The UK Information Commissioner's Office (ICO) has launched a public consultation on its proposals for an international data transfer agreement (IDTA), which is, as a post-Brexit change, intended to replace EU Standard Contractual Clauses (SCCs) as a safeguard between parties transferring personal data from the UK to countries not covered by adequacy decisions recognised by the UK.
These proposed measures will not affect transfers from the UK to EEA countries or Andorra, Argentina, Canada (commercial companies only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan (private sector companies only), Jersey, New Zealand, Switzerland and Uruguay, which are subject to EU adequacy decisions recognised by the UK. SCCs have typically been used as a contractual safeguard for transfers of personal data from the UK/EU to many jurisdictions, including the USA, India and China. While the EU has itself recently published new SCCs under the EU General Data Protection Regulation (GDPR), these are not valid for transfers of personal data from the UK in light of the UK’s departure from the EU.
The ICO’s consultation on the IDTA remains open until 7 October 2021. The consultation also includes a precedent UK transfer risk assessment (TRA) and a template addendum to the new EU SCCs intended to simplify contract documentation for companies making both UK and EU transfers. These are explained further below. There is also useful guidance for international data transfers from the UK.
We expect the ICO to finalise the form of IDTA and associated TRA guidance early next year.
In the meantime, companies transferring personal data from the UK in a way which requires a contractual safeguard will need to use the old EU SCCs – the ICO has helpfully provided a version of this to facilitate its use for UK transfers, which is available here. Before relying on an appropriate safeguard, companies must undertake a transfer impact assessment to ensure that the data subjects of transferred data continue to benefit from a level of protection equivalent to that under the UK data protection regime. This assessment considers the protections contained in that appropriate safeguard and the legal framework of the destination country.
If the company determines that the appropriate safeguard does not alone provide the necessary level of protection, it is permitted to include additional measures which may collectively suffice to ensure that the transfer could go ahead, for example, additional contractual, technical and organisational measures. The ICO has stated it will issue guidance on this topic in due course.
The IDTA is proposed as an adequate contractual safeguard to be used by companies under the UK GDPR and consists of the following elements:
The ICO has welcomed feedback on the draft IDTA, to ascertain whether it is clear how the IDTA should be used in conjunction with the TRA (explained below) and whether it is preferable to the modular approach adopted by the new EU SCCs.
The ICO has released a draft template addendum to the new EU SCCs. Used alongside the new EU SCCs, the addendum amends them so that they can be used for UK data transfers instead of the IDTA. If the addendum is approved, companies which are subject to both the EU and UK GDPR will not need to implement separate transfer agreements for restricted transfers from the UK and the EU, which should serve as a helpful saving of time and resource. This would be an extremely welcome approach, to assist in simplifying transfer documentation.
To assist companies in making routine transfers, the ICO has released a draft TRA tool. However, companies are also permitted to use their own risk assessment methods. The TRA comprises three stages:
The guidance for international transfers from the UK poses various questions to respondents, relating to the transfer of personal data along with wider questions relating to the scope of the UK GDPR. It asks when a relevant transfer is considered to have taken place, allowing respondents to select different options depending on how they interpret the UK GDPR. A key point to note in the guidance is that the ICO intends to update its current position, which is that a transfer to an entity already directly subject to the UK GDPR by virtue of Article 3(2) does not form a restricted transfer. The update would reflect that such a transfer occurs whenever the exporter is subject to the UK GDPR (whether they are located in the UK or overseas) and the importer is located outside of the UK.
Once the consultation has closed, the consultation documents will be finalised by the ICO before the proposals are laid before Parliament. If approved, the IDTA should come into force 40 days after its submission. Three months after the IDTA comes into force, companies will no longer be able to use the old EU SCCs for restricted transfers and, 21 months after this, companies will need to have replaced all old EU SCCs with the IDTA for ongoing transfers. This allows companies three months to implement new safeguards for transfers before they must adopt the ICO’s model and 24 months overall to remove all use of the old EU SCCs.
This article has been co-written by Grace Lymer-Sullivan, associate - IP, IT and commercial.