The UK's International Data Transfer Agreement: is this the ICO's worst document yet?
If you've been involved in transfers of personal data to third countries under the GDPR, you'll probably be familiar with the long-standing standard contract clauses.
And you may be familiar with the European Commission's new standard contract clauses (which are not recognised for use for transfers from the UK, although I've seen some commentary saying that you should use them anyway and argue about it later).
Well, as of 22nd March, there's due to be a new kid on the block, the UK's International Data Transfer Agreement.
This is a new agreement, prepared by the UK's Information Commissioner's Office, and it is currently awaiting Parliament's approval.
Having yet another agreement is hardly ideal.
But this isn't just "yet another agreement".
It's a pretty dreadful document, more in keeping with a review draft than something which is going to be actual, official, UK policy.
What follows is a selection of what I've picked up in reviewing it, and discussing with others. I'm not pretending this is an exhaustive list.
Clause 23: Access requests and direct access
Clause 23.1 introduces a definition of "Direct Access". It says:
"“Direct Access” means direct access to any Transferred Data by public authorities of which the Importer is aware"
Does the qualification "of which the Importer is aware" relate to:
- the public authorities?
- the access?
- the Transferred Data?
All three?
I think it means "the following situation, if the Importer is aware of it: direct access to any Transferred Data by one or more public authorities".
Why leave it ambiguous?
Clause 15.1 of the new EC Standard Contractual Clauses is slightly clearer, putting an obligation on a data importer if it:
becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination ...
Again, this suffers from the same problem: a lack of clarity as to which bit of the sentence the qualification "in accordance with the laws of the country of destination" applies to.
Clause 26: Breaches of this IDTA (this contains probably the worst issue I've spotted so far, to my mind)
Reasonable anticipation
Clause 26.1 says:
Each Party must notify the other Party in writing ... if it ... it (sic) should reasonably anticipate that it may breach this IDTA.
Is it me, or is this rather a mess of a sentence?
Why "should reasonably anticipate", and not "reasonably anticipates"? Does the "should" imply some kind of objective standard - it should have reasonably anticipated something, even if it did not? - or is it just a flourish?
And even if that is resolved, the trigger is not reasonable anticipation that it will breach the IDTA, but merely that it may do so. How likely does that "may" need to be? The "reasonably" applies to the anticipation, not the "may".
And do all the instances of "it" definitely refer to the same party? It could also be read as saying that, if Party A suspects that Party B might be in breach, Party A needs to tell it.
I don't think that's what it is meant to say, but that's the price of ambiguous drafting.
But there's worse to come.
"Significant Harmful Impact"
26.2 introduces a defined term of "Significant Harmful Impact":
In this IDTA “Significant Harmful Impact” means that there is more than a minimal risk of a breach of the IDTA causing (directly or indirectly) significant damage to any Relevant Data Subject or the other Party.
But the Legal Glossary says that it means:
As defined in Section 26.2 as where there is more than a minimal risk of the breach causing (directly or indirectly) significant harm to any Relevant Data Subject or the other Party.
Why does one place say "damage", and another "harm"?
This seems like a pretty significant error, assuming that it is an error.
Clause 32: Your liability
Getting liability clauses right is important. Clause 32 could be done better.
First, 32.2 says:
Each Party (in this Section, “Party One”) agrees to be fully liable to Relevant Data Subjects for the entire damage suffered by the Relevant Data Subject, caused directly or indirectly by:
Party One’s breach of this IDTA; and/or
where Party One is a Processor, Party One’s breach of any provisions regarding its Processing of the Transferred Data in the Linked Agreement;
where Party One is a Controller, a breach of this IDTA by the other Party if it involves Party One’s Processing of the Transferred Data (no matter how minimal)
in each case unless Party One can prove it is not in any way responsible for the event giving rise to the damage.
Let's leave aside why there's an "and/or" after the first condition, but not the second one (although that should be fixed).
The more pressing issue, to my mind, is that the clause deals with liability for Party One's breach, but exempts Party One if it can prove it is not responsible for the event giving rise to the damage.
Why this distinction - why not the breach giving rise to the damage?
Is "event" broader or narrower than "breach"?
One would presume that the use of different words is intentional, and that there is a purpose to them. But what is it?
(Apparently, there is to be "clause by clause guidance", and this might answer the question. Or give the ICO an opportunity to put a sticking plaster over oddities, until they can be fixed properly.)
Second, 32.3 says:
If one Party has paid compensation to a Relevant Data Subject ... it is entitled to claim back from the other Party that part of the compensation corresponding to the other Party’s responsibility for the damage, so that the compensation is fairly divided between the Parties.
Why position this as an entitlement to claim, and not an obligation on the other party to pay its "fair" share?
(Leaving aside what constitutes "fairly divided", or the criteria one should use to assess that. It feels like litigation just waiting to happen.)
Clause 33: How ... the ICO may bring legal claims
33.2 says:
The ICO is entitled to bring claims against the Exporter and/or Importer for breach of the following Sections [list of sections].
This one is just weird, to my mind.
I think that the ICO is trying to grant itself a right to bring a claim for breach of contract, even though it is not a party to a contract.
The regulator would have a contractual right of action in every single instance in which this agreement is used, rather than relying on its enforcement powers under the Data Protection Act 2018.
This just feels odd to me. Perhaps there is an analogous situation, in which the regulator requires that parties inject it into their commercial agreements, but I can't think of one.
The new EC Standard Contractual Clauses do not do this.
Perhaps I am missing something but, in any case, how could the ICO demonstrate that it has suffered loss? If it has not suffered loss, what claim does it have?
Clause 35: Arbitration
This clause has both drafting problems and - in my view - policy problems.
Mandatory arbitration
First, arbitration is not by agreement. This clause is not optional, and either party to the agreement can force arbitration, as can a "Relevant Data Subject":
Instead of bringing a claim in a court under Section 34, any Party, or a Relevant Data Subject may elect to refer any dispute arising out of or in connection with this IDTA (including non-contractual claims) to final resolution by arbitration
...
The Parties agree to submit to any arbitration started by another Party or by a Relevant Data Subject
Forcing arbitration is unusual, especially since arbitration is typically expensive, private, and without a right of appeal.
I wonder if this is going to be an impediment to parties using this document.
It is England-centric, for no obvious reason
Second, it is entirely England-centric, which is odd in an agreement which covers the whole of the UK.
For example, clause 35.4 says:
London shall be the seat or legal place of arbitration. It does not matter if the Parties selected a different UK country as the ‘primary place for legal claims to be made’ in Table 2: Transfer Details.
35.6 says:
English law governs this Section 35.
So a controller in Scotland (for example), with data subjects in Scotland, is required to use London as the seat of arbitration, governed by English law.
Perhaps there's a good reason for this, but it does not jump out to me.
General oddities
Third, there is some odd - sloppy, to my mind - drafting.
35.5 says:
The English language must be used in the arbitral proceedings.
So as long as a party uses English once, they're fine, even if they do the rest in Klingon?
If it was meant to say that "The arbitral proceedings will be carried out solely in English", then why not say that?
The drafting in the government's model services contract is not ideal (given its use of "shall"), but it is clearer:
the arbitration proceedings shall take place ... in the English language
(I note that the model services contract is also England-centric, so perhaps the ICO is aligned with broader government policy here?)
So what next?
Honestly, I don't know. As I said at the beginning, this is not an exhaustive list of problems. This isn't something which can be fixed with a couple of hours of work. It isn't like a blogpost, where typos are inconsequential, and readily fixed (hint hint, if you spot a typo in this).
This is an official document.
If this is the version of the agreement which gets through Parliament, then this is the version which exporters and importers need to use, foibles and all.
Perhaps the clause-by-clause guidance, as yet unpublished, will assist. If nothing else, it could be used as a stop-gap measure by the ICO, to try to paper over some of these cracks (if that is what they are).
And, if someone from the ICO is reading this, I'm more than happy to work collaboratively, to try to iron out the quirks listed here, and others.