ORG submission to the Information Commissioner’s Office – International Transfers Under the UK GDPR

Open Rights Group (ORG) is a UK-based digital campaigning organisation working to protect fundamental rights to privacy and free speech online. With over 20,000 active supporters, we are a grassroots organisation with local groups across the UK.

This is our answer to the Information Commissioner’s Office consultation regarding the proposed International Data Transfers Agreement (IDTA), Addendum to the EU Standard Contractual Clauses (SCC), and the International Transfers Risk Assessment Tool.

As a first, overarching consideration, we stress the importance of retaining consistency between these tools and the European Commission SCC as well as the EDPB “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”. We believe the ICO should have provided a comparison between the instruments they seek to implement and the relevant EU counterparts, as well as an explanatory note outlining the reasoning behind changes or peculiarities in the proposed documents. In the absence of such comparison, respondents to the consultation are likely to have a lower understanding of the ICO proposals, thus reducing their ability to provide meaningful feedback.

Notwithstanding these limitations, ORG recommend that:

  • The adequacy of IDTAs and SCCs in providing suitable safeguards to the rights of data subjects is assessed against specific countries. For instance, organisations could be given a list of countries where no measure to supplement the contractual safeguards is needed.
  • The ICO consider issuing specific guidance on implementing supplementary measures for international data transfers in those countries where IDTAs and SCCs would not suffice. Mindful of the extent of this task, the ICO could prioritise countries and areas of interest.
  • The proposed International Transfers Risk Assessment Tool is amended
    • to reflect the fact that IDTAs and SCCs will not be sufficient to provide adequate protection for international data transfers to the United States, in line with the EDPB recommendation 01/2020;
    • to provide further clarity about how encryption-key management should be developed and implemented by organisations to ensure the rights and freedom of data subjects.

The following considerations underpin these recommendations:

  • The main objective of an international data transfer regime should be to ensure an equivalent level of protection to the rights and freedom of individuals whose data is undergoing processing. This principle must not be derogated, regardless of the practical difficulties that may result from international data transfers mechanisms. Nevertheless, it should be recognised that carrying out a “transfer risk assessment” is an exceptionally complicated task for organisations.
  • While the ICO risk assessment tool will surely be helpful, we should be mindful that organisations need exceptional support in assessing the impact of third-countries national law on the rights and freedoms of the data subjects. This could be achieved by providing a clear assessment of whether the contractual safeguards enshrined in SCCs or IDTAs do provide sufficient protection in those countries whose legal regime has not been recognised as Adequate. In practical terms, this could take the form of a whitelist of countries that are not adequate within the meaning of Article 45 of the UK GDPR, but where adopting SCCs or IDTAs would be sufficient to provide adequate protection to the data subjects’ rights.
  • Ideally, more detailed and targeted guidance could be issued for those countries where SCCs or IDTAs would not suffice. This would clarify how additional measures would, in different settings, complement contractual safeguards to ensure an adequate level of protection for the data subjects. Mindful that covering the whole range of possibilities would be unrealistic, this guidance could be limited to those settings that are more likely to arise (for instance, cloud computing or fintech service providers). The International Data Transfer Risk Assessment Tool would then constitute a complimentary tool for those settings and countries that have not been addressed with specific guidance.
  • Concerning the proposed International Data Transfer Risk Assessment Tool, a brief comparison with the EDPB “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” reveals how the ICO proposal is much less specific in at least two areas.
    • Contrary to the ICO proposed risk assessment tool, the EDPB guidance addresses the issues arising in data transfers to the US, particularly when relying on cloud and other service providers subject to Section 702 of FISA. Even in the presence of contractual safeguards, the US regime’s inadequate protection is undisputed, and reliance on US services undoubtedly constitutes the most common instance where UK controllers will be called to identify supplemental measures.
    • The EDPB guidance expressly addresses the issue of encryption-key management, and how contractual safeguards may not adequately protect these keys from foreign law enforcement agencies. The ICO proposed risk assessment tool, instead, only mentions the implementation of “suitable key management procedures”, without providing any useful indication on how to assess relevant threats and safeguards in this area.
  • International data transfers to the US are likely to constitute the most frequent scenario in which organisations are called to implement additional safeguards to supplement SCCs or IDTAs. Encryption of data in transit and at rest are likely to be the most effective measures to implement to address the issues arising from international data transfers. Therefore, we believe these issues should already be developed and addressed in the proposed International Transfers Risk assessment tool.

ORG remains available to answer any question regarding this submission.