UK Information Commissioner consults on data transfers – including approach to EU Standard Contractual Clauses

Will we be able to use the new EU SCCs for data transfers from the UK?

Probably, yes – but read the ‘smallprint’.

The Commissioner is considering issuing an international data transfer agreement in the form of a “UK addendum” to data transfer agreements issued by other countries or regions. This could be used for the EU SCCs, or for other data transfer agreements (such as the New Zealand or ASEAN agreements). The consultation asks what the value of this approach would be to organisations.

As an example of how this could be done, the consultation includes a draft addendum to the EU SCCs. This modifies parts of the EU SCCs which refer to EU or member state law, or to EU or member state institutions, so that the clauses can be used for data transfers from the UK. The addendum is short, clear and flexible – allowing its terms to be modified so long as appropriate safeguards are maintained. Accordingly, there should be scope to alter the drafting of parts of the addendum, if needed. There is also flexibility as to how the addendum can be executed.

At the moment, the EU SCCs cannot be used in the UK. As a result, organisations who are trying to prepare new vendor, customer, or intra-group data transfer agreements for data transfers are having to prepare alternative forms of language for the EU and for the UK. This imposes additional cost and complexity on organisations doing business in or with the UK – so it is important for readers to respond to the consultation to say that this would be of value.

So we can’t just use the exact EU SCCs for UK data transfers without amendment?

No. The EU SCCs will only be permitted for use for UK data transfers if they are amended. Organisations should note that there will also be some timing complexity here.

As from 27th September, the EU SCCs must be used for new transborder dataflows from the EU. As from that date, the previous SCCs, approved in 2001, 2004 and 2010 (“old SCCs”), can no longer be used for new data flows. However, the EU SCCs cannot be used in the UK. Even if the Commissioner does approve and issue an addendum which modifies the EU SCCs for use in the UK, this will not be effective until very late 2021 or, more likely, in 2022. Accordingly, organisations will have to have two different data transfer agreements for the EU and the UK – but may later be able to use the EU SCCs, with UK addendum for UK data transfers.

If you want more detail, there’s a post-script at the end of this note which explains the interaction of EU and UK law on this point.

Can we just keep the “old” SCCs in place for UK data transfers?

No.

The old SCCs do not take account of all the provisions in the GDPR (or of Schrems II), so the UK cannot accept that these provide appropriate safeguards for personal data in the long term. The consultation proposes that the old SCCs should be replaced. This will be linked to the date of approval of new UK data transfer arrangements. The consultation proposes that the old SCCs should cease to be used:

• for new transborder data flows, 3 months and 40 days after the new UK international data transfer agreement[2]is laid before Parliament;
• for existing transborder data flows, 21 months after the date above.

What is the UK specific international data transfer agreement?

The Information Commissioner has drafted a bespoke, UK, international data transfer agreement (“IDTA”) and asks for feedback on this. Key features of the IDTA are:

• it is easy to use
  • there are tables at the beginning of the agreement which allow the parties to specify all the “variables” of the agreement – such as details of the parties, the personal data being transferred, the purposes of the transfer etc… This tabular approach is likely to make the IDTA easy for procurement departments to use
  • it is a one-size fits all agreement. Unlike the modular structure of the EU SCCs, the IDTA is just one agreement, which can be signed as-is. Some clauses state that they apply to everyone; others say that they do not apply if the importer is a processor etc. This is clearly set out in the IDTA itself; there is no need for the parties to cut & paste text to create an agreement (although the Commissioner makes clear that they can do so if they prefer);
• it fills in some of the gaps in the EU SCCs
  • it can be used even if the importer is directly subject to the UK GDPR. In this situation, the sections of the IDTA which contain UK-GDPR obligations (for example, data subject rights) are disapplied – because they apply automatically to the importer
  • it covers more scenarios: transfers from a processor to a recipient who is not a sub-processor, or its instructing controller and transfers between joint controllers
• it is more flexible
  • the mandatory clauses cannot be changed, but parties are free to edit the tabular structure and to delete sections irrelevant to them. Parties can also make the agreement multi-party if they want – and can nominate one party to make decisions on everyone’s behalf. The IDTA also recognises that parties may have linked agreements (a MSA or data processing agreement) and that parties can cross reference this.

So what are the downsides? It’s a little early to say: we need to try to draft around the IDTA to be sure. However, two immediate points should be noted: 1) the IDTA says that its provisions and the associated transfer risk assessment should be reviewed annually – which could be excessive for low risk transfers; and 2) for controller to controller transfers, data subject rights are extended to include an obligation to comply with “any reasonable request” of the data subject.

There’s a precedent Transfer Risk Assessment

This is designed for use alongside the IDTA, although the consultation states that it’s not mandatory to use this form of TRA. The consultation says that the Transfer Risk Assessment is intended to be used for relatively routine risk assessments – and that a more detailed transfer risk assessment may be needed for complex or high risk processing, or transfers to a country with a poor human rights record.

There is a lot that is good about the draft Transfer Risk Assessment:

• it makes clear that exporters don’t have to look for identical legal systems and that diversity in approach is to be welcomed; it also states that there can be a legitimate place for laws regulating surveillance and that countries with no laws addressing this may, in fact, raise greater concerns with countries with laws, as this may suggest a lack of safeguard;
• it contains useful examples of what may be regarded as low, medium and high risk;
• it contains accessible scenarios, showing when transfers may be permitted – for example, where there is a low likelihood of access to that data and, even if there were access to the data, the risk to data subjects would be low;
• it takes a more holistic approach to assessing risk – not just considering risks from public authority access, but from the enforceability of the data transfer agreement per se – for example, because of difficulties in enforcing judgments or because of lengthy delays in obtaining justice or corruption;
• ICO accepts that conducting a transfer risk assessment can be challenging – and the draft guidance states that if an organisation can show that it used best efforts to complete the TRA, but that the analysis turns out to be incorrect, that the ICO will take this into account in any regulatory action. Indeed, the ICO states that it will do this when any transfer impact assessment is carried out, even if it is not in the ICO suggested format.

However, it is 49 pages long which will make it difficult to access for SMEs. It would be more accessible if the ICO (or others) took the content and turned it into an interactive tool.

ICO is open about areas of uncertainty – and explores the pros & cons of changing its guidance

In the first part of the consultation, ICO explains certain key areas where it is considering whether or not to issue new guidance, or to alter the approach taken in existing guidance. This affects: territorial scope of UK data protection law; the meaning of a restricted transfer; and approach to derogations.

On territorial scope:

• ICO asks whether it should issue guidance stating that any processor of a UK established controller is, itself, automatically directly subject to the UK GDPR
  • This would have rather bizarre outcomes – such a processor would not need to appoint a representative (as this only applies where GDPR has extra-territorial scope pursuant to art.3(2)) – so UK legislation would be applicable, in theory, but without the mechanisms provided by GDPR to assist with enforcement in this situation
  • This also seems unnecessary – as most of the obligations which would apply to the processor under UK data protection law, would be imposed through the data processing agreement in any event
• ICO also asks whether, if one joint controller is established in the UK, that would automatically mean that UK data protection legislation would apply to the other joint controllers.

On data transfers, ICO suggests:

• that there is only a “transfer” if personal data is transferred from one entity to another. The result of this is that a transfer of data by a branch in the UK to the mother organisation is not to be regarded as a data transfer. ICO states that this view reflects the language in Art. 44 and Art.46 - but does not parse out the language to substantiate this point. We see no reason why these articles should be interpreted in this way;
• that there is no “transfer” if a processor returns data to, or at the direction of, its instructing controller; and
• that ICO may rethink its view that there is no “restricted” transfer (and hence no need for safeguards) if there is a transfer of data to an importer to whom UK data protection legislation applies on an extra-territorial basis.

On derogations, ICO asks:

• if these should be applied where the transfer is “necessary” to achieve the derogation, or only where it is “strictly necessary”;
• for views on the provisions in Art.49 and recital 111 which restrict certain of the derogations to transfers which are “occasional”, or not “repetitive”; and
• suggests that it may be possible to combine derogations and art. 46 safeguards – so finding a middle way between standard contractual clauses and consent. There is a significant risk that, in situations where transfers have to take place (e.g. to conclude a communication service, or to transfer funds overseas), exporters will conclude that there is no point in trying to use standard contractual clauses and that the only way of addressing the transfer is to rely on data subject consent. If the legal and political situation is too complex for governments, regulators and sophisticated multinationals to solve, pushing the problem to “consent” by the data subject cannot be a good outcome – and ICO’s suggestion that SCCs should still be used to provide better protection for individuals in many situations, together with consent to provide a robust legal solution, is a welcome attempt to move the debate forward.

ICO is open to a debate on difficult issues

It will be apparent to readers from the points above, that ICO is tackling difficult and controversial topics - and some of these are topics, where guidance has been expected from the European Data Protection Board for a significant period. ICO is doing this in an open manner. On these difficult topics, the guidance explains what ICO thinks the strengths and weaknesses of the various options are (both from a black-letter-law and a policy perspective); ICO explains what its preliminary view is and asks for feedback. The ICO has also taken considerable efforts to do all of this in plain English – making the documents accessible and easy to read and it deserves significant credit for this as well as for the substantive quality of the documents. Post-Brexit ICO is open to new ideas and has the self-assurance and confidence to debate points openly. The contrast to the approach to consultation taken by the EDPB is striking.

Post-script: how do the EU rules and the UK rules fit together?

As readers will be aware, on 4th June 2021, the European Commission adopted new Standard Contractual Clauses which can be used to provide appropriate safeguards for personal data which is transferred from the EU. The EU SCCs will replace the Standard Contractual Clauses which were adopted by the Commission under the old, 1995 Data Protection Directive, in 2001, 2004 and 2010 (“old SCCs”). At the moment, organisations can use either the new SCCs or the old SCCs to provide adequate safeguards for transfers of personal data from the EU. However, from 27th September 2021, parties can only use the new SCCs for new transborder dataflows. For existing transborder data flows, parties have until 27th December 2022, to replace old SCCs with new SCCs. Many readers will be busy preparing new agreements for use with customers, vendors, or intra-group as a result.

UK data protection legislation references appropriate safeguards for personal data that were in force as at the moment Brexit took place (11 p.m. on 31 December 2020). Accordingly, at the moment, UK legislation only recognises the old SCCs not the EU SCCs.

*This article has been previously published on the IAPP website and shared with its members

[1]Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance)

[2] This would be the UK addendum to other agreements and the UK specific international data transfer agreement.