Out-Law News
20 Jan 2026, 4:00 pm
Updated guidance issued by the UK Information Commissioner’s Office (ICO) on international transfers of personal data provides welcome clarity on the steps that organisations must take to determine whether they are making a “restricted transfer” of personal data to countries outside the UK, according to data protection law experts.
However, Malcolm Dowden and Jonathan Kirsop of Pinsent Masons said the guidance also highlights a significant point of difference in interpretation of the law between the ICO and data protection authorities in the EU. Specifically, the ICO has confirmed that restrictions contained in UK data protection law around the transfer of personal data outside of the UK do not apply where a UK-based data processor is transferring the data to a controller located outside of the UK.
The position that the ICO has articulated reflects a view the ICO has held for a number of years, according to Dowden and Kirsop, but they said the compliance position is complicated by views taken by EU regulators.
Both the UK and EU GDPR place strict conditions on the transfer of personal data outside of the jurisdiction – an activity that is an everyday occurrence for global businesses. The restrictions, contained in Chapter V of the respective regulations, are designed to ensure that personal data that benefits from the protections under the GDPR continues to benefit from an equivalent standard of protection even if it is transferred outside the EU or UK.
Chapter V sets out several different options controllers or processors can take advantage of to ensure an equivalent standard of protection applies to data being transferred. These include adequacy decisions; standard contractual clauses and other “appropriate safeguards”; binding corporate rules; and derogations for specific situations.
Dowden said: “The ICO has for a few years taken the view that a transfer by a UK-based processor to its overseas controller is never a restricted transfer for the purposes of Chapter V of UK GDPR. In practical terms, that means that the transfer can be made without having to ensure that there is an adequacy decision in place or that ‘appropriate safeguards’ such as standard contract clauses are used. This view has now been strengthened through its inclusion in the ICO’s updated guidance on international transfers.”
The ICO said that UK processors transferring personal data to a controller located outside the UK will “never” be considered to be making a restricted transfer where they are “only handling the personal information as a processor under the instructions of [their] controller; and transferring the personal information to the same controller that instructed [them] to do the processing”.
“This is because in this situation your controller is initiating the transfer, i.e. your controller instructs you to transfer the information to it,” the ICO said. “It’s also not a restricted transfer by your controller as the information is flowing to the controller itself, and not to a separate organisation.”
The ICO said that “the same principle applies when a sub-processor located in the UK transfers information to its processor located outside the UK”.
However, the ICO said that for processors processing personal data governed by the EU GDPR and following European Data Protection Board (EDPB) guidance, “the position is different” – equivalent data transfers would, it said, be considered to be subject to the EU GDPR’s restrictions.
Dowden said: “EDPB guidance confirms that a transfer from an EU processor to its overseas controller is a transfer falling within Chapter V of EU GDPR. It therefore requires either an adequacy decision or appropriate safeguards, such as standard contractual clauses.”
Kirsop said: “The ICO position by contrast is more logical – and practical – and it does seem counterintuitive for the EDPB to require that additional conditions must be satisfied for a processor to return or otherwise provide personal data to an overseas controller when that data may have originated from the controller in the first place and in any event is subject to its overall control.”
Notwithstanding this less stringent interpretation, Dowden said UK-based processors must still factor data security obligations into data transfer arrangements to overseas controllers, even where they are not in scope of Chapter V restrictions.
“Although the UK processor would not need to look for an adequacy decision or to put in place standard contract clauses, it must still consider whether transferring personal data to its overseas controller would pose a threat to security,” Dowden said. “Relevant factors might include laws in the receiving country permitting government bulk digital surveillance. Consequently, even though Chapter V of UK GDPR is not engaged, UK processors must still consider the risks inherent in international transfers of personal data.”
With its refreshed guidance, the ICO has outlined a revised three-step process that organisations should go through when considering whether they will be making a “restricted transfer” of personal data. The process is presented as best practice rather than as a legal requirement, but Dowden and Kirsop said that following and documenting it would provide strong evidence of compliance with UK GDPR in the event of complaints by data subjects or investigation by the ICO.
The three-step process involves asking: whether the UK GDPR applies to the organisation’s processing of the data to be transferred; whether it is initiating the transfer to an organisation located outside of the UK; and whether the organisation to which the personal information is being transferred is a separate legal entity from the sender.
The ICO’s updated guidance also reminds organisations that a transfer of personal data occurs not only when it is physically sent overseas, but also when it is made available, for example by means of remote access.