ICO data transfers guide clarifies data exporter role in sub-processing

According to Kathryn Wynn of Pinsent Masons, a data protection law specialist, the restructuring could be prompted by clarifications the Information Commissioner’s Office (ICO) has provided about which party in a data processing agreement is considered the ‘data exporter’ and, therefore, the party with the statutory obligation to comply with the international data transfer rules.

The international transfer of personal data is an essential and everyday occurrence in an increasingly global and digital business market. However, UK data protection law, like EU data protection law, places significant conditions on the transfer of personal data outside of the UK and the EEA. Those rules are designed to ensure that, where international transfers of personal data happen, the data exported is governed by a data protection regime that is essentially equivalent to that which applies domestically. Where it isn’t, the rules require that “appropriate safeguards” – whether technical, organisational or contractual – are in place, and that enforceable data subject rights and effective legal remedies for data subjects are available.

Policymakers and data protection authorities have developed a number of legal tools to help businesses determine that such appropriate safeguards are in place. These mechanisms include standard contractual clauses, binding corporate rules and so-called adequacy decisions, such as the one issued by the European Commission in respect of the UK.

Before the General Data Protection Regulation (GDPR) took effect in 2018, the responsibility for ensuring compliance with the requirements around international transfers of personal data was clearly de-marked – only a controller could be the data exporter responsible for compliance because it was only the controller that could be subject to the international transfers of personal data rules under the pre-GDPR legislation.

Since the GDPR took effect, however, the position has become more muddied. This is because processors now have statutory obligations in respect of international transfers of personal data in addition to controllers.

“The ICO’s data transfers guide is clear: it is only the controller or processor that initiates and agrees to the transfer that is responsible for compliance,” Wynn said. “The position is straightforward where controllers engage a processor and the processor undertakes the processing in a ‘non-adequate’ jurisdiction outside of the UK – in this scenario, the controller initiates the transfer and is responsible for compliance. However, the position is more complex where processors engaged by controllers themselves engage sub-processors to carry out the data processing activities in a non-adequate jurisdiction outside of the UK.”

“Often the contractual chain does not align with the actual physical data flows that take place, and this has led to confusion – and inconsistencies in market practice – in relation to who the data exporter in these arrangements is. Guidance issued earlier this year by the European Commission did not fully clarify the matter in respect of the EU GDPR,” she said.

Now, however, the ICO has clarified that processors will be data exporters in respect of sub-processing under the UK GDPR where that processor has initiated the data export, regardless of the physical data flow.

In its guidance, the ICO said: “If you are a processor making a restricted transfer to a sub-processor located outside of the UK, you must comply with the transfer rules. You will have initiated and agreed to send the data to your sub-processor, often in the sub-processor agreement. The controller may have other obligations under UK GDPR about that data flow, but it is not responsible for complying with the transfer rules.”

Wynn said: “For processors, the ICO’s guidance gives them an opportunity to take direct control over the compliance arrangements for sub-processing but they are no longer able to rely on the controller in this regard, and so it does also increase their potential liabilities. Some processors, particularly those used to operating contracts under framework agreements, may look at whether they can structure their product and service offerings in such a way that causes controllers to be the party that is deemed to initiate the international data transfers to sub-processors in response to the ICO’s clarification.”

Also included within the ICO’s guidance is particular guidance in relation to transfer risk assessments – these are exercises businesses are expected to undertake before proceeding with data transfers so that risks are identified properly and mitigated where possible.

Rosie Nance of Pinsent Masons said the ICO had advocated a risk-based approach to carrying out such assessments. This, she said, is in line with the approach set out in the Data Protection and Digital Information Bill – the legislation earmarked for updating the UK’s data protection law framework – as introduced to the UK parliament. It will be welcomed by many UK-based businesses grappling with the strict transfer risk assessment requirements introduced by the so-called Schrems II ruling of the Court of Justice of the EU.

“The TRA tool invites exporters to consider what is a reasonable and proportionate level of investigation,” Nance said. “This is different philosophy to the one we see in the European Data Protection Board recommendations and from regulators in the EU – the Austrian supervisory authority, for example, has said that the Chapter V rules on data transfers under the EU GDPR do not allow for a risk-based approach.”

“The European Commission will take this guidance into account when it reviews the UK’s adequacy decision, to weigh up the protections EU GDPR personal data will receive for onward transfers, but it seems likely this will not, on its own, jeopardise UK adequacy. The approach to international transfers the UK is moving towards is still closer to the EU approach than many jurisdictions that have EU adequacy status,” she said.

The ICO’s new guidance on data transfers and transfer risk assessments can play into looming compliance deadlines businesses operating in both the EU and UK face in respect of their use of standard contractual clauses (SCCs), said data protection law expert Jonathan Kirsop of Pinsent Masons.

From 27 December 2022, organisations will no longer be able to rely on legacy versions of EU standard contractual clauses (SCCs) – the 2001 or 2004 controller-to-controller clauses and the 2010 controller-to-processor clauses – for transferring personal data outside of the European Economic Area (EEA).