The ICO’s proposals for international transfers seem closer to the actual findings of the Schrems II case than the EDPB’s effective demand that processing of non-pseudonymised data be kept within Europe. However, as a risk-based scheme, it will require more work from both exporters and importers to demonstrate that transferring doesn’t create significantly greater risk to individuals.
The ICO’s scheme has two components:
- an International Data Transfer Agreement (IDTA), which is a contract between an exporter and an importer (playing the same role as the current Standard Contractual Clauses), and
- an International Transfer Risk Assessment (ITRA), which exporters should use to determine whether the IDTA is an appropriate mechanism for a particular transfer.
The ITRA is the new feature, responding to the Schrems II requirement that exporters consider whether any contract can provide sufficient protection for individuals whose data are exported. Whereas the EDPB focused on the powers and actions of law enforcement and security services and whether those “go beyond what is necessary and proportionate in a democratic society”, the ICO takes a broader view.
Its first stage is to consider whether the contract itself is likely to be enforceable: does the receiving jurisdiction recognise international agreements, including those that confer benefits on persons other than the contracting parties (here, data subjects)? If not, are there factors about the specific transfer – for example the behaviour of the importer or the nature of the data being transferred – that make it unlikely that the lack of enforceability will actually create a significant risk to data subjects? If there are not, and judicial enforcement against the importer is likely to be needed to protect data subjects, are there ways to change the nature of the transfer (for example making the data pseudonymous) to reduce the risk to an acceptable level?
The second stage is to look at third-party access (including under surveillance laws) using a similar series of tests: is the regulation of such access sufficiently similar to the UK that the transfer does not create significant additional risks? If not, how likely is it that third-party access to the transferred data will occur? If more than minimal, what risk to data subjects does such access present? If more than low, are there additional steps and protections the exporter can apply?
So long as both stages conclude that the additional risk created by transferring from the UK to the overseas jurisdiction is low, the transfer can take place under an IDTA.
For each question, the proposed guidance provides tables of factors that would create, increase or decrease risk. These seem to have been chosen with specific applications in mind: for example, employee data is separated into basic low-risk data such as name, job title and contact details; medium-risk non-sensitive records such as CV and payroll history; and high-risk banking details and special category data. This is much more helpful (and realistic) than the EDPB’s bald statement that there are no circumstances in which “transfer to cloud service providers … which require access to data in the clear” or “remote access to data for business purposes” can be adequately protected. However, it does still leave a potentially complex assessment for general-purpose cloud services. It’s possible that these will be addressed in the Example blocks (which are blank in the current draft); if not, then at least using an ITRA to explore and document the risks will show that the exporter has done its best to identify them and to mitigate any increase caused by the transfer.
The ICO’s consultation is open until October 7th.