ICO consults on data transfers

What's the issue?

Standard Contractual Clauses are one of the permitted transfer mechanisms which can legitimise a transfer of personal data to a third country which does not benefit from an adequacy agreement, under both the EU and the UK GDPR. Since the end of the Brexit transition period, the UK has continued to use the SCCs approved by the European Commission before the advent of the GDPR, and before the Schrems II decision.

In the meantime, the EU has moved on following approval of new EU SCCs. The EU's new SCCs align more closely with the GDPR and take the Schrems II decision into account but because they were adopted after Brexit, they do not apply in the UK which continues to use the outdated models.

What's the development?

The ICO has launched a consultation on data transfers which covers:

proposal and plans for updates to guidance on international transfers
transfer risk assessments (TRAs)
the proposed international data transfer agreement (IDTA) which will replace the current SCCs.

Input is also sought from stakeholders on relevant privacy rights, legal, economic or policy considerations and implications. The consultation closes on 7 October 2021.

What does this mean for you?

The UK is still using the old SCCs while the EU has moved on so the UK needs its own replacement. There will be inevitable differences, even if these are only administrative, but if the government really intends to diverge significantly from the EU GDPR, these changes may lead to more rather than less admin than businesses dealing with the EU and the UK currently face.

Read more about the ICO's consultation on international data transfers

Why is the ICO consulting on international data transfers?

The issue of data transfers is at the top of the UK's data protection agenda for a number of reasons. Last year's CJEU decision in the Schrems II case (retained in UK law by the EU Withdrawal Act) and Brexit have required both the EU and the UK to reassess how to adequately protect personal data exported to third countries.

The EC has taken steps to give effect to the Schrems II decision and to bring transfer mechanisms in line with the GDPR. In June 2021, it published guidelines for assessing the risks to personal data posed by the law and practices of importing jurisdictions, and on implementing supplemental safeguards for transfers. It also published new EC Standard Contractual Clauses (EC SCCs) for personal data transfers outside the EEA which take both the GDPR and the Schrems II decision into account.

While the Schrems II decision does apply in the UK, the subsequent measures taken by the EC to give effect to it do not as they were concluded after the end of the Brexit transition period. The UK which must now forge its own path, producing its own guidance and legal contractual mechanisms that can be used for exports of personal data subject to the separate UK GDPR. Its consultation on these issues is open until 7 October 2021.

Updates to transfers guidance on international transfers

In updating guidance on international transfers the ICO is particularly seeking feedback on:

aspects of the interpretation of the extra-territorial effect provisions of Article 3 UK GDPR relevant to processors of a UK controller and to overseas/UK joint controllers
what should constitute a 'restricted transfer' to which the transfer rules in Chapter V of the UK GDPR apply, and
the interpretation of the derogations for specific transfer circumstances under Article 49 UK GDPR.

The draft TRA

The proposed TRA sets out a comprehensive structure and methodology for organisations to use when assessing the risks associated with transferring personal data subject to the UK GDPR to a third country. The ICO does not propose that the TRA structure will be mandatory but it has been structured to work alongside the IDTA and is broken down into three parts:

assessing the transfer
determining whether the IDTA is likely to be enforceable in the destination country, and
determining whether there is appropriate protection for the data from third-party access.

The draft TRA includes case studies and examples and is intended to help with making appropriate risk- based assessments. The decision tree structure is substantial and may prove overwhelming for smaller organisations. In this respect the ICO is seeking feedback, among other points, on whether the approach proposed by the TRA is practical and helpful.

The draft IDTA and proposed addendum to the EC SCCs

The draft IDTA is intended to provide UK-specific standard contractual clauses for transfers of personal data to third countries (those not benefitting from a UK adequacy agreement). Once finalised these will replace the current pre-GDPR SCCs. The new IDTA will reflect the changes in UK data protection law while ensuring compliance with the Schrems II judgement.

Unlike the EC SCCs the proposed IDTA does not at apply a modular approach but is intended to be a single agreement suitable for all circumstances. Other features to note are:

the use of tables to help with setting out specific information about the exporter, importer, and the purposes of the restricted transfer
the option to exclude extra protection clauses
the option to include commercial clauses agreed by the exporter and importer
a set of mandatory clauses which must always be included.

In addition, the ICO has published a proposed IDTA in the form of an addendum to the EC SCCs for public consultation which can be used as an alternative to the IDTA. It will essentially apply the EC SCCs in the context of UK data transfers, replacing references to the EU GDPR with UK GDPR and so on. This will be of particular use to organisations sending data from both the EU and the UK, enabling organisations to use one set of SCCs to cover both transfers.

The ICO outlined that the addendum will provide additional appropriate safeguards for organisations relying on Article 46 transfer tools under the UK GDPR when transferring data out of the UK.

The consultation separately seeks views on whether there would be value in publishing an IDTA in the form of an addendum to the model data transfer agreements of other jurisdictions (for example New Zealand and ASEAN (Association of South East Asian Nations).

What does this mean for my data transfers?

Until the IDTA is finalised (and we don't know when this will happen), data transfers from the UK to non-adequate countries can be covered by the current UK SCCs. The consultation proposes that they cease to be used:

three months after the IDTA enters into force for new transfers, and
21 months after the IDTA enters into force for all existing UK SCCs.

This interim period is a good time for organisations to review their UK data flows and discuss a strategy and approach for international data transfers, bearing in mind the proposed documents that the ICO has published.