Ever since the ICO published its International Data Transfer Agreement at the start of the year, the UK Data Protection community has waited patiently for the accompanying guidance that the regulator said would be forthcoming. The IDTA is a technical and confusing document, and an explanation of how the ICO thinks it works is plainly required.
Any delay is bewildering – how you could write the document without producing the guidance in tandem is something I don’t understand, but for there to be any significant lag in producing the latter is actively unhelpful to controllers. John Edwards has said he wants his version of the ICO to be the go-to source of advice for practitioners, making it a central aim of his ‘ICO25’ strategy and inventing an essentially baseless but widely promoted claim that this objective will save UK businesses £100 million over the next three years. It’s ironic therefore that as a result of the delay, one of the most commercially successful things I’ve done this year has been a course about the IDTA. I doubt I would have had as many bookings if the guidance had come out, so thanks for the assist, John.
I made an FOI request to the ICO in the spring to see when the guidance might materialise: the answer was essentially ‘May, probably’. By September, there was still no guidance, so I made the request again. I asked for recorded information about when the guidance would be published, any internal discussion about why it wasn’t out yet, any internal discussion of the impact on controllers of the guidance not being available, and whether the Commissioner himself was aware ethat such a vital piece of information was unavailable.
The ICO’s answer was interesting. I didn’t ask who was responsible for producing the guidance, but the response very explicitly pointed out that Emma Bate, Director of Legal Services (Regulatory Advice and Commercial) is “the key internal stakeholder for this programme of work”. I don’t credit them with much, but the ruthlessness with which someone wants to throw Bate under the bus is admirable.
According to a succession of emails, in April, the aim was to get the guidance out by mid-May, with guidance on the Transfer Risk Assessment (another absent piece of the international transfers puzzle) following in June. The deadline shifted to July, with an ambitious sounding ‘ICO contract builder’ and an online tool based on the Transfer Risk Assessment following in the “autumn / end of year”. Then another email said the deadline was the end of June.
At the start of July, briefing notes for an ‘Ask the ICO’ event included the aim that the guidance would be out in “the Autumn”, but when an “external stakeholder” asked in the middle of the month, things were a bit more equivocal: “Sorry no date yet – hoping for the autumn”. In September, emails preparing Edwards for his attendance at the Asia Pacific Privacy Authorities (APPA) meeting including the line “…we should definitely have it out by November…”. It’s worth noting that at this time, the ICO also intended to publish the transfer risk assessment by the end of September. Which didn’t happen.
The IDTA document was laid before Parliament in February (following an initial cock-up where the final document had a date typo that invalidated the grace period for using the old standard contract clauses). It came into force in March. That grace period ended in September. And yet still, more than six months after it was released, the ICO has failed to get their act together, letting down the entire UK data protection sector in the process. Even if they finally publish in November, it will be after a succession of missed deadlines.
Remarkably, the only recorded information to explain the delay comes from an email in May, where Bate blamed the delay at that point on the following:
- A delay in receiving advice.
- Preparation for a last minute stakeholder visit and for ICO25.
- Upcoming annual leave
It’s a wonder they were able to keep their homework away from the dog.
Ponder this for a moment: months after the IDTA was laid before Parliament, the people writing the guidance about it still needed advice before they could explain how it works. This crucial guidance that thousands of controllers are waiting for was also delayed to work on a strategy built on the importance of giving controllers better guidance.
Apart from this email to Paul Arnold, the ICO’s Deputy Chief Executive, there has been no other recorded discussion about the harmful and potentially costly delay in publishing proper guidance on this most vexing of issues. Nobody seems to be interested in chasing it; not Arnold or the Commissioner himself, who seems to have done nothing at all.
Worse yet, there has been no recorded discussion of the impact of this delay on controllers. Of course, that doesn’t automatically mean that there hasn’t been any, but there have been no emails, no minuted discussions, nothing on record. Without any evidence to the contrary, I think it’s safe to assume that it simply hasn’t occurred to the people working on the project to think about all the organisations that they’ve left hanging.
As is traditional when the ICO replies to an FOI request which makes them look bad, they throw in a justification:
“For context, producing guidance for the IDTA and transfer risk assessments is complicated. It requires careful analysis and consideration of various sources of law to come to the correct and right guidance. Further, the need to balance the rights and freedoms of data subjects as well as ensuring that we produce guidance that meets the needs of organisations, regardless of their size, was of paramount importance. We want to get this right, which is why we have taken the time to do it right”
The only thing I can say in response to this is that failing to publish much needed guidance for more than six months, even after legal deadlines and grace periods have elapsed, is not doing it right. It’s a shambles. Of course, from a purely commercial perspective, I’m happy for the ICO to be useless in this way because it’s good for business. But especially under Edwards, the ICO claims to be the definitive source of information for UK controllers. Right now, if you want advice about how international transfers from the UK work, they’re still not in a position to give it to you.
SHAMELESS PLUG: the next outing for my course on international transfers from the UK is on 5 December at 9.30am. For more information, click here: https://2040training.co.uk/courses/great-escape/