Introduction
Ahead of its much-anticipated guidance on the UK International Data Transfer Agreement / Addendum (IDTA) (the United Kingdom’s version of the EU standard contractual clauses (EU SCCs)), the UK data protection regulator, the Information Commissioner’s Office (ICO), has revised its guidance on international transfers of personal data under the UK GDPR (Transfer Guidance).
The Transfer Guidance acknowledges the complexities of conducting business across borders and provides a range of practical examples of the key issues that international organizations encounter when transferring personal data to recipients located outside of the United Kingdom (Restricted Transfers).
The Transfer Guidance clarifies what constitutes a Restricted Transfer, who is responsible for complying with Restricted Transfer obligations, and the exceptions that may be relied upon to transfer personal data in the absence of safeguards. Importantly (and somewhat frustratingly to those addressing transfer restrictions under both the EU GDPR and the UK GDPR), while the Transfer Guidance reflects the ICO’s more pragmatic approach to international transfers, it also takes certain positions which diverge from those adopted by the ICO’s EU counterparts.
Restricted Transfers and responsibility for complying with transfer obligations
The Transfer Guidance confirms that a Restricted Transfer involves the following three cumulative factors:
1. The UK GDPR applies. An organization must be subject to the UK GDPR in order for its transfer of personal data to be a Restricted Transfer. The Transfer Guidance clarifies that consumers are out of scope of the UK GDPR (meaning that there is no Restricted Transfer if, for example, UK consumers submit their personal data to a U.S.-based online store that ships to the United Kingdom), and organizations based outside of the United Kingdom may not be making a Restricted Transfer merely through their receipt of personal data directly from UK consumers (i.e. unless they are offering goods or services to UK consumers or otherwise monitoring their behaviour).
2. The organization “initiates and agrees” to send or make personal data accessible to a recipient located outside of the United Kingdom. Only the data controller or processor that “initiates and agrees” to the transfer will be responsible for complying with the obligations regarding Restricted Transfers under the UK GDPR. The organization that enters into a contract with the receiver will typically be deemed to be the organization initiating and agreeing to the transfer and will thus be responsible for complying with the transfer rules.
The Transfer Guidance notes that data flows do not necessarily dictate responsibility for Restricted Transfers and addresses uncertainties in the context of international (sub)processing using several examples, including the following:
- Where a non-UK controller instructs a non-UK processor to process personal data subject to the UK GDPR. The non-UK controller will be responsible for complying with the Restricted Transfer, as it has initiated and agreed to the transfer. For example, an Australian controller that instructs an Australian processor to operate its website (that offers goods to UK consumers) on its behalf will be responsible for compliance, even if data flow directly from UK consumers to the Australian processor. In this case, the Restricted Transfer is deemed to be from the Australian controller to the Australian processor.
- Where a UK controller instructs its UK processor to transfer data to a non-UK controller or one of its other non-UK processors. The UK controller (rather than the UK processor) is responsible for complying with the Restricted Transfer requirements. The presence of a contract between the UK controller and a non-UK processor or controller is typically determinative of this responsibility. In this case, the Restricted Transfer is deemed to be from the UK controller (rather than the UK processor) to the non-UK controller or processor. For example, if a UK controller appoints a UK processor to provide HR payroll services and, separately, a processor in India for HR analytics purposes and instructs the UK processor to send personal data to the Indian processor, the UK controller will be responsible for compliance even though data flow from the UK processor to the Indian processor.
- Where a UK controller authorizes its UK processor to appoint sub-processors, and the UK processor initiates and transfers data to a non-UK sub-processor. The UK processor (rather than the UK controller) is responsible for complying with the Restricted Transfer given that the contractual nexus is between the UK processor and the non-UK sub-processor. For example, a UK processor that appoints a U.S. sub-processor will be responsible for compliance, even if the data may flow directly from the UK controller to the U.S. sub-processor.
The Transfer Guidance notes that these examples are illustrative, and the particular circumstances of the transfer should be considered on a case-by-case basis. The Transfer Guidance also reminds organizations that even if the transfer rules do not apply, other obligations under the UK GDPR may still be applicable (e.g. Article 28 obligations between a controller and processor).
3. The recipient is a separate and legally distinct controller or processor. A Restricted Transfer does not occur if the recipient is not a separate and legally distinct entity (however, a transfer within the same corporate group will still constitute a Restricted Transfer if the recipient is a separate third-country corporate entity). This means, for example, that if a UK controller transfers data to its overseas branch office (which has no separate legal personality), this will not amount to a Restricted Transfer. For example, a UK controller that transfers personal data to employees located in the United States will not be deemed to be making a Restricted Transfer.
Further clarification of concepts
The Transfer Guidance further clarifies the following concepts:
- Making data accessible may constitute a Restricted Transfer. An organization that makes personal data subject to the UK GDPR accessible (e.g. by permitting access to such data on the organization’s UK-based systems or website) to a separate and legally distinct non-UK organization will be deemed to be making a Restricted Transfer.
- Processor-to-controller transfers. A UK processor that returns data to its non-UK controller will never be making a Restricted Transfer. Conceptually, the ICO views this as a transfer within the same legal entity: as personal data provided by the controller are being returned to the same controller, there is no transfer of data to a separate and legally distinct entity.
- Exceptions. Exceptions in Article 49 of the UK GDPR (such as the transfer of personal data required to enter into a contract or to carry out obligations under a contract) may be relied upon in conjunction with an appropriate data transfer safeguard, such as the IDTA. For example, if an organization determines, through a transfer risk assessment, that the use of the IDTA does not provide appropriate safeguards for all risks presented by a proposed transfer, the organization may rely on an exception for the data that are not sufficiently safeguarded.
The Transfer Guidance also clarifies what may constitute necessity for certain exceptions. Under the UK GDPR, the general position is that necessity is required in order for an exception to apply. For example, Restricted Transfers are permitted where the transfer is necessary for the performance of a contract between a controller and the data subject. The Transfer Guidance notes that while this does not mean that the transfer has to be absolutely essential, it must be a “targeted and proportionate way” of achieving a specific purpose that is “more than just useful and standard practice”, and the relevant considerations to take into account include the following: (i) the reason why the transfer is needed; (ii) the alternatives available; (iii) the protections which will be in place; and (iv) the potential harm to individuals. This means that, for example, a UK controller may not be able to justify relying on an exception to transfer personal data to a U.S. processor in order to perform a contract with a data subject if there are alternative (albeit more expensive) UK processors available.
Commentary
The Transfer Guidance mostly aligns with the European Data Protection Board’s (EDPB) guidance on data transfers, as the EDPB’s guidance also stipulates that Restricted Transfers under the EU GDPR involve either a controller or a processor subject to the GDPR that transfers personal data to a separate entity located in a third country. However, one major point of divergence arises with regard to processor-to-controller transfers. Unlike the Transfer Guidance, the EDPB’s guidance states that when an EU processor sends personal data back to its non-EU controller, it will still be making a Restricted Transfer under the EU GDPR. Two further uncertainties also result:
- It is unclear how the Transfer Guidance interacts with the IDTA regarding processor-to-controller transfers. The IDTA functions under Article 46 of the UK GDPR as a safeguard for Restricted Transfers and has clearly been designed to apply to processor-to-controller transfers: the Agreement includes a table that permits organizations to identify the status of the data exporter and importer as a processor and controller, respectively, and the Addendum may be used with all modules of the EU SCCs, including Module 4, which sets forth certain clauses to be used in the event of a processor-to-controller Restricted Transfer of data under the EU GDPR.
- It is also unclear whether the Transfer Guidance stipulates that processor-to-controller transfers will not constitute a Restricted Transfer in all circumstances. Module 4 of the EU SCCs permits organizations to be exempt from certain obligations requiring an assessment of local laws if the EU processor does not combine personal data received from a third-country controller with data collected by the processor in the European Union, on the basis that such personal data are already subject to the third country’s domestic framework. However, this will still constitute a Restricted Transfer under the EU GDPR. The Transfer Guidance appears to indicate that a UK processor that combines personal data received from a non-UK controller with personal data collected by the processor in the United Kingdom (such as personal data collected from UK data subjects) will not be making a Restricted Transfer, although no further granularity on the point was provided.
Next steps
The ICO will be issuing further clarification on the IDTA, and we expect that it will involve clause-by-clause guidance, although the exact content of such guidance remains to be seen. It also remains uncertain as to whether such guidance will address the uncertainties relating to processor-to-controller transfers. We are watching this space for developments.