This article was first published in the Outsourcing Focus issue, December 2021.
Given that outsourcing tends to involve the transfer of operational responsibility for a core business function to a third party (instead of keeping that function in-house), it almost invariably raises complexities around where data is transferred to, or accessed from, for processing.
With recent (and ongoing) parallel developments in both the EU and UK regarding international transfers of personal data, those complexities are only going in one direction - leading to ever increasing challenges for businesses and their advisers to formulate appropriate risk-based strategies to address the shifting sands of the regulations involved.
In this article we set out the background to some of those complexities, the practical challenges raised by them, and some of the potential solutions available to businesses.
What is the current position under the EU GDPR and the UK GDPR?
The Brexit implementation period came to an end at 11pm GMT on 31 December 2020, from which point the EU GDPR and the UK GDPR have been separate bodies of law. A high-level overview of the current general position under both is as follows:
How can we lawfully transfer personal data internationally?
International transfers can either be consciously undertaken as a core part of a project in their own right (like in the above data migration example) or more incidentally, like where data is merely accessed from another country for urgent IT support (perhaps from the US or India) even though the data is hosted in a local data centre (for example, in the EEA or UK). A service provider need only access the data from the other country in order to trigger the relevant data transfer rules; the data does not have to be physically moved.

Under both the EU GDPR and UK GDPR, restricted transfers are permitted, without additional safeguards, if the data importer is in a third country that has received an adequacy decision. On 28 June 2021 the European Commission adopted its adequacy decision in favour of the UK, permitting the free flow of personal data from the EEA into the UK. The adequacy decision has a sunset clause and automatically expires on 27 June 2025, though renewal is possible as long as the UK continues to ensure an adequate level of data protection (although renewal will also be largely subject to the political environment of the time and is by no means guaranteed). Likewise, but with no sunset clause, the UK has made a reciprocal adequacy decision in favour of the EEA member states. However, neither adequacy decision removes the need for additional safeguards in relation to the onward transfer of personal data from the EEA or UK to a third country (such as the US).
The combined effect of the EU and UK adequacy decisions is that personal data may be transferred, without restriction or additional safeguards, between the EEA and the UK. If, however, the data is subsequently onward-transferred to another third country, then that transfer must be assessed to determine whether the importer is in a third country with an adequacy decision. If personal data is transferred to a country with no adequacy decision, then the restricted transfer is permitted only if measures are taken to ensure that the level of protection afforded to data subjects is not undermined (and a Transfer Risk Assessment has been carried out for Schrems II purposes). In practice, in an outsourcing context this usually means adopting the appropriate safeguard of Standard Contractual Clauses (SCCs) issued by the European Commission (EU/EEA) and/or the ICO (UK), supported where necessary by supplementary technical and organisational measures.
What are the compliance challenges for businesses transferring data from both the EEA and UK across several outsourcings?
The position on the use of SCCs is different under the EU GDPR and the UK GDPR.

In June 2021 the European Commission formally approved a new, modular set of SCCs which lets the data exporter choose from the following options: (a) controller-to-controller transfers (Module 1); (b) controller-to-processor transfers (Module 2); (c) processor-to-processor transfers (Module 3); and (d) processor-to-controller transfers (Module 4).
On 11 October 2021, the ICO closed a consultation which set out its proposals for an International Data Transfer Agreement (IDTA) (effectively the UK's equivalent to the EU's new SCCs) and also included the possibility of using the new EU SCCs together with a UK Addendum, which would help create a single, streamlined compliance process for data flows that involve restricted transfers from both the EEA and the UK. The outcome of the consultation is expected to be clarified in the coming months, but, for current UK GDPR purposes, the pre-Brexit SCCs (that is, the old EU SCCs) should be used (although changes may be made to them so that they make sense in a UK context, provided that their legal meaning is not changed, e.g. changing references from EU laws and institutions to their UK equivalents). The new EU SCCs are not valid for UK use, even though they offer greater protection because they were drafted to meet the requirements of the GDPR, whereas the old EU SCCs pre-date it.
This means that, for now, restricted transfers under the EU GDPR require the new EU SCCs whereas restricted transfers under the UK GDPR require the old EU SCCs until the UK’s post-consultation position is finalised. This creates a number of practical challenges for businesses in the meantime, including the following:
What do we need to know about the ICO's IDTA consultation?

The UK GDPR's legal requirements for international transfers will remain uncertain for the foreseeable future (whilst the IDTA remains in the consultation phase), although the ICO's proposals are drafted to mirror and accommodate their EU equivalent. The ICO's consultation covered three topics:
What potential options are available for businesses?

It is clear then that the current landscape is becoming increasingly complex, with gaps emerging between the EU and UK regulatory regimes as well as differing timescales. That all poses additional challenges to be addressed when putting in place or renewing international outsourcing arrangements, particularly in the absence of any meaningful guidance on how to deal with the EU/UK grey areas. What is called for then is a clear and informed strategy with appropriate prioritisation and a considered approach for addressing the current gaps, including the potential deployment of drafting options to cover the various permutations for compliance which are expected to arise over the coming months.

Some of the potentially available provisional options for businesses to consider are as follows:
Which option should we choose?

Which options are appropriate will ultimately depend on a detailed analysis of the transfers in question and the risk appetite of the business involved. That said, a pragmatic approach does seem possible, provided that careful consideration is given to the issues and the decisions made are appropriately documented, should things end up under the microscope in the future.