The UK Information Commissioner’s Office (ICO) has released a consultation paper on the regulatory regime governing international data transfers in and out of the United Kingdom (UK) under the UK GDPR (the UK law which implements the GDPR after Brexit).
Given that the UK has also left the EU, this paper signals that UK is willing to establish a data protection regime that, though still inspired by the GDPR, can take a different approach in some aspects. Accordingly, this paper presents a key opportunity to indicate reforms and desired outcomes from rules on transfer mechanisms, contractual clauses and risk assessments that would govern how data moves in and out of the UK, including to and from Indian processors and controllers.
Comments from Indian companies are likely to be valuable to the ICO, considering that it shall operationalise any future partnership / arrangements between the Governments of UK and India on cross-border data transfers. For context, the UK has listed India as a priority country to strike a data adequacy partnership with.
The consultation paper discusses the following:
- Proposals and plans for updates to guidance on data transfers, including on the interpretation of relevant sections of the UK GDPR such as those on territorial applicability and on restrictions on data transfers
- A transfer risk assessment tool for the purposes of carrying out risk assessments of routine international data transfers
- A ICO model international data transfer agreement which is intended to be the equivalent of the Standard Contractual Clauses of the European Commission (SCCs) but for the UK territory (since, post Brexit, the SCCs do not apply to the UK).
The consultation paper presents multiple policy options and raises questions under each of the above. The paper contains specific fields for persons responding to choose between options and fill in their responses. The ICO is also generally seeking views on any relevant concerns that stakeholders may have on privacy rights or on legal, economic or policy considerations of its proposed approaches. The deadline for responding to the consultation paper is October 7th, 2021.
Request for inputs
We request members to send their choices on policy options presented, and responses to questions raised, in the consultation paper by the ICO by October 4th, 2021 to Varun@nasscom.in and cc to Apurva@nasscom.in by filling out the consultation paper provided by the ICO. We also request members to also forward the consultation paper and other documents to their legal teams and data protection officers for their inputs. We would also like to have any general feedback/comments beyond the questions listed. A copy of the consultation paper and other consultation documents are available here.