Given that outsourcing tends to involve the transfer of operational responsibility for a core business function to a third party (instead of keeping that function in-house), it almost invariably raises complexities around where data is transferred to or accessed from for processing.
With recent (and ongoing) parallel developments in both the EU and UK regarding international transfers of personal data, those complexities are only going in one direction - leading to ever increasing challenges for businesses and their advisers to formulate appropriate risk-based strategies to address the shifting sands of the regulations involved.
In this article we set out the background to some of those complexities, the practical challenges raised by them, and some of the potential solutions available to businesses.
What is the current position under the EU GDPR and the UK GDPR?
The Brexit implementation period came to an end at 11pm GMT on 31 December 2020 which made the EU GDPR and UK GDPR separate bodies of law. A high-level overview of the current general position under both is as follows:
- Restricted transfers of personal data from the EEA and/or UK to a third country are subject to certain data transfer rules under the EU GDPR and UK GDPR (as applicable). A third country is any country falling outside the zone of the relevant GDPR and would include countries such as the US and India as well as the EEA member states (under the UK GDPR) and the UK (under the EU GDPR).
- Under both the EU GDPR and UK GDPR, businesses will usually be making a restricted transfer if the following three conditions are satisfied: (a) the relevant GDPR governs the data exporter’s processing of the transferred data; (b) the data is being sent, or made accessible, to a data importer whose data processing is not governed by the relevant GDPR; and (c) the data importer is a legally distinct separate business.
- Under both the EU GDPR and UK GDPR, businesses should put in place appropriate safeguards before making restricted transfers to protect data subjects’ rights and freedoms (more on this in the following section), unless the European Commission (for EU GDPR restricted transfers) and/or ICO (for UK GDPR restricted transfers) have decided that the level of data protection in the data importer’s country is “essentially equivalent” to the EU/UK and has granted an adequacy decision in favour of that third country (like the European Commission has done for the UK and the ICO has done for the EEA member states).
In an outsourcing context, dual concurrent regulation of restricted transfers by both the EU GDPR and UK GDPR will be far more likely for sophisticated businesses with EEA/UK operations. For example, a UK-headquartered business with operations in the EEA and the UK that is seeking to migrate group-wide data to a US-based cloud services provider as part of its digital transformation would need to map its data flows to check if its restricted transfers were subject to the EU GDPR, the UK GDPR or both.
How can we lawfully transfer personal data internationally?
International transfers can either be consciously undertaken as a core part of a project in their own right (like in the above data migration example) or more incidentally, like where data is merely accessed from another country for urgent IT support (perhaps from the US or India) even though the data is hosted in a local data centre (for example, in the EEA or UK). A service provider need only access the data in order to activate the relevant data transfer rules.
Under both the EU GDPR and UK GDPR, restricted transfers are permitted, without additional safeguards, if the data importer is in a third country that has received an adequacy decision. On 28 June 2021 the European Commission adopted its adequacy decision in favour of the UK, permitting the free flow of personal data from the EEA into the UK. The adequacy decision has a sunset clause and automatically expires on 27 June 2025, though renewal is possible as long as the UK continues to ensure an adequate level of data protection (although this will also be largely subject to the political environment of the time and is by no means guaranteed). Likewise, but with no sunset clause, the UK has made a reciprocal adequacy decision in favour of the EEA member states. However, neither adequacy decision removes the need for additional safeguards in relation to the onward transfer of personal data from the EEA and UK to a third country (such as the US).
The combined effect of the EU and UK adequacy decisions is that personal data may be transferred, without restriction or additional safeguards, between the EEA and UK, but, if the data is subsequently onward-transferred to another third country, then this must be assessed to determine whether the importer will be in a third country with an adequacy decision. If personal data is transferred to a country with no adequacy decision, then the restricted transfer is permitted only if measures are taken to ensure that the level of protection afforded to data subjects is not undermined (and a Transfer Risk Assessment has been carried out for Schrems II purposes). In practice, this means adopting one of the following appropriate safeguards:
- Standard Contractual Clauses (SCCs) issued by the European Commission (EU/EEA) and/or the ICO (UK), and supported where necessary by technical and organisational measures.
- Binding Corporate Rules (BCRs) authorised by a supervisory authority (EU/EEA) and/or the ICO (UK) – a potentially costly and protracted exercise. BCRs can be used by multinational businesses to regulate intra-group international data transfers but cannot be used for “arm’s length” transactions such as outsourcings (unless, of course, it is an intra-group outsourcing for one of the limited number of businesses that have approved BCRs, or for intra-group transfers between the service provider’s different group companies).
- Bespoke contractual clauses authorised by a supervisory authority (EU/EEA) and/or the ICO (UK) to govern a specific restricted transfer.
- Approved codes of conduct, which are not yet in use.
- Certifications under an approved certification scheme, which are not yet in use.
SCCs remain the “go to” option for most businesses due to businesses’ familiarity with them, their flexibility and the lack of need for regulatory authorisation (unlike the bespoke contractual clauses).
What are the compliance challenges for businesses transferring data from both the EEA and UK across several outsourcings?
The position on the use of SCCs is different under the EU GDPR and the UK GDPR:
- In June 2021 the European Commission formally approved a new, modular set of SCCs which lets the data exporter choose from the following options: (a) controller-to-controller transfers (Module 1); (b) controller-to-processor transfers (Module 2); (c) processor-to-processor transfers (Module 3); and (d) processor-to-controller transfers (Module 4).
- On 11 October 2021, the ICO closed a consultation which set out its proposals for an International Data Transfer Agreement (IDTA) (effectively the UK’s equivalent to the EU’s new SCCs) and also included the possibility of using the new EU SCCs together with a UK Addendum, which would help create a single, streamlined compliance process for data flows that involve restricted transfers from both the EEA and UK. The outcome of the consultation is to be clarified in the upcoming months, but, for current UK GDPR purposes, the pre-Brexit SCCs (that is, the old EU SCCs) should be used (although changes may be made to them so that they make sense in a UK context provided that their legal meaning is not changed, e.g. changing references from EU laws and institutions to their UK equivalents). The new EU SCCs are not valid for UK use even though they offer greater protection due to them being drafted to meet the requirements of the GDPR, unlike the old EU SCCs.
This means that, for now, restricted transfers under the EU GDPR require the new EU SCCs whereas restricted transfers under the UK GDPR require the old EU SCCs until the UK’s post-consultation position is finalised. This creates a number of practical challenges for businesses in the meantime, including the following:
- For an outsourcing involving restricted transfers under both the EU GDPR and the UK GDPR, businesses will need to put in place both sets of SCCs. This presents an interesting challenge for businesses seeking to balance the burden of dual requirements with pragmatic solutions (especially so for sophisticated businesses managing data transfers across a number of outsourcings and also their non-outsourcing third party suppliers).
- A potential quirk of the current regulatory position arises where personal data is both: (a) transferred from the EEA to the UK, or from the UK to the EEA; then (b) subsequently onward-transferred to another third country (the US, for example). Given that this same transfer of personal data would ultimately be treated as both a restricted transfer and an onward transfer under the EU GDPR and UK GDPR (as applicable), it would appear strictly necessary for it to also be governed by both the new and old EU SCCs. Equally, any subsequent onward transfer would require the parallel flow down of contractual obligations by written agreement under both the new and old EU SCCs to ensure continued strict compliance with both the EU GDPR and UK GDPR. The impractical and uncommercial nature of this dual requirement has been raised in several responses to the ICO’s consultation on the mechanisms for international transfers under the UK GDPR, with responses strongly favouring an approach that would allow use of the new EU SCCs together with the proposed UK Addendum in order to limit documentary requirements.
- The new EU SCCs cover processor-to-processor transfers and processor-to-controller transfers, which the old EU SCCs do not. Businesses will therefore need to carefully consider how to address related compliance gaps and monitor developments in this area.
The current discrepancy between the EU GDPR and UK GDPR requirements in relation to SCCs and international data transfers more generally is a significant compliance challenge for businesses, especially for sophisticated businesses managing several of each of the following concurrently:
- Data-heavy outsourcings.
- Other non-outsourcing third party services.
- Data migration projects.
- Wider digital transformation across the business requiring each of the above and more.
Not to mention that international data transfers will for most (if not all) businesses be one of many in-flight key compliance projects. For example, UK banks and insurers will need to ensure that their outsourcings not only comply with the relevant data transfer rules, but also comply with the recent statements issued by the FCA, PRA and BoE on operational resilience, outsourcing and third-party risk management (as well as any corresponding requirements issued by other relevant regulators). Getting the data transfer right is therefore often one complex part of a much larger puzzle.
What do we need to know about the ICO’s IDTA consultation?
The UK GDPR’s legal requirements for international transfers will be uncertain for the foreseeable future (whilst the IDTA remains in the consultation phase), although they are drafted to mirror and accommodate their EU equivalent. The ICO’s consultation covered three topics:
- Proposed updates to international transfers guidance.
- Transfer Risk Assessments (TRA): following Schrems II, risk assessments are a necessary step for international transfers of personal data. TRAs prompt businesses to assess whether an IDTA alone would provide sufficient protection or whether any additional safeguards should be implemented.
- Proposals for a UK IDTA (to cover data transfers from the UK only) and a UK Addendum to be added to the new EU SCCs (to cover data transfers from both the EEA and UK), which, if adopted, would offer a welcome and simplified mechanism for data compliance, and cut down on the burden for businesses. It is likely that the outcome of the ICO consultation and implementation of the UK’s compliance mechanism will not be in place until at least Q2 2022.
What potential options are available for businesses?
It is clear then that the current landscape is becoming increasingly complex, with gaps emerging between the EU and UK regulatory regimes as well as differing timescales. That all poses additional challenges to be addressed when putting in place or renewing international outsourcing arrangements, particularly in the absence of any meaningful guidance on how to deal with the EU/UK grey areas. What is called for then is a clear and informed strategy with appropriate prioritisation and a considered approach for addressing the current gaps, including the potential deployment of drafting options to cover the various permutations for compliance which are expected to arise over the coming months.
Some of the potentially available provisional options for businesses to consider are as follows:
- Strict compliance with the EU GDPR and UK GDPR. For outsourcings involving transfers of personal data from both the EEA and UK to third countries, this would require businesses to use both the new and old EU SCCs, then change tack and repaper once the UK’s position is finalised (e.g. if it adopts the currently proposed UK Addendum).
- Using only the new EU SCCs along the contractual chain for the time being – from our recent experience there appears to be an emerging market trend for cloud service providers to be favouring this option. As part of this option businesses might also produce a detailed internal document explaining the reasons for the decision to adopt only the new EU SCCs and wait for the ICO to publish guidance on how to strictly comply with UK GDPR following the consultation. The reasons why businesses may be reluctant to pursue two parallel sets of SCCs could be based on, amongst other things: (a) the considerable costs of implementing short-term measures whilst the ICO is considering a way forward; and (b) that the compliance gap can be readily addressed once the UK position is clarified. The practice of fully and properly documenting such decisions, and having a clear project plan in place for the timely implementation of the UK solution (once finalised), will all contribute to show to the ICO, if ever needed, intelligent engagement with the GDPR and that the business has ultimately thought about protecting data subjects when transferring their data.
- As part of the above two options businesses could also seek to future-proof contracts with drafting that incorporates the UK IDTA or UK Addendum by reference, potentially avoiding the need to repaper for UK GDPR restricted transfers at a later date.
- Adopt a risk-based hybrid approach, that takes into account the materiality of the outsourcing, the volumes/sensitivity of the personal data, issues identified during the due diligence and ongoing management of the service provider (e.g. previous personal data breaches suffered), rights and remedies available under the outsourcing agreement, priority third countries requiring strict compliance, etc.
Crucially, recent enforcement actions by EU supervisory authorities and the ICO have emphasised that contractual protection alone will in most cases be insufficient. The legal minimum standard for adequate safeguards includes technical and organisational measures to be put in place when handling personal data. In practice: (a) contractual protection can be pursued via the adoption of the SCCs; (b) specific technical security measures might include encryption and hashing of personal data, as well as current awareness of emerging threats to cybersecurity; and (c) organisational measures can include appropriate governance, policies, procedures and processes to be put in place to assess and monitor security threats to personal data (possibly including the testing of security systems through “motivated intruder” attacks).
Which option should we choose?
Which options are appropriate will ultimately depend on a detailed analysis of the transfers in question and the risk appetite of the business involved. That said, a pragmatic approach does seem possible, provided that careful consideration is given to the issues and appropriate documentation of decisions made is put in place, should things end up under the microscope in the future.
This article was first published in the Outsourcing Focus issue, December 2021.
Howard Duckworth. Howard is Managing Associate at Womble Bond Dickinson (UK) LLP. He is a technology lawyer who advises on outsourcings, fintech and technology transactions as well as data protection, privacy and cyber security. His work is often in the context of business critical projects and digital transformations. A focus of Howard's practice is the financial services sector.
Supuni Perera. Supuni is a trainee solicitor in our technology and data teams whose current experience includes international data transfers and general data protection and compliance.