International data transfers in a dynamic regulatory environment

In an outsourcing context, dual concurrent regulation of restricted transfers by both the EU GDPR and UK GDPR will be far more likely

for sophisticated businesses with EEA/UK operations. For example, a UK-headquartered business with operations in the EEA and the UK that is seeking to migrate group-wide data to a US-based cloud services provider as part of its digital transformation would need to map its data flows to check if its restricted transfers were subject to the EU GDPR, the UK GDPR or both.

How can we lawfully transfer personal data internationally?

International transfers can either be consciously undertaken as a core part of a project in their own right (like in the above data migration example) or more incidentally, like where data is merely accessed from another country for urgent IT support (perhaps from the US or India) even though the data is hosted in a local data centre (for example, in the EEA or UK). A service provider need only access the data in order to activate the relevant data transfer rules.

Under both the EU GDPR and UK GDPR, restricted transfers are permitted, without additional safeguards, if the data importer is in a third country that has received an adequacy decision.  On 28 June 2021 the European Commission adopted its adequacy decision in favour of  the UK, permitting the free flow of personal data from the EEA into the UK. The adequacy decision has a sunset clause and automatically expires on 27 June 2025, though renewal is possible as long as the UK continues to ensure an adequate level of data protection (although this will also be largely subject to the political environment of the time and is by no means guaranteed). Likewise, but with no sunset clause, the UK has made a reciprocal adequacy decision in favour of the EEA member states. However, neither adequacy decision removes the need for additional safeguards in relation to the onward transfer of personal data from the EEA and UK to a third country (such as the US).

The combined effect of the EU and UK adequacy decisions is that personal data may be transferred, without restriction or additional safeguards, between the EEA and UK, but, if the data is subsequently onward-transferred  to another third country, then this must be assessed to determine whether the importer will be in a third country with an adequacy decision.  If personal data is transferred to a country with no adequacy decision, then the restricted transfer is permitted only if measures are taken to ensure that the level of protection afforded to data subjects is not undermined (and a Transfer Risk Assessment has been carried out for Schrems II purposes). In practice, this means adopting one of the following appropriate safeguards: Standard Contractual Clauses (SCCs) issued by the European Commission (EU/EEA) and/or the ICO (UK), and supported where necessary by technical and organisational measures.

• Binding Corporate Rules (BCRs) authorised by a supervisory authority (EU/ EEA) and/or the ICO (UK) – a potentially costly and protracted exercise. BCRs can be used by multinational businesses to regulate intra-group international data transfers but cannot be used for “arm’s length” transactions such as outsourcings (unless, of course, it is an intra-group outsourcing for one of the limited number of businesses that have approved BCRs, or for intra-group transfers between the service provider’s different group companies).
• Bespoke contractual clauses authorised by a supervisory authority (EU/EEA) and/or the ICO (UK) to govern a specific restricted transfer.
• Approved codes of conduct, which are not yet in use.
• Certifications under an approved certification scheme, which are not yet in use.

SCCs remain the “go to” option for most businesses due to their familiarity with them, flexibility and the lack of need for regulatory authorisation (unlike the bespoke contractual clauses).

What are the compliance challenges for businesses transferring data from both the EEA and UK across several outsourcings?

The position on the use of SCCs is different under the EU GDPR and the UK GDPR:In June 2021 the European Commission formally approved a new, modular set of SCCs which lets the data exporter choose from the following options: (a) controller- to-controller transfers (Module 1); (b)  controller-to-processor transfers (Module 2);  (c) processor-to-processor transfers (Module 3); and (d) processor-to-controller transfers (Module 4).

On 11 October 2021, the ICO closed a consultation which set out its proposals for an International Data Transfer Agreement (IDTA) (effectively the UK’s equivalent to the EU’s new SCCs) and also included the possibility of using the new EU SCCs together with a UK Addendum, which would help create a single, streamlined compliance process for data flows that involve restricted transfers from both the EEA and UK. The outcome of the consultation is to be clarified in the upcoming months, but, for current UK GDPR purposes, the pre-Brexit SCCs (that is, the old EU SCCs) should be used (although changes may be made to them so that they make sense in a UK context provided that their legal meaning is not changed, e.g. changing references from EU laws and institutions to their UK equivalents). The new EU SCCs are not valid for UK use even though they offer greater protection due to them being drafted to meet the requirements of the GDPR, unlike the old EU SCCs.

This means that, for now, restricted transfers under the EU GDPR require the new EU SCCs whereas restricted transfers under the UK GDPR require the old EU SCCs until the UK’s post-consultation position is finalised. This creates a number of practical challenges for businesses in the meantime, including the following:

• For an outsourcing involving restricted transfers under both the EU GDPR and the UK GDPR, businesses will need to put in place both sets of SCCs. This presents an interesting challenge for businesses seeking to balance the burden of dual requirements with pragmatic solutions (especially so for sophisticated businesses managing data transfers across a number of outsourcings and also their non-outsourcing third party suppliers).
• A potential quirk of the current regulatory position arises where personal data is both: (a) transferred from the EEA to the UK, or from the UK to the EEA; then (b) subsequently onward-transferred to  another third country (the US, for example). Given that this same transfer of personal data would ultimately be treated as both a restricted transfer and an onward transfer under the EU GDPR and UK GDPR  (as applicable), it would appear strictly necessary for it to also be governed by both the new and old EU SCCs. Equally, any subsequent onward transfer would  require the parallel flow down of contractual obligations by written agreement under both the new and old EU SCCs to ensure continued strict compliance with both the EU GDPR and UK GDPR. The impractical and uncommercial nature of this dual requirement has been raised in several responses to the ICO’s consultation on the mechanisms for international transfers under the UK GDPR, with responses strongly favouring an approach that would allow use of the new EU SCCs together with the proposed UK Addendum in order to limit documentary requirements.
• The new EU SCCs cover processor-to- processor transfers and processor-to- controller transfers, which the old EU SCCs do not. Businesses will therefore need to carefully consider how to address related compliance gaps and monitor developments in this area.

The current discrepancy between the EU GDPR and UK GDPR requirements in relation to SCCs and international data transfers more generally is a significant compliance challenge for businesses, especially for sophisticated businesses managing several of each of the following concurrently:

• Data-heavy outsourcings.
• Other non-outsourcing third party services.
• Data migration projects.
• Wider digital transformation across the business requiring each of the above and more.

Not to mention that international data transfers will for most (if not all) businesses be one of many in-flight key compliance projects. For example, UK banks and insurers will need to ensure that their outsourcings not only comply with the relevant data transfer rules, but also comply with the recent statements issued by the FCA, PRA and BoE on operational resilience, outsourcing and third-party risk management (as well as any corresponding requirements issued by other relevant  regulators). Getting the data transfer right is therefore often one complex part of a much larger puzzle.

What do we need to know about the ICO’s IDTA consultation?

The UK GDPR’s legal requirements for international transfers will be uncertain for the foreseeable future (whilst the IDTA remains  in the consultation phase), although they are drafted to mirror and accommodate their EU equivalent. The ICO’s consultation covered three topics:

• Proposed updates to international transfers guidance.
• Transfer Risk Assessments (TRA): following Schrems II, risk assessments are a necessary step for international transfers of personal data. TRAs prompt businesses to assess whether an IDTA alone would provide sufficient protection or whether any additional safeguards should be implemented.
• Proposals for a UK IDTA (to cover data transfers from the UK only) and a UK Addendum to be added to the new EU SCCs (to cover data transfers from both the EEA and UK), which, if adopted, would offer a welcome and simplified mechanism for data compliance, and cut down on the burden for businesses. It is likely that the outcome of the ICO consultation and implementation of the UK’s compliance mechanism will not be in place until at least Q2 2022.

What potential options are available for businesses?

It is clear then that the current landscape is becoming increasingly complex, with gaps emerging between the EU and UK regulatory regimes as well as differing timescales. That all poses additional challenges to be addressed >when putting in place or renewing international outsourcing arrangements, particularly in the absence of any meaningful guidance on how to deal with the EU/UK grey areas. What is called for then is a clear and informed strategy with appropriate prioritisation and a considered approach for addressing the current gaps, including the potential deployment of drafting options to cover the various permutations for compliance which are expected to arise over the coming months.

Some of the potentially available provisional options for businesses to consider are as follows:

• Strict compliance with the EU GDPR and UK GDPR. For outsourcings involving transfers of personal data from both the EEA and UK to third countries, this would require businesses to use both the new and old EU SCCs, then change tack and repaper once the UK’s position is finalised (e.g. if it adopts the currently proposed UK Addendum).
• Using only the new EU SCCs along the contractual chain for the time being – from our recent experience there appears to be an emerging market trend for cloud service providers to be favouring this option. As part of this option businesses might also produce a detailed internal document explaining the reasons for the decision to adopt only the new EU SCCs and wait for the ICO to publish guidance on how to strictly comply with UK GDPR following the consultation. The reasons why businesses may be reluctant to pursue two parallel sets of SCCs could be based on, amongst other things: (a) the considerable costs of implementing short- term measures whilst the ICO is considering a way forward; and (b) that the compliance gap can be readily addressed once the UK position is clarified. The practice of fully and properly documenting such decisions, and having a clear project plan in place for the timely implementation of the UK solution (once finalised), will all contribute to show to the ICO, if ever needed, intelligent engagement with the GDPR and that the business has ultimately thought about protecting data subjects when transferring their data.
• As part of the above two options businesses could also seek to future-proof contracts with drafting that incorporates the UK IDTA or UK Addendum by reference, potentially avoiding the need to repaper for UK GDPR restricted transfers at a later date.
• Adopt a risk-based hybrid approach, that takes into account the materiality of the outsourcing, the volumes/sensitivity of the personal data, issues identified during the due diligence and ongoing management of the service provider (e.g. previous personal data breaches suffered), rights and remedies available under the outsourcing agreement, priority third countries requiring strict compliance, etc.

Crucially, recent enforcement actions by EU supervisory authorities and the ICO have emphasised that contractual protection alone will in most cases be insufficient. The legal minimum standard for adequate safeguards include technical and organisational measures  to be put in place when handling personal data. In practice: (a) contractual protection can be pursued via the adoption of the SCCs;  (b) specific technical security measures might include encryption and hashing of personal data, as well as current awareness of emerging threats to cybersecurity; and (c) organisational measures can include appropriate governance, policies, procedures and processes to be put in place to assess and monitor security threats to personal data (possibly including the testing of security systems through “motivated intruder” attacks).

Which option should we choose?

Which options are appropriate will ultimately depend on a detailed analysis of the transfers in question and the risk appetite of the business involved. That said, a pragmatic approach does seem possible, provided that careful consideration is given to the issues and appropriate documentation of decisions made is put in place, should things end up under the microscope in the future.

This article was first published in the Outsourcing Focus issue, December 2021.