It’s official: Summer is here… the new UK SCCs consultation is out!
17 August 2021
On 11 August, the Information Commissioner’s Office (ICO) published its long awaited consultation on the international data transfer mechanisms that it proposes to be used in a post-Brexit world.
It is worth remembering we are talking about transfers from the UK to non-EEA countries that do not benefit from a European Commission (or UK) adequacy decision (‘restricted transfers’), where it is necessary to ensure that the transferred personal data is protected to an equivalent high standard that is “sufficiently similar to UK protections”.
There are three sections in the consultation, covering (1) proposals for guidance on restricted transfers, (2) transfer risk assessments and Schrems II, and (3) UK-specific international transfer mechanisms, each of which we will look at in turn.
1. Proposal and plans for updates to guidance on international transfers
This section of the consultation has two parts. It looks at (a) the interpretation of the extra-territorial effects of Article 3 UK GDPR and (b) the interpretation of Chapter V UK GDPR. There are several proposals under each part and questions relating to the scope of UK GDPR when it applies to overseas processors of personal data. Article 49 UK GDPR derogations are in the spotlight, with views sought on whether exporters should have to attempt a transfer mechanism before relying on derogations (see question 7).
It will also be interesting to see how the ICO’s final guidance compares to the European Data Protection Board’s expected opinion on “Territorial scope (Article 3) of the GDPR and its interplay with Chapter V” when it is published.
2. Transfer risk assessments
The ICO is clear that a Transfer Risk Assessment (TRA) must be completed where there is a restricted transfer and the parties rely on an Article 46 UK GDPR transfer mechanism (which includes SCCs). This is in order to comply with the Schrems II judgment which is part of UK law under the EU Withdrawal Agreement. The TRA is designed to ensure that local laws and practices do not override the protections contained in the transfer mechanism. As expected, you do not need to carry out a TRA if you are making a transfer to any country covered by UK adequacy regulations or if the restricted transfer is covered by one of the exceptions.
The ICO has created a draft transfer risk assessment tool (TRA tool) to help organisations complete the risk assessment required. This TRA tool is designed to be used with the UK specific transfer mechanisms (see below) for routine transfers and is not mandatory. Organisations can use other methods to assess risk. If the parties have already undertaken Schrems II remediation work, it may be possible to utilise this to complete the TRA.
The draft TRA tool has three steps to assess the risk:
- Assess the transfer itself
- Is the International Data Transfer Agreement (IDTA) likely to be enforceable in the destination country?
- Is there appropriate protection for the data from third-party access?
There are decision trees, questions and examples (including ratings of risks to data subjects and adjustments that could be made), together with links to ICO guidance and legislation to assist with completing the TRA. The ICO notes that its guidance on TRAs may evolve over time in response to changes in legislation and caselaw, and as a result of reviewing how the guidance works in practice.
3. The international data transfer agreement
The ICO proposes two new frameworks to legitimise restricted transfers and proposals to replace ‘old’ SCCs.
ICO model IDTA
The first proposal is the ICO’s model IDTA which is effectively a new UK version of the EU’s Standard Contractual Clauses (SCCs), i.e. it is the contract to use when you are making a restricted transfer. While the IDTA is an appropriate safeguard within the meaning of the UK GDPR, it is notably different in structure and style from the new EU SCCs (for more information about those SCCs see our article).
The data exporter and importer enter into the IDTA, which structurally is in the tabular format so favoured by the ICO. The parties need to fill out information about themselves, the restricted transfer, and the security measures that will be put in place to protect the personal data. The IDTA includes mandatory clauses which, as their name suggests, must always be included. There is also a set of extra data protection clauses (it is suggested that the TRA should inform the decision whether or not to include these), and there is the option of including commercial clauses so long as they do not contradict the IDTA. Templates are provided for these optional clauses but they need not be used. There is provision to cross-reference any main agreement, whether for services, data sharing or data processing, which is called a “linked agreement”, but the IDTA should always prevail. As part of the consultation the ICO has asked whether the creation of a multiparty template would be beneficial (see question 11).
Interaction with other jurisdictions and the ‘UK addendum’
In proposal two the ICO sets out its thoughts on adopting model agreements from other jurisdictions. The examples given are those of the European Commission, i.e. the new EU SCCs, New Zealand and the Association of Southeast Asian Nations (ASEAN). The proposal is to issue an addendum to these model data transfer agreements, and the ICO has created a draft UK addendum to the EU SCCs so that they work in the context of UK data transfers. This approach is the one that has been touted by many practitioners, including us, as being the most straightforward way to legitimise UK restricted transfers.
The positive news is, although this is subject to consultation, it looks as though the ICO is minded to recognise the new EU SCCs if used in conjunction with the UK addendum. In addition, the proposals recognise that the UK addendum need not be in the form proposed by the ICO; there will be flexibility for the parties to agree their own addendum provided it meets the requirements set out in the ICO’s draft.
This will be welcome news for organisations transferring data from the UK and the EEA as it will allow such transfers to be dealt with in one agreement. This is a highly pragmatic proposal from the ICO whilst also one that has one eye on ensuring continued compliance with the UK adequacy decision from the European Commission.
If post-consultation both the model IDTA and the IDTA addendum to the EU SCCs are recognised by the ICO as valid transfer mechanisms, it will be interesting to see whether a preference is adopted across the market. Will controllers and processors simply use the EU SCC plus UK GDPR addendum model? Or will controllers and processors pick and choose depending on relevant data sets? Given the familiarity of the EU SCCs and the need for data exporters to sometimes use them in any event, we think the UK addendum will be the most straightforward and therefore preferred approach – but watch this space.
The third and final proposal in this section deals with the old SCCs, which are called the “Directive SCCs” (because they were introduced under the GDPR’s precursor, Directive 95/46/EC). Post-Brexit the old SCCs could continue to be used under the transitional provisions set out in Schedule 21 para.7 of the Data Protection Act (DPA) 2018. The ICO may disapply the old SCCs by virtue of Schedule 21 para.8(b) of the DPA. Once the old SCCs are disapplied and any transitional timeline has expired, they can no longer be used as a valid transfer mechanism.
The ICO proposes to disapply the old SCCs when it lays the new frameworks before Parliament. If there are no Parliamentary objections the timelines would be:
- For data transfer agreements being negotiated, the parties can use the old SCCs for around 4.5 months (or 3 months plus 40 days to be precise) from the date the proposals are laid before Parliament, after which they can no longer be used.
- For all existing arrangements relying on the old SCCs (and any arrangements concluded during the above period), the old SCCs would remain valid for a further period of 21 months (so effectively 2 years and 40 days after the date that the proposals are laid before Parliament).
However, the continued validity of the old SCCs does not necessarily mean that they should be used. While technically the new transfer mechanisms cannot be used until they receive statutory force, organisations may wish to future-proof their transfers by taking a practical and risk-based approach by using the new transfer mechanisms.
While the above deals with extra-UK transfers, it is worth bearing in mind for extra-EEA transfers the European Commission is set to repeal the old SCCs on 27 September 2021 and all existing (and unchanged) arrangements can continue to rely on the old SCCs until 27 December 2022.
As for extra-Swiss transfers, we are awaiting a decision on whether the new EU SCCs will be approved by the Federal Data Protection and Information Commissioner, who is “currently examining the extent to which these (EU) standard contractual clauses can also be adopted under the Federal Act of 19 June 1992 on Data Protection”. Where you have complex data transfers, the data mapping exercises and remediation plans you may already have in place, or be undertaking, will assist you in navigating which transfers you need to prioritise and which need to be scheduled in order to comply with the various deadlines.
The ICO is also keen to remind us of its independent role supporting the Government’s approach to adequacy assessments (more on that expected soon too), and that the UK transfer mechanisms and associated documents and guidance will form part of the wider UK approach to international data transfers, thus providing greater certainty for organisations.
The consultation closes at 5.00pm on Thursday 7 October 2021 and submissions should be sent to IDTA.email@example.com.