Cordery

Legal.Compliance.

UK Proposals & Consultation for Data Transfers, including Standard Contractual Clauses/International Data Transfer Agreement (IDTA)

Introduction

The UK’s data protection regulator the ICO has now finalised and published materials for international data transfers including with regard to Standard Contractual Clauses. This article looks at this latest development in brief.

What’s this all about?

By way of quick background, under EU GDPR, international data transfers can only be made in certain ways and subject to various conditions. These include country Adequacy Decisions (see here for our article about the EU’s Adequacy Decisions for the UK https://www.corderycompliance.com/eu-dpa-decisions-approved/), Binding Corporate Rules, and, probably the most relied on mechanism by organisations, Standard (Model) Contract Clauses (SCCs). SCCs consist of a contract entered into between a data exporter and a data importer that impose certain data protection obligations on both parties.

Following Brexit the UK is no longer part of the EU. UK GDPR has replaced EU GDPR for the UK – UK GDPR (along with the UK Data Protection Act 2018) regulates international data transfers. The new EU 2021 SCCs (which we’ve made a film about here https://www.corderycompliance.com/new-eu-sccs/) only apply to data transfers from the EU/EEA. Accordingly the UK has to develop its own international data transfer instruments and guidance, including with regard to SCCs. What the ICO has done is to launch a public consultation about a series of proposed international data transfer materials.

As the ICO makes clear, it has taken into account the 2020 European Court of Justice Schrems ruling (which we’ve written about here https://www.corderycompliance.com/ecj-rules-scc-valid-not-ps/). In the UK context this ruling requires organisations to carry out due diligence when making a transfer of personal data outside of the UK to countries for which there is no UK Adequacy Decision.

What are the highlights?

The draft UK documents are complex and detailed to say the least and consist of:

  • An international transfer risk assessment tool;
  • An international data transfer agreement; and,
  • A draft addendum to the EU Commission standard contractual clauses,

along with a consultation document.

The consultation document is divided into three sections, which addresses the following legally complex areas:

Section 1: proposal and plans for the ICO to update its guidance on international transfers –

Interpretation of the extra-territorial effects of Article 3 UK GDPR

Proposal 1: Processors of a UK GDPR Controller under Art 3(1)

Proposal 2: Processors of a UK GDPR Controller under Art 3(2)

Proposal 3: Overseas joint controller with a UK-based joint controller

Interpretation of Chapter V UK GDPR

Proposal 1: In order for a restricted transfer to take place, there must be a transfer from one legal entity to another

Proposal 2: A UK GDPR processor with a non-UK GDPR controller, will only make a restricted transfer to its own overseas sub-processors

Proposal 3: Whether processing by the importer must not be governed by UK GDPR

Proposal 4: Art 49 Derogations

Proposal 5: Guidance on how to use the IDTA (or other Art 46 transfer tools) in conjunction with the Art 49 Derogations;

Section 2: Transfer risk assessments –

Proposal 1: A transfer risk assessment tool; and,

Section 3: ICO model international data transfer agreements –

Proposal 1: A new set of standard data protection clauses

Proposal 2: The adoption of model data transfer agreements issued in other jurisdictions

Proposal 3: Disapplying the use of the Directive SCCs when the Commissioner issues an IDTA.

In relation to these issues the consultation sets out a mixture of things to consider, options, questions to be answered or views or evidence to be submitted.

What’s next?

Parties have until 5.00pm on Thursday 7 October 2021 to respond to the consultation. The consultation paper can be downloaded and completed and responses emailed to IDTA.consultation@ico.org.uk; the ICO will publish all responses it receives unless parties request otherwise. The ICO will then review the responses after which the finalised materials can be expected to issued sometime after – at this stage no possible dates for that are publicly known.

What are the takeaways?

Responding to the ICO’s consultation will be a tall order as both the content and style of the consultation are challenging.

What will probably be of most interest to organisations is the new set of SCCs, to be known in the UK as the model International Data Transfer Agreement or IDTA. In terms of core issues there appear to be similarities between the proposed IDTA and the 2021 EU SCCs but there are also a number of particular UK aspects. Also of possible interest to organisations, the ICO is considering issuing an IDTA in the form of an addendum to model data transfer agreements from other jurisdictions. Whatever the result of the consultation, as with the 2021 EU SCCs, plenty of work will need to be done by organisations as regards the eventual final version of the UK IDTA so organisations will need to plan ahead and set aside resources to deal with this in the future.

More information

Cordery’s GDPR Navigator includes resources to help deal with data protection compliance.  It includes a monthly call to keep up-to-date with GDPR changes across the EU.  GDPR Navigator also includes films, template and written guides on topics including:

  • Accountability and Audit
  • Geographical reach
  • Data Controller or Data Processor – what do these terms mean and which are you?
  • Fine determination – work out what the consequences of a breach might be
  • Appointing processors – how to reduce your risk
  • One-stop-shop – determine who your regulator will be
  • Binding Corporate Rules
  • The security provisions of GDPR

For information about our Cordery GDPR Navigator tool please see http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/

We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.

Details of the ICO’s consultation and materials can be found here: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-data-transferred-outside-of-the-uk/

For more about GDPR please also see our GDPR FAQs which can be found here:  http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.

For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.