consider in its assessment. The first is the risk to people’s rights arising in the third country from third parties accessing the information, who are not bound by the Article 46 transfer mechanism (such as Governments or their intelligence services). The second is the risk to people’s rights arising from difficulties enforcing the chosen Article 46 transfer mechanism.
There are two potential options for carrying out this assessment. The first option (preferred by the ICO) is to compare the position of the data subjects, in the specific circumstances of the transfer, (a) if the personal data remains in the UK and (b) if the restricted transfer is made.
The second option (recommended by the European Data Protection Board (EDPB) is to compare the law and practices of the UK regarding data protection with those of the importing country, in order to assess the risks outlined above.
The ICO has developed a useful transfer risk assessment tool (based on the first option), which businesses can use to assist with their assessment (see www.ico.org.uk).
There are a number of countries around the world who have had their data protection regimes approved by the EU or the UK. A transfer of personal data to these countries does not require a specific transfer mechanism under Article 46.
As regards the UK, they are currently all EU member states, Iceland, Norway and Liechtenstein, Gibraltar, Andorra, Argentina, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay and South Korea. Japan and Canada only currently have partial adequacy.
Standard Data Protection Clauses
If a business wishes to make a restricted transfer to a country other than one covered by an adequacy decision, after having carried out its transfer risk assessment, it must adopt an appropriate transfer mechanism. In the UK this will either be the ICO’s International Data Transfer Agreement or (what seems to be preferred) the International Data Transfer Addendum in conjunction with the EU standard contractual clauses (the Addendum). The Addendum needs to be considered and completed – it is not just a tick box exercise.
Where it is not possible to use one of the approved transfer mechanisms, there are some very limited exceptions. However, these cannot be used for regular data transfers and so will not be appropriate in many cases.
The exceptions are (a) you have the explicit consent of the data subject (b) you have or are entering a contract with the data subject and it is necessary to make the restricted transfer so you can carry out your obligations (c) you are entering or have a contract with a third party for the benefit of the data subject and the transfer is necessary (d) important reasons of public interest (e) to establish or defend a legal claim (g) where it is necessary to protect someone’s vital interests (h) the transfer is from a public register and (i) the transfer is one off and necessary for your compelling legitimate interests.
Businesses should not be misled into thinking that “necessary” will be an easy hurdle to jump. The ICO has made clear that “it is not enough to argue that the transfer is necessary because you have chosen to operate your business in a particular way. The question is whether the transfer is objectively necessary and proportionate for the stated purpose, not whether it is a necessary part of your chosen methods.”
The Perennial Problem of the USA
One of the main reasons for the heightened activity in the field of international data transfers was the decision of the European Court in the Schrems II case. In essence that case decided that the US/EU privacy shield regime did not comply with EU data protection requirements and so was invalid.
The UK, EU and USA have been struggling for some time to find a way to comply with the court’s findings. Even now, in 2023, we do not have a complete answer.
In order to address the issue, there have been a number of recent developments.
In the USA, President Biden has signed a new Presidential executive order, which provides for binding safeguards, which limit access to personal data by the US intelligence authorities and which establishes a two tier redress mechanism (being a Civil Liberties Protection Officer and an independent Data Protection Review Court).
In the light of these steps the EU has published a draft adequacy decision for the USA, which should lead to a new transfer mechanism to replace the defunct privacy shield system.
For further information or advice on any of the issues identified in this overview please contact the following members of our Commercial Team:
Peter James, Partner
Diane Yarrow, Partner