The way international data transfers are made from the UK is about to change. This is part of a series of measures to make UK laws fit for purpose now that we have left the EU. The new legal mechanism is based on very different criteria to the EU version. The new measures are complex and likely to cause uncertainty and a greater risk of non-compliance.
Up until now, if you needed to transfer data, including storing data, outside of the UK/EU/EEA, your most likely remedy would be to use the EU Standard Contractual Clauses (SCCs). More recently the EU revised such safeguards and issued three new versions. The ICO pointed out at the time that UK Data Controllers should not use the new clauses and should wait until it announced the UK arrangements. So, in short, we have been waiting for further direction.
It has now been announced that from the 21st March 2022 the UK will use International Data Transfer Agreements (IDTA) to support transfers outside of the UK. They will not be required if the country to which you are sending the data is EU Adequate, although the UK is developing its own Adequacy Regime. So, as it stands, this includes all of the EU countries and the EEA countries until further notice. However, if you use a CRM system the country of concern will most likely be the US. If so, this information will apply.
There is a transition period allowing for the existing arrangements to be in place until 21st September 2022. Thereafter, if you or your Data Processor (Service provider) are still relying on the old SCCs, there is an Addendum which will effectively allow this to continue and these arrangements will be in force until the 21st March 2024. Thereafter, you will be bound to adopt the new IDTA.
It is of the utmost importance that we ensure we have these legally binding arrangements in place in good time. The IDTA must sit alongside the Art 28 Data Processor Agreement. This agreement is sometimes found within the Principal agreement you have with the provider.
However, we are also required to conduct a Transfer Risk Assessment (TRA), the guidance for which has yet to be published by the regulator. What we do know is that we will need to assess the risk based on the potential impact on the data subject should something go wrong. It appears that the guidance may suggest that ‘Regular’ data categories will not be a concern. But Special Category data (including children’s data) will be high risk. Unlike the EU approach, where the ‘Possibility’ of a breach can attract sanctions, the UK approach is based on the impact should it happen. Therefore, if you are processing sensitive information the risk assessment will be more challenging to complete.
Importantly, the data importer (Service provider) must be bound by UK laws no matter where they are located. This will cause some concerns for some providers. The IDTA also states that any legal action must be conducted in an English Court. Effectively, nobody wants to be sued in a foreign court, so this too may be a barrier for some providers. Finally, all agreements must be written in English which is contrary to the Welsh Language Act.
The risk assessment puts the onus on the controller to establish the security arrangements that are in place, whether the service provider is experienced in such activities, whether they have been subject to failures in such circumstances in the past, and to establish clauses designed to minimise the potential for harm to individuals. This might be to insist upon encryption or to limit access to such data. It requires the country to which you are sending the data to have adopted the EU Convention 108 (The protection of personal data). Unfortunately, the US has not yet adopted the Convention.
Finally and very unusually, the new arrangements allow for the ICO to take civil action against organisations that do not adopt the agreement or infringe it (whether they are controllers or processors) or that do not cooperate with the ICO. This power sits outside of their normal powers and it is a new risk to every organisation. It appears that the EU will be taking a very different approach in the future. Due to the Schrems Cases, it seems increasingly likely that the EU will not permit transfers of data to the US. This will likely cause friction with the UK if we, as is suggested, make the US an Adequate country under our own regime. Therefore, one longer term consideration will be how our future relationship with the EU may affect your processing activities. For example, this may interrupt onward transfers of data from the EU.
If you have any concerns, please get in touch; we would be delighted to assist you.