There are some updates for any business that holds personal data subject to the GDPR in the UK or EU and which exports the data to countries outside the UK/EU.
Transfers out of the EU to non-approved countries
For businesses subject to the EU GDPR (i.e. those that process personal data of individuals in the EU for the purpose of offering goods/services or monitoring their behaviour), the deadline of 27 December 2022 applies in respect of the European Commission’s (“EC”) new Standard Contractual Clauses (“EU SCCs”). The new EU SCCs replace the previous version and contain modular content applicable to the specific type of transfer, creating a more tailored approach. Unless alternative EU GDPR safeguards have been implemented, the EU SCCs must be implemented by each data controller/processor that makes “restricted transfers” of personal data to a controller/processor located outside of the EU in a territory not subject to an adequacy decision by the EC.
From the 27 December deadline, it is no longer permitted to conclude contracts incorporating the earlier sets of SCCs. Controllers and processors may only continue to rely on the earlier SCCs if (a) the relevant contract was concluded prior to 27 September 2021 and (b) the processing operations that are the subject matter of the contract remain unchanged.
Transfers out of the UK to non-approved countries
For businesses subject to the UK GDPR, the UK has implemented its own International Data Transfer Agreement (“IDTA”) for restricted transfers outside of the UK to non-EU or non-“adequate” territories, which came into force on 21 March 2022. In line with the EC’s approach, the UK has recognised the following territories as being adequate for the purpose of data transfers under the UK GDPR:
Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland and Uruguay.
In August 2021, the UK Government announced that it is working in partnership with a number of priority destinations which may be the subject of adequacy regulations in the future, including Australia, Brazil, Colombia, The Dubai International Financial Centre, India, Indonesia, Kenya, The Republic of Korea, Singapore and the US.
For those businesses subject to both the UK and EU GDPR that carry out international transfers, the UK has also implemented an International Data Transfer Addendum (“Addendum”), which can be signed alongside the EU SCCs in order to comply with both sets of legislation (removing the need to sign the UK IDTA separately). The IDTA and the Addendum take into account the binding judgement of the European Court of Justice in the case commonly referred to as “Schrems II”, which invalidated the Privacy Shield as the basis for making restricted transfers to the US.
ICO new guidance – international transfers
The UK Information Commissioner’s Office (“ICO”) has also recently published updated guidance on international transfers. The guidance applies mainly to controllers and processors located in the UK and includes a number of checklists and examples of scenarios that would or would not be deemed a restricted transfer for UK GDPR purposes.
A section on Transfer Risk Assessments (“TRA”) is also included in the guidance; a TRA must be carried out before relying on any safeguard for restricted transfers (under Article 46 UK GDPR).
The ICO’s guidance offers two types of TRA: an assessment which matches that mandated by the EC for transfers out of the EU, and a ‘homegrown’ test (which could be used if the transfer was UK data only) looking at ‘additional risk’ for privacy if the transfer proceeds. The latter is the approach taken in the ICO’s “TRA Tool”, which is a template document with questions and guidance that sets out one way to undertake and satisfy the TRA requirement. The TRA Tool requires organisations to consider the specific circumstances of the restricted transfer, including whether any “significant risk data” would be involved in the transfer.
Notably, the guidance states that a TRA must be carried out by organisations relying on an Article 46 transfer mechanism, suggesting that this applies to all restricted transfers of data. This means that a TRA should be completed by all controllers/processors carrying out restricted transfers (i.e. even where SCCs, an IDTA or other safeguards have already been implemented), rather than only in respect of prospective/new transfers.
The ICO has also expressed its intention to issue further guidance to assist organisations in implementing the IDTA and the Addendum, which will include clause-by-clause guidance. This will come as a welcome addition given that confusion has arisen since their implementation, particularly in respect of the vague nature of the security requirements and extra protection elements of the IDTA.