What are international data transfers?
Advancing technology has enabled many businesses to operate internationally either by expanding their global footprint to buy and sell products or services overseas, or by utilising suppliers in other jurisdictions in order to remain competitive within their industry. Whenever a UK based organisation sends personal data outside of the UK it will be engaging in an "international data transfer" by "exporting" personal data to another jurisdiction. If you’re buying or selling abroad, monitoring the behaviour of individuals in other territories or engaging suppliers internationally, you are likely to be processing, and transferring personal data outside of the UK. Organisations should be particularly mindful of Software-as-a-Service (SaaS) providers whose 'cloud based' products often store personal data on servers outside the UK. Without consideration, utilising such providers may result in businesses falling foul of data protection law by inadvertently exporting personal data and not having the appropriate safeguards in place.
The UK adequacy decisions adopted by the European Commission have therefore been welcomed by businesses transferring such data between the UK and Europe post-Brexit, enabling the continued flow of data without the need for any additional safeguards (such as SCCs - see below). Despite this, there are still data protection considerations for UK organisations offering goods and services to individuals in the EU such as whether they need to appoint an EU Representative. Now, 8 months after the end of the transition period, we have seen EU regulators impose fines for failure to comply with this obligation and so businesses must ensure they act quickly if they have not yet implemented measures to comply with the requirements.
SCCs & IDTA
UK businesses should also be considering their options for transferring data outside of the UK in the absence of an applicable adequacy decision. At present, businesses looking to export personal data from the UK will need to continue to rely on the old EU Standard Contractual Clauses ("SCCs") rather than utilise the new EU SCCs - which facilitate data transfers from the EEA to countries outside of it (so called "third countries"). However, the ICO has recently published a consultation which seeks responses to its draft International Data Transfer Agreement (or "IDTA") which it intends will replace the old EU SCCs.
Of particular interest for businesses with complex processing chains which export data from the UK and the EEA, the ICO has also published an IDTA 'addendum' which it proposes, as an alternative to the IDTA, could be attached to the new EU SCCs to make them work in the context of UK data transfers. This addendum could significantly reduce the complexity for organisations which would otherwise have to deploy two entirely separate transfer tools for UK and EEA data exports. Businesses should keep an eye out for further developments; the ICO consultation ends 7th October 2021.
Transfer Risk Assessments
In addition to the developments following Brexit, those businesses exporting data from an EU country to countries further afield should give due consideration to the European Data Protection Board’s final recommendations relating to the supplementary measures required for the transfer of personal data outside of the EEA which were published in June. These are the measures that businesses are expected to take from a compliance perspective to navigate the tougher requirements on international transfers of personal data from Europe when relying on SCCs (or other applicable transfer tools) following the Schrems II case last summer. From a UK perspective, as part of its consultation the ICO has published a draft Transfer Risk Assessment tool (or "TRA") with accompanying guidance to assist organisations with the complex task of assessing the suitability of using the IDTA (or an alternative data transfer tool) for a particular transfer and whether extra steps and protections will be required to comply with the UK GDPR. The ICO does not intend to make use of the TRA tool mandatory, however, the draft guidance provides further insight into the assessments which businesses should be undertaking, and the protections they should be putting in place when exporting data from the UK.
As a starting point all organisations should be analysing and mapping their data transfers to understand where they are sending personal data. If you would like advice on your data protection compliance, our data protection team can offer practical support and advice.
Contact our Data Protection Team for more information.