On 11th August 2021, the United Kingdom Information Commissioner launched a consultation on data transfers. The consultation is relevant to anyone who transfers personal data from the UK, or who provides services to UK organisations. The consultation asks whether it would be helpful for the Information Commissioner to approve an addendum, allowing the EU Standard Contractual Clauses[1] to be used for transfers of personal data from the UK. Even if organisations have no comments on the Commissioner’s other points, this point alone is important enough to warrant a response to the consultation. In addition, the consultation proposes: 1) that the Information Commissioner will terminate the (current, temporary) approval of the 2001, 2004 and 2010 Standard Contractual Clauses; 2) a new, UK-specific, International Data Transfer Agreement; 3) an accompanying Transfer Risk Assessment; and 4) changes to existing UK guidance on data transfers. The deadline for responding is 5 p.m. (local time) on 7th October 2021.
Probably, yes – but read the ‘smallprint’.
The Commissioner is considering issuing an international data transfer agreement in the form of a “UK addendum” to data transfer agreements issued by other countries or regions. This could be used for the EU SCCs, or for other data transfer agreements (such as the New Zealand or ASEAN agreements). The consultation asks what the value of this approach would be to organisations.
As an example of how this could be done, the consultation includes a draft addendum to the EU SCCs. This modifies parts of the EU SCCs which refer to EU or member state law, or to EU or member state institutions, so that the clauses can be used for data transfers from the UK. The addendum is short, clear and flexible – allowing its terms to be modified so long as appropriate safeguards are maintained. Accordingly, there should be scope to alter the drafting of parts of the addendum, if needed. There is also flexibility as to how the addendum can be executed.
At the moment, the EU SCCs cannot be used in the UK. As a result, organisations who are trying to prepare new vendor, customer, or intra-group data transfer agreements for data transfers are having to prepare alternative forms of language for the EU and for the UK. This imposes additional cost and complexity on organisations doing business in or with the UK – so it is important for readers to respond to the consultation to say that this would be of value.
No. The EU SCCs will only be permitted for use for UK data transfers if they are amended. Organisations should note that there will also be some timing complexity here.
As from 27th September, the EU SCCs must be used for new transborder dataflows from the EU. As from that date, the previous SCCs, approved in 2001, 2004 and 2010 (“old SCCs”), can no longer be used for new data flows. However, the EU SCCs cannot be used in the UK. Even if the Commissioner does approve and issue an addendum which modifies the EU SCCs for use in the UK, this will not be effective until very late 2021 or, more likely, in 2022. Accordingly, organisations will have to have two different data transfer agreements for the EU and the UK – but may later be able to use the EU SCCs, with a UK addendum, for UK data transfers.
If you want more detail, there’s a post-script at the end of this note which explains the interaction of EU and UK law on this point.
No.
The old SCCs do not take account of all the provisions in the GDPR (or of Schrems II), so the UK cannot accept that these provide appropriate safeguards for personal data in the long term. The consultation proposes that the old SCCs should be replaced. This will be linked to the date of approval of new UK data transfer arrangements. The consultation proposes that the old SCCs should cease to be used:
The Information Commissioner has drafted a bespoke, UK, international data transfer agreement (“IDTA”) and asks for feedback on this. Key features of the IDTA are:
So what are the downsides? It’s a little early to say: we need to try to draft around the IDTA to be sure. However, two immediate points should be noted: 1) the IDTA says that its provisions and the associated transfer risk assessment should be reviewed annually – which could be excessive for low-risk transfers; and 2) for controller-to-controller transfers, data subject rights are extended to include an obligation to comply with “any reasonable request” of the data subject.
This is designed for use alongside the IDTA, although the consultation states that it’s not mandatory to use this form of TRA. The consultation says that the Transfer Risk Assessment is intended to be used for relatively routine risk assessments – and that a more detailed transfer risk assessment may be needed for complex or high risk processing, or transfers to a country with a poor human rights record.
There is a lot that is good about the draft Transfer Risk Assessment:
However, it is 49 pages long, which will make it difficult to access for SMEs. It would be more accessible if the ICO (or others) took the content and turned it into an interactive tool.
In the first part of the consultation, ICO explains certain key areas where it is considering whether or not to issue new guidance, or to alter the approach taken in existing guidance. This affects: territorial scope of UK data protection law; the meaning of a restricted transfer; and approach to derogations.
On territorial scope:
On data transfers, ICO suggests:
On derogations, ICO asks:
It will be apparent to readers from the points above that ICO is tackling difficult and controversial topics, some of which are topics where guidance has been expected from the European Data Protection Board for a significant period. ICO is doing this in an open manner. On these difficult topics, the guidance explains what ICO thinks the strengths and weaknesses of the various options are (both from a black-letter-law and a policy perspective); ICO explains what its preliminary view is and asks for feedback. The ICO has also taken considerable efforts to do all of this in plain English, making the documents accessible and easy to read, and it deserves significant credit for this as well as for the substantive quality of the documents. Post-Brexit, ICO is open to new ideas and has the self-assurance and confidence to debate points openly. The contrast to the approach to consultation taken by the EDPB is striking.
As readers will be aware, on 4th June 2021, the European Commission adopted new Standard Contractual Clauses which can be used to provide appropriate safeguards for personal data which is transferred from the EU. The EU SCCs will replace the Standard Contractual Clauses which were adopted by the Commission under the old, 1995 Data Protection Directive, in 2001, 2004 and 2010 (“old SCCs”). At the moment, organisations can use either the new SCCs or the old SCCs to provide adequate safeguards for transfers of personal data from the EU. However, from 27th September 2021, parties can only use the new SCCs for new transborder dataflows. For existing transborder data flows, parties have until 27th December 2022, to replace old SCCs with new SCCs. Many readers will be busy preparing new agreements for use with customers, vendors, or intra-group as a result.
UK data protection legislation references appropriate safeguards for personal data that were in force as at the moment Brexit took place (11 p.m. on 31 December 2020). Accordingly, at the moment, UK legislation only recognises the old SCCs, not the EU SCCs.
*This article has been previously published on the IAPP website and shared with its members
[1] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance)
[2] This would be the UK addendum to other agreements and the UK specific international data transfer agreement.