ICO issues draft International Data Transfer Agreement and guidance on undertaking risk assessments for consultation on ensuring compliance for data transfers from the UK

The UK has taken its first big data protection step in a post-Brexit world with the Information Commissioner's Office ("ICO") publishing its own version of an international data transfer agreement and accompanying methodology for conducting international risk assessments on 11 August 2021.

The ICO has published the following documents, which all inter-relate with one another:

1. a draft international data transfer agreement to address transfers of personal data outside of the UK ("IDTA") (available here);
2. an international transfer risk assessment guidance note and tool (the "Risk Assessment Guidance") (available here); and
3. a UK addendum for inclusion to the European Commission's standard contractual clauses (the "Addendum") (available here).

The ICO has launched a consultation seeking views on the IDTA, the Risk Assessment Guidance, and the Addendum which will close on 7 October 2021, following which proposals will be laid before Parliament.

This follows in the footsteps of a busy period for the EU regarding the issue of international transfers of personal data. Over the past few months, we have seen:

• the European Commission publish its final version standard contractual clauses for the international transfer of personal data to third countries (the "New EU SCCs") (see our blog post here) and Article 28 clauses (see our blog post here);
• the European Commission adopt two adequacy decisions for the UK (under both the GDPR and the Law Enforcement Directive); and
• the EDPB issue its finalised guidance on supplementary tools resulting from the Schrems II judgment from the Court of Justice of the European Union (see our blog post here).

Key Takeaways

• The UK's approach - The ICO has adopted a user-friendly, business-focused and streamlined approach to implementing an updated set of Standard Contractual Clauses to address transfers of personal data outside of the UK and has devised a similarly user-oriented and pragmatic mechanism for conducting risk assessments in relation to these transfers (each a "TRA"), required as a result of the Schrems II decision. In addition, the Addendum provides an effective mechanism for UK organisations to interface with EU requirements in relation to transferring personal data outside of the EU and the scope of the consultation highlights the ICO's willingness to integrate with global privacy positions.
• The IDTA - The IDTA diverges from the approach of the New EU SCCs in its nature and structure in that it is formed of a combination of tables, free text, and mandatory clauses in order to provide organisations with flexibility to adapt it to their circumstances and any pre-existing contractual arrangements, as well as being a relatively simple document for organisations (particularly smaller ones) to contend with. Notably it caters for C2C, C2P, and P2P scenarios but not P2C (each defined below) and does not follow a modular format in the same manner as the New EU SCCs. The mandatory provisions of the IDTA are broadly reasonable in placing obligations on both exporting and importing parties, however they do take on a distinctly English law flavour and include some potentially controversial clauses, for example in relation to incorporating TRAs and commercial positions, English language requirements, and the introduction of an IDTA-specific arbitration scheme.   
• The TRA - The Risk Assessment Guidance is a helpful and detailed attempt by the ICO to support organisations with their obligation to undertake a TRA. It adopts a solution-oriented and risk-focused approach that suggests a range of considerations, decision trees, and mitigations which organisations can apply when undertaking a TRA and will form an integral part of putting in place an IDTA.   
• Timeline - The ICO has issued the IDTA, Risk Assessment Guidance, and Addendum for consultation to seek industry stakeholder views, notably in the context of legal, economic or policy considerations. The consultation closes on 7 October 2021 following which consultation analysis and finalisation will occur before putting the proposals before Parliament. A finalised IDTA, Risk Assessment Guidance, and Addendum could be expected in late 2021 or early 2022 and, in the consultation, the ICO is also seeking views on transition periods post-implementation, namely: a 3 month grace period for organisations to introduce IDTAs for new arrangements, with a further 21 months (i.e. 24 months in total) to repaper existing arrangements.

Legal Background

Chapter V of the UK GDPR prohibits the transfer of personal data out of the UK to a third country or international organisation unless one of a number of available conditions under the UK GDPR is satisfied.

One of the conditions most often relied upon to legitimise the international transfer of personal data is the use of so-called Standard Contractual Clauses (effectively a contract entered into between the data exporter and the data importer and impose certain data protection obligations on both parties).

Prior to Brexit, the UK utilised two different sets of SCCs which had been approved by the European Commission to cover transfers from: (i) a controller to another controller ("C2C"); and (ii) a controller to a processor ("C2P") (the "Old EU SCCs").

Following Brexit, the European Commission has published the New EU SCCs to update the Old EU SCCs in light of GDPR, the Schrems litigation, and to remediate a number of weaknesses in the drafting. However the New EU SCCs do not apply to transfers from the UK to jurisdictions outside the UK, and UK-based organisations have in the meantime needed to rely on the Old EU SCCs when transferring personal data outside of the UK.

As a result, the ICO has been working to establish the UK's position in relation to legitimising international transfers of personal data out of the UK from a contractual and logistical perspective and the IDTA and Risk Assessment Guidance is the result.

Given the interplay with the New EU SCCs, the UK's approach has been keenly awaited and in this blog we "summarise" (the IDTA and Risk Assessment Guidance are lengthy) some of the key changes and considerations for organisations and international data flows.

The UK's approach to standard contractual clauses

In this section, we look at each of the IDTA, Risk Assessment Guidance, and Addendum in more detail.

IDTA

IDTA Overview

The IDTA is the document which UK organisations will need to put in place when transferring personal data outside of the UK.

The ICO has adopted a distinct approach to the IDTA, in particular:

• Nature of the agreement: The IDTA has been developed as an agreement which can either act as a standalone data transfer agreement between parties, or be incorporated into a broader commercial agreement or other arrangement (termed "Linked Agreements" by the ICO).
• Structure: We discuss the structure in more detail below, but broadly it consists of a combination of tables alongside a set of mandatory operative provisions and free text sections. This appears to have been designed to enable the parties to it to adapt it to their particular needs and broader contracting arrangements.  
• Controller and processor data flows: As with the New EU SCCs, the ICO has ensured that the IDTA is appropriate for use in C2C, C2P, and processor to processor ("P2P") scenarios. The IDTA does not, however, contain any clauses to address cross-border transfers from processors to controllers ("P2C"), which the European Commission controversially introduced in the New EU SCCs.
• Application of the relevant provisions: The IDTA does not follow a strictly modular structure (as per the New EU SCCs) and has instead developed provisions which are designed to be applicable depending on the factual circumstances of the parties (e.g. if the importer's processing is subject to UK data protection law, then the importer does not need to comply with clauses regarding data subject rights (on the basis that they will be directly applicable)). The IDTA does provide that non-applicable provisions can be removed but, as discussed below, this does not appear to be mandatory and therefore is unlikely to happen in practice when organisations start implementing the IDTA.

The approach taken by the ICO appears to provide a more streamlined, flexible, and business-friendly mechanism for organisations to deploy the IDTA where necessary, certainly in terms of its non-modular nature and accessible manner in detailing the necessary elements of a transfer. In comparison to the New EU SCCs, the removal of a potentially complex and time-consuming analysis to implement the appropriate combination of modules is to be welcomed, although the 'if applicable' approach of the IDTA mandatory clauses does present its own challenges of interpretation, not only to the uninitiated.

IDTA Structure

Considering the IDTA at a more granular level, it has been arranged in four parts:

1. A series of four tables to detail the nature of the transfer and any further protections (this includes population of the relevant details of the importer and exporter, a string of check-boxes to document information on the transfer itself and data involved, and a free text area to including additional security requirements which have been identified as necessary further to a TRA).
2. A section where additional technical, organisational, and contractual protections can be set out which have been identified as necessary following a TRA (and for which the ICO's TRA tool provides examples). This section envisages being able to cross-refer to relevant other areas (e.g. relevant parts of a Linked Agreement or the security requirements sections of the first part of the IDTA).
3. A section for commercial clauses which, while perhaps useful for smaller organisations and low-risk arrangements, is likely to have limited utility with parties almost certainly having a distinct commercial arrangement (i.e. a Linked Agreement) and requiring one in a C2P scenario in order to have in place appropriate Article 28 clauses.
4. The mandatory clauses which, ultimately, are the most important, operative part of the IDTA and are discussed in detail below.

This structure provides an adaptable model which organisations should find relatively simple to both populate and review, which should assist organisations will putting in place, and feeling comfortable about, a compliant international data transfer arrangement.

Mandatory Clauses

The fourth part of the IDTA is an area which will attract a significant amount of scrutiny given the mandatory nature of the clauses, and indeed it proposes some particularly notable positions:

• Amendments: The IDTA does not permit any amendments other than: to update cross-references where amendments to parts one to three of the IDTA require it; in order to render the IDTA multi-party; and to dis-apply any non-applicable provisions.

In relation to the latter point, as noted above, the IDTA is not strictly modular, however the mandatory clauses contain a range of caveat drafting across them which dis-applies certain clauses depending on the nature of the party (controller, processor). While simplifying the approach in terms of incorporating the IDTA (i.e. rather than choosing specific modules as per the EU's mechanism), the interoperability of clauses is not always clear. Additionally, where parties do dis-apply provisions, given it would appear that dis-applied provisions will apply regardless if they were incorrectly dis-applied, there is perhaps little utility to undertaking such a task. The publication by the ICO of worked versions of amended mandatory clauses would perhaps be useful in this regard.

• Precedence: The terms of the IDTA will take precedence over any Linked Agreement or other agreement (which could include the New EU SCCs), unless there is greater protection provided by other terms or the other terms are a requirement due to Article 28 of UK GDPR. A potential conflict between EU and UK positions (each of the IDTA and New EU SCCs claim precedence) has, from a UK perspective, been to some extent fudged in leaving it to a consideration of the relative level of a protection of a term.
• TRAs: There is a somewhat unsatisfactory circular contractual position whereby the exporter is under a duty to provide the importer with a copy of any TRA the exporter has undertaken, but the importer is bound to a contractual promise that prior to entering the IDTA it has provided the exporter with "all relevant information" which is "complete and accurate" (a high bar) regarding the local laws of the importing country in order to enable the importer to undertake the TRA. The importer is also under a continuing obligation to verify whether local laws change and inform an exporter if such change would impact its ability to comply with its obligations under the IDTA.

Given the broad definition of 'local laws' under the IDTA, this raises several issues including the implications for pre-contractual representations and information provision, the quality of knowledge of an importer, and the extent to which importers will or can comply with such an onerous obligation.

• ICO involvement: The IDTA provides that both importer and exporter agree to provide the ICO with certain information (including the IDTA, any TRA, and the importer's information regarding local laws) where it reasonably requests it. As well as providing the ICO with an avenue to access a substantial amount of information on local law requirements and risk assessments, these provisions place a direct obligation on an importing entity who perhaps might have no other link to the UK, to provide information to a UK-based regulatory information request (of particular relevance to entities further down in a chain of processors).
• Data subject requests: The IDTA provides that, where a data subject requests a copy of the IDTA from the exporter or importer, this must be provided to them. It is accepted that Linked Agreements do not need to be provided however, if the commercial clauses section of the IDTA is used, while they can be redacted for the purposes of sending to a data subject, a summary of the information must be provided. As such it seems unlikely that parties would complete this section of the IDTA given the potential for disclosure.
• English language requirement: Where a controller is the importer, there is an obligation on them to be able to easily communicate with data subjects in English and without undue delay, which is a potentially onerous expectation.
• Commercial provisions: The IDTA incorporates a range of commercial positions and provisions which, given the precedence of the IDTA over a Linked Agreement, could have broader implications as, depending on the importance of the data transfer element to the agreement, commercially agreed positions may be frustrated by positions under the IDTA:
  • Liability: There is an uncapped liability regime in relation to a party's breach of the IDTA causing damage to a data subject, with a fairly high bar for proving non-involvement in an incident causing damage.
  • Significant Harmful Impact: The IDTA introduces the concept of 'Significant Harmful Impact' whereby, if there is more than a minimal risk of a breach to the IDTA which may cause indirect or direct significant damage to a data subject or a party, this will be a trigger for various termination rights. This appears to be looking to align with the approach to data breaches, however the various rights to terminate resulting from this make this a material contractual consideration.
  • Third party rights: Data subjects have a range of provisions under the IDTA under which they can bring a claim against either the exporter or importer (as applicable) and the ICO also has more limited direct rights under the IDTA.
  • Boilerplate: Provisions regarding notice, assignment, sub-contracting, and severance (amongst others) have been included and this could cause issues, for example where a Linked Agreement permits unrestricted assignment, this would not be able to occur as the IDTA requires the consent of the other party.
• Arbitration: The IDTA suggests that a specific IDTA arbitration scheme could be introduced as an optional dispute resolution mechanism for use in claims between the parties or involving the ICO or data subjects. A data transfer-specific arbitration scheme would be a novel mechanism in this context.

Risk Assessment Guidance and TRA

The ICO has produced the Risk Assessment Guidance in light of the decision in Schrems II in order to assist organisations with carrying out a TRA as part of putting in place an IDTA. It consists of guidance pertaining to general considerations for organisations conducting a TRA, as well as a detailed TRA tool.

Some of the key points emerging from this are:

• Not an adequacy assessment: The Risk Assessment Guidance contains a disclaimer that a TRA should not amount to a mini-adequacy assessment, but rather a consideration of whether the destination jurisdiction "shares certain key principles which underpin [their] law and practice", and should focus on two key aspects: (i) enforceability of the IDTA's provisions; and (ii) third party access to data. If these aspects are sufficiently similar, then the IDTA's provisions should provide sufficient protection within that jurisdiction.

The Risk Assessment Guidance further notes that the assessment should not involve a consideration of the whole country's legal regime, but only the aspects which are relevant to the transfer. The extent to which this is practicable is perhaps questionable, particularly in light of the factors that the ICO suggests need to be considered, although the narrow focus of the assessment, which is supplemented by the detailed information in the ICO's TRA tool, provides some comfort (see below).

• Factors to consider: The ICO highlights a range of factors to consider in relation to: (i) the particular facts of the transfer (type of data, purpose, movement, etc.); (ii) the facts of the jurisdiction destination (human rights record, legal system, laws and practices regarding third party access); and (iii) the potential impact on data subjects and any risk of harm. The ICO notes that some jurisdictions should be obvious, for instance where there is rule of law or robust regulation of third party access to data (although there is no "shortcut" TRA approach for obvious jurisdictions), but there will likely be a range of liminal countries where a granular analysis will be technical and time consuming, even more so in complex multijurisdictional transfer scenarios.
• Assessment and reassessment: The Risk Assessment Guidance (and the IDTA) make clear that ongoing review of a transfer arrangement will be required both where the context changes (such as due to a change in law, nature of the transfer evolves, or there are technical developments) and periodically. Indeed, given that the ICO will have both a regulatory and contractual mechanism for requesting TRAs, ensuring that there is an internal, operational mechanism to undertake the necessary TRAs, and ensure that they do not become historic, will be important.
• The TRA tool: The ICO's TRA tool is structured around a three part process (transfer assessment followed by consideration of an IDTA's enforceability and the protection from third party access to data which are afforded in the importing jurisdiction) in order to ascertain whether and how, in routine transfer scenarios, any supplemental measures need to be incorporated into the IDTA:
  • Analysis support: Each stage of the TRA has been designed with decision trees and detailed guidance which will assist organisations with considering and developing their documented TRAs.

Of particular assistance are a range of tables which: detail the types of data and context within which a red, amber, green risk rating can be applied (e.g. basic contact details of consumers would likely be low risk/green); note considerations to inform whether enforceability and access are sufficiently similar to the UK; and highlight factors which may develop and adjust an organisation's consideration of a risk level (e.g. an intra-group transfer lowering the risk, versus a large volume of data about an individual likely increasing the risk).

• • Supplementary measures: Following each step of the analysis, the Risk Assessment Guidance provides practical technical, organisational, and contractual steps which can be taken depending on the level of risk identified (e.g. a spectrum of encryption or more robust contractual complaint mechanisms).
  • Risk: Notably the tool highlights the importance of focusing on "risk" where an opinion on a jurisdiction is difficult to form. This approach, allied to the pragmatic risk mitigations given, provides practical and considered support which recognises the importance of maintaining data flows while providing sufficient protections, which organisations will likely find very helpful.

• Complex scenarios: More complex transfer scenarios will require a more forensic analysis and the ICO highlights situations such as multijurisdictional arrangements, novel technology usage, and countries with a questionable human rights record that could produce a high risk and where relying on the tool will not be sufficient. That said, the range of user-friendly and focused guidance and considerations in the tool will no doubt assist organisations with undertaking a more complex analysis.

Addendum

The ICO has produced an Addendum which is designed to be used in combination with the New EU SCCs in order to validate international transfers to a third country and provides for a range of non-controversial amendments to the New EU SCCs to adapt them to apply in a UK context.  The intention appears to be to provide an alternative to the IDTA route whereby a UK organisation could utilise the New EU SCCs in combination with the Addendum in order to validate a transfer from the UK (i.e. in a similar way to which the Old EU SCCs are currently used).

Should this route be taken instead of, or in addition to, that of the IDTA, for organisations with an EU and UK nexus it would simplify the contractual process (for both new contracts and any repapering exercise) in that a single, consistent approach could be taken (i.e. implement the New EU SCCs incorporating as necessary the Addendum). However if only the Addendum route was taken, then UK organisations would need to adopt the modular mechanism and become cognisant of the complexities regarding the New EU SCCs.

Indeed it is interesting to note that the ICO's consultation document is seeking views on the adoption of the Addendum in the context of the New EU SCCs, but also whether there are any other model data transfer agreements for which such a path could be taken (calling out also New Zealand and the Association of Southeast Asian Nations' model clauses). It may be then that the result of the consultation brings about various routes by which a transfer from the UK can be legitimised for UK organisations (perhaps based on the importing jurisdiction), which would be consistent with the UK's stated business-friendly, flexible approach to international data flows.

Final Thoughts

The ICO has devised a detailed and well-considered approach to address international transfers of personal data out of the UK in a post-Brexit world which has clearly been designed to interface with EU and global data protection and privacy laws and practice. As such, early concerns raised in relation to the UK adopting a drastically different mechanism to that of the EU (with the potential to cause chaos for multi-national organisations transferring personal data in and out of both the UK and EU), have been somewhat quelled.

Certainly the TRA is a document which will likely provide great assistance to UK (and potentially EU-based) organisations as they grapple with the risk assessment requirement brought about by Schrems II. Indeed it is perhaps difficult to see what more the ICO could have done in this regard as the TRA is practical, solution-oriented, and user-friendly.

The IDTA does diverge from the approach taken by the EU in relation to the New EU SCCs, but the IDTA's combination of tables, free text, and mandatory clauses is once again more business-focused and streamlined. The format enables parties to be flexible depending on their current and future arrangements and, by way of the Addendum, provide effective interoperability with the New EU SCCs. The mandatory clauses of the IDTA do, however, raise some questions, in particular those which have a distinctly English contract law flavour, and may result in some robust discussions with non-English counterparties.

It will be fascinating to see what responses the ICO will receive as part of the consultation and what ICO's final approach (including in relation to timeframes for implementation) will be.