The use within the UK of Standard Contractual Clauses ("SCCs") to provide appropriate safeguards for transfers of personal data to third countries (in the absence of a UK adequacy decision in respect of that third country) is soon to be updated.
By way of background, in June 2021, the European Commission adopted revised SCCs (the "New EU SCCs") in light of the Schrems II decision of the European Court of Justice, which, among other things, ruled that transferors must make an assessment of whether the SCCs suffice to provide 'essentially equivalent' protection, and if necessary put in place additional measures to compensate for lacunae in the protection of third-country legal systems.
With the transition period over, the New EU SCCs have not been adopted by the Information Commissioner's Office ("ICO"). Instead, the current position is that UK data controllers can continue to use the (older) EU SCCs, as modified to make sure they make sense in a UK context, as long as data controllers make any required enhancements to their processes in light of Schrems II. The ICO is now consulting on its own draft revised set of SCCs, accompanied by a draft model risk assessment. We set out the key changes which the ICO proposes to make.
The ICO Consultation
The consultation, which commenced on 11 August 2021, invites responses by 7 October 2021 on the following documents:
- Revised draft SCCs, called an International Data Transfer Agreement ("IDTA");
- Draft international transfer risk assessment tool;
- Draft UK Addendum to the New EU SCCs (to validate their use for transfers of personal data out of the UK) ("Addendum"); and
- Updated guidance on international transfers.
Key elements of the proposals
The proposed IDTA is divided into four parts.
- Part One includes the details of the parties and details of the transfer (such as the categories of personal data to be transferred, the categories of data subject, and the purpose of the data transfer). It also embeds into the contract the security requirements which apply to the transfer (including security of transmission, security of storage, security of processing, and organisational security requirements).
- Part Two provides space for the inclusion of any 'extra protection clauses' which may be determined by the transferor to be necessary in light of the risk assessment carried out (discussed below). The possible extra protection might include additional technical security protections, organisational protections, and/or contractual protections. (The draft states that such requirements could be set out in Part One or Part Two).
- Part Three provides for the parties to include any 'commercial clauses' relevant to their transfer. In practice, where the transfer of data is between a controller and processor (which already requires a written agreement in place, regardless of whether the transfer is outside the UK), part three of the IDTA is likely to reference that 'linked' agreement.
- Part Four contains the 'mandatory clauses' which must be included in full and without modification. These clauses provide for the core contractual requirements to ensure the transfer includes appropriate safeguards and is compliant with the UK General Data Protection Regulation ("GDPR"). Data subjects are given the contractual right to bring claims against the parties for breach of the IDTA.
Risk Assessment Tool
The ICO's draft international transfer risk assessment tool is divided into three stages: (a) assessment of whether the transfer risk assessment tool is suitable for the transfer (for example, the draft explains that some transfers may be too high risk or complex for the tool to be used); (b) determining whether the IDTA is likely to be enforceable in the destination country (including whether there are enforceable rights and effective remedies in that country); and (c) determining whether the destination country's regime is similar enough to the UK's regime in terms of regulating third-party access to data (including surveillance).
The outcome of the risk assessment will determine whether the transfer can be made and whether any extra protection is required. Transferors will therefore need to consider not only the transfer itself but also the regulatory system where the transferee is located in order to carry out the risk assessment.
The ICO is also consulting on issuing an alternative IDTA in the form of an 'addendum' to append to model data transfer agreements from other jurisdictions. Specifically, the ICO has produced a draft addendum to the New EU SCCs, which would enable organisations to use the New EU SCCs and then execute the Addendum for the purposes of compliance with the UK GDPR. For organisations carrying out business in both the UK and EU who wish to send personal data to third countries outside the UK and EU which are not subject to adequacy decisions, this would enable them to agree on one set of SCCs. We therefore expect the Addendum to be a well-received proposal.
The ICO is inviting views on a number of potential amendments to its guidance in relation to international transfers. Such amendments include but are not limited to:
- Clarification over whether transferors are required to first try to put in place an appropriate safeguard (such as SCCs) before relying on the derogations contained in Article 49 of the UK GDPR (which include where the data subject has explicitly consented to the proposed transfer, and where the transfer is necessary for the performance of a contract between the data subject and the controller).
- The proposal that 'in order for a restricted transfer to take place, there must be a transfer from one legal entity to another,' which would mean that 'it is not a restricted transfer where the data flows within a legal entity. For example ... where ... a UK company shares data with its overseas branch.' Whilst this proposal is consistent with the ICO guidance already in place, we expect that greater clarity over this issue would be welcomed by UK organisations with branches overseas.
- Clarification over whether the GDPR inevitably governs processing by an overseas processor of a UK GDPR data controller, or whether it will depend on the circumstances of the case.
The consultation closes on 7 October 2021; we can therefore expect finalisation of the proposals by around early 2022. Assuming the proposals are implemented and the new IDTA laid before Parliament, then, in respect of new SCCs to be entered into, transferors would have around four months to start using the new IDTA. There would, however, be a grace period of a further 21 months in respect of existing SCCs, giving firms time to transition across to new contracts. In other words, firms would have around 24 months to transition existing SCCs onto the ICO's IDTA.
Against this background, many of our clients are taking this opportunity to review their flows of personal data outside the UK and consider what modifications may be required to ensure that restricted transfers have appropriate safeguards in place. Specifically, firms may find that the ICO's risk assessment tool (albeit still in draft) provides much welcomed guidance as to how to approach the international transfer risk assessment.
Similarly, businesses with operations in the EU have been considering the implementation of the New EU SCCs: please click here for our client alert on this. For groups which have both EU and UK companies transferring data to third countries such as the United States, this further complicates the matrix of documentation they have to work with.
Separately, recent announcements from the UK Culture Secretary in relation to potential modifications to the UK GDPR (specifically with a view to reducing the incidence of 'cookie banners') suggests that the UK is looking to spread its wings as to the operation of the autonomous UK GDPR. Whether such proposals can be taken forward without jeopardising the EU's position on the UK's adequacy remains to be seen.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.