The Future of Data Protection and International Data Transfers

Last week saw the closing date of the ICO’s consultation on international data transfers (the date of closure was 11 October 2021).

Over a period of 6 weeks running up to the submission date, a team of 16 data protection lawyers from private practice and in-house disciplines worked tirelessly to produce a detailed response for the ICO. 

The team working on this consultation was made up of a diverse mix of lawyers from different businesses, backgrounds and sectors, each with bright ideas and unique points of view on this important topic. We loved wrestling with the complex issues that this consultation created. We debated and disagreed as a group. We studied the text of the law and guidance in detail. We took time to listen to the views of practitioners and experts from various fields. As a team we worked tirelessly to really capture the importance of this topic to us and our passion for it. We were forging friendships and ideas at the same time, often over late-night emails and calls. Above everything else, as a team we had a united ambition to ensure that the future of international data transfers was one that we were helping to form and one in which our voices were heard. To every team member – well done. I am proud of you.

Here is a very brief summary of the EMW consultation findings:

Section 1: Proposals and plans for the ICO to update its guidance on international transfers

  • We directed the ICO to interpret Articles 3(1) and 3(2) UK GDPR on a case by case basis. We were sympathetic to the idea that it should always bind a processor, but ultimately a concrete rule is not likely to result in better compliance or greater protection for data subjects. Whether a joint controller is covered by Article 3(1) will always depend on the circumstances.
  • We support the view that for a restricted transfer to take place, there must be a transfer from one legal entity to another. However, we think the ICO should introduce additional safeguards where data is transferred out of the UK but still within the same legal entity.
  • A restricted transfer takes place whenever the exporter is subject to UK GDPR (and may be located in the UK or overseas) and the importer is located outside of the UK. The current guidance may be convoluted and open to interpretation, which should be avoided.
  • Data exporters should not have to first put an appropriate Article 46 safeguard in place before relying on an Article 49 derogation. Forcing them to do that makes no sense at all, and doesn’t fit with the language or purpose of Article 49.

Section 2: Transfer Risk Assessment and Tool

  • Generally the draft TRA tool is practical and useful. The guidance and supporting documents are clearly drafted and the decision tree is easy to use.
  • It is simply not realistic, however, to expect all businesses to be able to effectively complete a TRA, and in practice many won’t. The guidance must be easier to follow.
  • We call on the ICO to create an online, user-friendly tool to provide a synopsis and risk assessment of each third country that a controller/processor can use to make a decision about the risk involved.

Section 3: ICO draft International Data Transfer Agreement (IDTA)

  • The IDTA provides effective safeguards for data subject rights.
  • We view the IDTA as satisfactory for private practice lawyers, and large companies with in-house counsel. However, it would mean increased cost and complexity for smaller organisations. The ICO needs to clarify how the IDTA will function with the EU SCCs via the addendum. We think quite a lot of businesses with pan-EU operations will prefer the EU SCCs to the IDTA.
  • A modular, selective approach is worth consideration but we recognise it can cause inconsistency.
  • The suggested formal multi-party IDTA would be useful to standardise the approach where more than two parties enter an IDTA. The ability to nominate a lead party would be a practical addition.

The team was led by Matthew Holman, Head of Technology & Data Protection at EMW.

The consultation response team at EMW included:

Matthew Holman, EMW (Principal), Aiden Dunning, EMW (Principal), Alex Press, Domino’s Pizza (Solicitor & Senior Legal Counsel), Lauren Turner, Domino’s Pizza (Trainee Solicitor), Anita Kingsman (Solicitor), Talisa Gill (Solicitor), Jamie Delaney, Cognita (Solicitor & Legal Counsel), Batuhan Bikim, EMW (Trainee Solicitor), Sophie Gladwell, EMW (Solicitor), Meer Gala-Shah, EMW (Trainee Solicitor), Olivia Malek, EMW (Trainee Solicitor), Stefan Dingelstad, EMW (Trainee Solicitor).