Response to ICO call for views on international data transfers guidance

Hogan Lovells

We welcome and are grateful for the opportunity to contribute to this call for views on the Information Commissioner's Office (ICO) international data transfers guidance and, more generally, on the most beneficial regulatory approach to this critical issue for the United Kingdom.

This response is based on our experience gained over many years of advising global organisations and companies on the mechanisms to legitimise international transfers of personal data. Our position is underpinned by the principle that the objective of the current legal framework is to ensure that personal data subject to the protection of that framework continues to be suitably protected irrespective of the location in the world from which such data is accessed and used.

With this in mind, our contribution focuses on encouraging the ICO to recognise the unquestionable need for personal data to flow across borders for the world to function, and to apply its sound legal judgment, creativity and regulatory pragmatism to facilitate the adoption of suitable and realistic formulas to legitimise international data transfers.

In this response, we refer to a number of specific situations we have encountered where this approach is especially important, and where the ICO's guidance will be of great assistance to enable data transfers in a lawful and safe manner.

A streamlined approach to transfer risk assessments

As set out in the ICO's guide to data transfers, where organisations rely on one of the “appropriate safeguards” listed in Article 46 of the UK GDPR as a transfer mechanism, they must undertake a transfer risk assessment (TRA). This is in response to the decision by the Court of Justice of the European Union (CJEU) in the Schrems II case,1 where the CJEU established the need to assess the level of protection afforded by the relevant transfer mechanism in any given case.

Accordingly, undertaking a TRA enables organisations to determine that, in the circumstances of their restricted transfer, the transfer mechanism deployed provides appropriate safeguards, and effective and enforceable rights for data subjects. The ICO has helpfully issued detailed guidance on how to carry out TRAs and provided a sophisticated “TRA Tool” that relies on a series of questions and checklists to enable organisations to carry out a TRA.

However, the current TRA Tool is 41 pages long and in practice, requires substantial resources and effort to follow the complex process it sets out. Therefore, we encourage the ICO to adopt and promote a more streamlined approach to TRAs. Our own experience in this regard shows that it is possible to undertake a simpler but effective TRA that focuses on (a) the nature of the data, (b) the likelihood of a foreign government accessing that data, and (c) the practical measures in place. In our view, a TRA is much more likely to be performed if organisations consider the effect of these three factors and document this in a simpler and more accessible way.

A sensible approach towards countries seen as very high-risk

While historically much of the regulatory action in this area has focused on data transfers to the United States, and the decisions by the CJEU have dealt with the specific circumstances affecting data flows between Europe and the US, in recent times, attention has shifted to other jurisdictions, most notably China. The evolution of concerns regarding the protection of personal data across borders reflects an increased focus on national security and government access to data. This has been evident in the debates surrounding the original EU-US Safe Harbor, the Privacy Shield, and more recently the Data Privacy Framework, but also in the policies of countries that have not previously restricted data flows, such as the US, towards jurisdictions regarded as geopolitical adversaries.

This shift has become more evident following a recent enforcement action by the Irish Data Protection Commission, in which the crucial aspect of the decision was that a country like China was perceived as so insecure for European data that no combination of legal, organisational and technical measures could be sufficient to safeguard personal data accessible from there. The risk of this stance is that it could spiral into a blanket doctrine of “no transfers” to certain jurisdictions, which is incompatible with today's inherently interconnected world.

It is therefore imperative that the ICO adopts a more tolerant and sensible approach that recognises the potential or theoretical risks to data protection, but also acknowledges that such risks can be effectively managed and mitigated in practice, particularly when the nature of the data is not sensitive and the measures in place are reasonable. This should be taken into account in the ICO's forthcoming guidance and its broader regulatory policy.

Low-risk situations by default

In order to provide even greater certainty in this challenging area, it should also be possible to identify specific situations that are likely to present a much lower level of risk. This is something the ICO has already done in the past and could articulate further in its guidance going forward. By identifying individual scenarios that inherently present a low or negligible level of risk – whether due to the innocuous nature of the data, its lack of relevance from a government access perspective, or the tight level of control maintained by the data exporter over the importer – the ICO could simplify the TRA exercise or, in some cases, eliminate the need for it altogether.

There is a recent precedent for this approach in the new Data (Use and Access) Act passed by the UK Parliament, where certain data processing activities are automatically eligible for reliance on legitimate interest without requiring a legitimate interests assessment. While the Government may choose to follow this idea and apply it to international data transfers in the future, it should also be possible for the ICO to provide examples that clearly fall within this low-risk category.

Transfers to importers who are subject to the UK GDPR

There is a data transfer scenario that presents a significantly lower legal risk: where the importer is directly subject to the same data protection requirements as the exporter under the UK GDPR. The extraterritorial effect of the UK GDPR means that a controller or processor in another jurisdiction may be directly subject to UK data protection law. When such a controller or processor based overseas receives data originating from the UK, it will be legally required to apply the UK GDPR's standards of data protection to the imported data, irrespective of any additional safeguards that may be imposed by the exporter.

This means that, at least in part, the objective pursued by the legal restrictions on international data transfers – namely, to prevent the loss of data protection when data flows across borders – will already have been met. In other words, by virtue of the UK GDPR's application to the importer's processing of personal data, the protections intended to be deployed via appropriate safeguards are already present, and the importer is accountable for its data processing activities. This scenario should be properly recognised in the ICO's guidance and be afforded the necessary regulatory flexibility.

Conclusion

Before concluding, we wish to acknowledge the ICO's ongoing efforts in this area to ensure that data continues to be protected wherever it is in the world in a pragmatic and sensible way. The ICO's constructive attitude towards organisations that are already making visible efforts to export European standards of data protection globally – particularly through the adoption and implementation of Binding Corporate Rules – is both extremely helpful and reassuring.

The next iteration of the ICO's data transfers guidance presents a very valuable opportunity to continue applying this mindset and to serve as an inspiration for regulators elsewhere. We hope that the suggestions made in this response prove useful in helping the ICO continue to provide valuable guidance and legal certainty to those engaged in international transfers of personal data.

1/ Judgment of the Court (Grand Chamber) of 16 July 2020 in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Hogan Lovells