On 11 August, the UK Information Commissioner's Office launched a consultation paper on "International transfers under UK GDPR". The documents released alongside the paper include a draft International Data Transfer Agreement (a.k.a the "UK SCCs"), a UK Addendum to the European Commission's new Standard Contractual Clauses, and a Transfer Risk Assessment tool. The consultation has been highly anticipated and will allow organisations engaged in UK and EU outbound data flows to begin to plan how their compliance framework can accommodate both the UK and EU legal regimes.
On 11 August, the UK Information Commissioner's Office ("ICO") launched a consultation on protecting personal data when it is transferred outside of the UK. The documents released for consultation include a draft International Data Transfer Agreement ("UK SCCs"), a UK Addendum to the recently updated EU Standard Contractual Clauses ("EU SCCs"), and a Transfer Risk Assessment tool.
Background to the consultation
Since 1 January 2021, the UK has operated its own data protection regime, independent from that of the EU. Ahead of this, the UK government launched its National Data Strategy in 2020, identifying "Championing the international flow of data" as one of its five priority areas for action.
This consultation is the first step in progressing this priority area and the most significant proposed development in the UK's data protection laws since Brexit. The consultation also contains highly anticipated draft guidance for organisations on the measures they will need to put in place to lawfully transfer personal data to third countries for the purposes of the UK GDPR.
The need for the UK SCCs and related guidance is pressing. The European Commission recently adopted new, replacement EU SCCs, which the ICO has confirmed are not valid for transfers from the UK to third countries. The SCCs issued under the repealed Data Protection Directive (96/46/EC) (the "Directive SCCs") can no longer be used in the EU from 27 September 2021. As far as using the Directive SCCs in the UK is concerned, the consultation indicates that the Directive SCCs will be withdrawn from use for new agreements 3 months after the end of the 40-day period that follows the UK SCCs being placed before Parliament, with a 24 month repapering requirement also starting from that time.
What you need to know
Significant points arising from the consultation to be aware of are:
1. Transfer Risk Assessment Tool and Guidance: Despite Brexit, the legacy of the Schrems II judgment means that carrying out a risk assessment is required when relying on standard contractual clauses or any other Article 46 UK GDPR transfer tool (see https://www.bclplaw.com/en-GB/insights/eu-us-data-transfers-dealt-a-setback-privacy-shield-struck-down-by-eus-highest-court-and-sccs-subject-to-more-scrutiny.html). The consultation helpfully includes a template Transfer Risk Assessment tool (the "TRA") that can be used for this purpose. The ICO recognises that such risk assessments may be difficult to complete and emphasises that organisations are not required to carry out diligence to the same extent that the government would when making adequacy regulations. They should instead focus on whether the UK and the destination country "share certain key principles...such as a respect for the rule of law".
The TRA directs an organisation to consider the risk to data subjects in the event that the transfer tool (such as UK SCCs in future or BCRs) relied on by the organisation fails to provide the "right level" of protection in the particular circumstances of the transfer. The TRA therefore provides a mechanism to consider whether the transfer tool would be enforceable in the third country in question, and whether the laws and practices of that third country place sufficient safeguards around the access to personal data by third parties. The tool also provides detailed guidance on how to assess the level of risk to data subjects, as well as examples of measures that can be implemented to provide additional protections for personal data transferred.
The guidance accompanying the TRA makes clear that the level of protection does not need to be identical to that under the UK GDPR, but should be "sufficiently similar" so as not to undermine the protections under that legislation. In carrying out their assessment, organisations are encouraged to look at publicly available sources such as those issued by the Foreign, Commonwealth and Development Office, and information provided by data importers (e.g. service providers). The ICO notes that, in line with its Regulatory Action Policy, if an organisation can show that it has used "best efforts" in completing its assessment, this will be taken into account "if it later turns out that [the organisation's] decisions were not correct."
While organisations are required to carry out a risk assessment, the TRA tool provided by the ICO is not intended to be a mandatory document. Where organisations have carried out assessments for the purposes of transfers conducted under the EU GDPR, it is not envisaged that they would necessarily have to be repeated provided that they meet the requirements established by Schrems II.
2. International Data Transfer Agreement: The draft International Data Transfer Agreement (or "UK SCCs" in this article) is a UK-specific template contract for parties to enter into when making restricted transfers of personal data. It will take the place of the old EU SCCs that UK organisations have historically been able to rely on (although note that there is also a UK Addendum to the new EU SCCs, discussed below). The UK SCCs and the TRA are designed to be used together and the draft document is split into four parts:
a) Part one contains four tables in which key details of the relevant transfer are to be set out, including the details of the parties, the details of the transfer (including the laws that apply to each party), the data that is subject to transfer, and the security measures implemented for the transfer.
b) Part two provides for extra protection clauses to be added based on the outcome of the TRA.
c) Part three allows the parties to introduce commercial clauses, if they wish to do so, provided that they do not reduce the level of protection provided for by the International Data Transfer Agreement (the "IDTA") overall.
d) Part four contains mandatory clauses which will be binding on each party, and in effect establish a level of protection for transferred personal data.
3. UK Addendum to the EU SCCs: A UK Addendum to the EU Commission Standard Contractual Clauses ("Addendum") has also been published. There is no guidance accompanying the document; however, it appears intended to be entered into by parties which have already entered into the EU SCCs, thereby reducing the need for parties to enter into both the EU SCCs and the full UK SCCs. If adopted, this would be a welcome development for exporters with activities in both the EU and the UK. Since use of the EU SCCs will be mandatory for all new contracts covering EU outbound transfers from 27 September 2021, and the date on which the UK SCCs will be finalised is unknown but seems unlikely to be before November 2021, the Addendum could be a helpful and popular tool for UK exporters looking to bridge that time lag. The consultation also seeks views on whether addenda to fit with other international standard contractual clauses, such as those authorised by New Zealand, would be helpful.
While it would not appear prudent to put in place the UK SCCs or the Addendum until the documents have been finalised and formally adopted, this is no reason to delay carrying out a risk assessment, particularly in relation to high-value data flows or those involving sensitive data types. UK organisations carrying out international data transfers may well consider the TRA a helpful framework for such a transfer risk assessment.
An initial impression from the tone of the documents is that the UK is looking for ways of supporting organisations to facilitate transfers - more "glass half full" rather than the EU "glass half empty" approach. In this respect, and when adopting any adequacy regulations in respect of third countries, the UK will need to tread carefully so as not to endanger its freshly minted adequacy decision from the European Commission.
The consultation will run until 7 October 2021.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.