The UK’s data protection regulator the ICO has now finalised and published materials for international data transfers including with regard to Standard Contractual Clauses. This article looks at this latest development in brief.
What’s this all about?
By way of quick background, under EU GDPR, international data transfers can only be made in certain ways and subject to various conditions. These include country Adequacy Decisions (see here for our article about the EU’s Adequacy Decisions for the UK https://www.corderycompliance.com/eu-dpa-decisions-approved/), Binding Corporate Rules, and, probably the most relied on mechanism by organisations, Standard (Model) Contract Clauses (SCCs). SCCs consist of a contract entered into between a data exporter and a data importer that imposes certain data protection obligations on both parties.
Following Brexit the UK is no longer part of the EU. UK GDPR has replaced EU GDPR for the UK – UK GDPR (along with the UK Data Protection Act 2018) regulates international data transfers. The new EU 2021 SCCs (which we’ve made a film about here https://www.corderycompliance.com/new-eu-sccs/) only apply to data transfers from the EU/EEA. Accordingly the UK has to develop its own international data transfer instruments and guidance, including with regard to SCCs. What the ICO has done is to launch a public consultation about a series of proposed international data transfer materials.
As the ICO makes clear, it has taken into account the 2020 European Court of Justice Schrems ruling (which we’ve written about here https://www.corderycompliance.com/ecj-rules-scc-valid-not-ps/). In the UK context this ruling requires organisations to carry out due diligence when making a transfer of personal data outside of the UK to countries for which there is no UK Adequacy Decision.
What are the highlights?
The draft UK documents are complex and detailed to say the least and consist of:
- An international transfer risk assessment tool;
- An international data transfer agreement; and,
- A draft addendum to the EU Commission standard contractual clauses,
along with a consultation document.
The consultation document is divided into three sections, which address the following legally complex areas:
- Section 1: proposal and plans for the ICO to update its guidance on international transfers –
  - Interpretation of the extra-territorial effects of Article 3 UK GDPR
    - Proposal 1: Processors of a UK GDPR Controller under Art 3(1)
    - Proposal 2: Processors of a UK GDPR Controller under Art 3(2)
    - Proposal 3: Overseas joint controller with a UK-based joint controller
  - Interpretation of Chapter V UK GDPR
    - Proposal 1: In order for a restricted transfer to take place, there must be a transfer from one legal entity to another
    - Proposal 2: A UK GDPR processor with a non-UK GDPR controller, will only make a restricted transfer to its own overseas sub-processors
    - Proposal 3: Whether processing by the importer must not be governed by UK GDPR
    - Proposal 4: Art 49 Derogations
    - Proposal 5: Guidance on how to use the IDTA (or other Art 46 transfer tools) in conjunction with the Art 49 Derogations;
- Section 2: Transfer risk assessments –
  - Proposal 1: A transfer risk assessment tool; and,
- Section 3: ICO model international data transfer agreements –
  - Proposal 1: A new set of standard data protection clauses
  - Proposal 2: The adoption of model data transfer agreements issued in other jurisdictions
  - Proposal 3: Disapplying the use of the Directive SCCs when the Commissioner issues an IDTA.
In relation to these issues the consultation sets out a mixture of things to consider, options, questions to be answered or views or evidence to be submitted.
Parties have until 5.00pm on Thursday 7 October 2021 to respond to the consultation. The consultation paper can be downloaded and completed and responses emailed to IDTA.firstname.lastname@example.org; the ICO will publish all responses it receives unless parties request otherwise. The ICO will then review the responses, after which the finalised materials can be expected to be issued sometime after – at this stage no possible dates for that are publicly known.
What are the takeaways?
Responding to the ICO’s consultation will be a tall order as both the content and style of the consultation are challenging.
What will probably be of most interest to organisations is the new set of SCCs, to be known in the UK as the model International Data Transfer Agreement or IDTA. In terms of core issues there appear to be similarities between the proposed IDTA and the 2021 EU SCCs but there are also a number of particular UK aspects. Also of possible interest to organisations, the ICO is considering issuing an IDTA in the form of an addendum to model data transfer agreements from other jurisdictions. Whatever the result of the consultation, as with the 2021 EU SCCs, plenty of work will need to be done by organisations as regards the eventual final version of the UK IDTA so organisations will need to plan ahead and set aside resources to deal with this in the future.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. It includes a monthly call to keep up-to-date with GDPR changes across the EU. GDPR Navigator also includes films, template and written guides on topics including:
- Accountability and Audit
- Geographical reach
- Data Controller or Data Processor – what do these terms mean and which are you?
- Fine determination – work out what the consequences of a breach might be
- Appointing processors – how to reduce your risk
- One-stop-shop – determine who your regulator will be
- Binding Corporate Rules
- The security provisions of GDPR
For information about our Cordery GDPR Navigator tool please see http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/
We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
Details of the ICO’s consultation and materials can be found here: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-data-transferred-outside-of-the-uk/
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 |