International data transfers: the race to comply with new rules
Mark Brown, Global Managing Director, Digital Trust, Consulting Services at BSI discusses how the new IDTA replaces a set of old rules previously put in place by the EU but UK data exporters are only bound to use the new Agreement from 21st September 2022. The challenge is that while the new IDTA was set to settle questions over international data transfers for the foreseeable future, the announcement of a Data Reform Bill to replace the GDPR brings new uncertainty into the fray.
Out with the old, and in with the new! On 2nd February, the UK International Data Transfer Agreement (IDTA) and accompanying documents were announced by the Information Commissioner’s Office and laid before Parliament. And on the 10th of May, a couple of weeks ahead of the fourth anniversary of the GDPR, new reforms to the UK’s data protection regime were announced as part of the key government priorities in the Queen’s Speech.
Both mark significant developments. The new IDTA replaces a set of old rules previously put in place by the EU but UK data exporters are only bound to use the new Agreement from 21st September 2022. The challenge is that while the new IDTA was set to settle questions over international data transfers for the foreseeable future, the announcement of a Data Reform Bill to replace the GDPR brings new uncertainty into the fray.
Catching up with Brexit
Cross-border data flows are integral to international commerce, and existing legislation has sought to reflect this. So, when the landscape of international commerce changes, as it did with Brexit, the rules governing the transfer of data must change too.
The GDPR, which came into effect four years ago, permits personal data to be transferred to countries outside the EU and the European Economic Area (so-called “third countries”) only where an adequate level of protection is in place, so that the rights and freedoms of data subjects are not undermined by the transfer.
One of the mechanisms that provides these safeguards is the European Commission’s updated set of “Standard Contractual Clauses” (SCCs), which facilitate the transfer of data from the EU to third countries whilst protecting the data subjects. But the UK’s exit from the EU means that the EU’s SCCs can no longer be relied on, on their own, by UK data exporters.
For a while, the UK was forced to use legacy-form SCCs that were applicable when the UK was a part of the EU. The new IDTA acts as a solution to this, providing appropriate mechanisms for data transfer and enables transfers from the UK in compliance with the UK’s specific data protection regime. The UK has also provided a useful Addendum to enable organizations that have already implemented the EU’s new-form SCCs to avoid having to repaper those agreements.
But with the Data Reform Bill reforms on the horizon promising to reduce compliance overheads and burdens on businesses, the government must be careful not to weaken standards of data protection in the UK. If improperly carried out, these reforms could weaken digital trust and paradoxically increase risks and costs for businesses. If the UK is perceived to be compromising on data protection, the EU will face strong pressure to revisit its adequacy decision for the UK.
This is a particular concern given that the Court of Justice of the European Union (CJEU) has already struck down adequacy decisions covering the US twice – Safe Harbour (Schrems I) and Privacy Shield (Schrems II).
The data protection community adapts
BSI recently conducted a poll of our online communities, asking which mechanism for international data transfers their organizations would be using up to the 21st September 2022 deadline and/or going forward.
The survey revealed a close tie between those seeking to use the new UK IDTA and those using the new EU SCCs with the UK Addendum, with 39% of respondents opting for the former and 41% for the latter, indicating a great deal of proactivity. Only a comparatively small minority of 16% are opting to use the old EU SCCs until 21st September. With businesses, therefore, having largely done the work to adapt themselves to the new rules concerning data transfers, many within the industry will no doubt wish to avoid further changes to the regulatory landscape that could be triggered by the Data Reform Bill.
International data transfers going forward
Transfers of personal data to jurisdictions outside the UK are known as “restricted transfers” and, unless the destination is covered by UK adequacy regulations, require an additional, enabling mechanism to comply with the UK GDPR. Each transfer must be assessed on a case-by-case basis. Therefore, organizations need to map all data flows, identify any transfers outside the UK, and select the appropriate mechanism to enable each restricted transfer.
Privacy teams need to remain mindful of factors such as the volume of contracts and the amount of repapering involved. Choosing the wrong mechanism, or one without the appropriate safeguards, is costly: agreements may have to be repapered, and the exporter is exposed to data and compliance risks in the meantime. What’s more, with new UK legislation on the table, businesses that operate within both the UK and the EU will in due course need to abide by two separate legislative regimes – the EU GDPR and the UK Data Reform Bill rules – potentially resulting in a duplication of effort around paperwork, contracts, and regulatory engagement.
For data protection professionals struggling to implement any new regulations, the simplest solutions are often the best. In that vein, the safest approach, so that risks are minimised as much as possible, could look something like the below:
Map your data flows
Identify any international data transfers
Identify any restricted transfers
Identify appropriate mechanisms to enable those restricted transfers
Where a mechanism is not suitable, identify an alternative.
Even though the new IDTA is well-drafted with the intent of protecting personal data, one wonders how much it will be used in the future. The UK has previously announced its intention to explore adequacy agreements for “priority jurisdictions” such as Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya, the Republic of Korea, Singapore, and the U.S. Novel though the IDTA is, it may end up reserved purely for data transfers to countries with which the UK government cannot reach an adequacy agreement, and play second fiddle to the EU SCCs as the established and globally recognized leading mechanism for enabling international data transfers.
Ultimately, data protection professionals should, where necessary, be proactive about incorporating the latest recommendations and requirements of the IDTA – using the time until the autumn of 2022 to ensure they can maintain digital trust in their international data transfers for the long run. At the same time, they should closely monitor the Data Reform Bill’s path through Parliament. One thing is certain, however: this is unlikely to be the end of the story for international data transfers.