Insights

The ICO consults on international data transfers post-Brexit

(Part 1 – UK SCCs)

In August, the ICO launched a consultation on how organisations can continue to protect personal data when it is transferred outside of the United Kingdom.

This consultation by the ICO has been eagerly anticipated, after the European Commission approved the final text of the Standard Contractual Clauses on 4 June 2021.

The ICO has issued the following documents for consultation:

  1. International data transfer agreement (the UK’s version of the “standard contractual clauses” (SCCs) anticipated by GDPR).
  2. International transfer risk assessment tool.
  3. A wider consultation on transfers generally – to cover a number of issues (some of which have been troubling for a while). As part of this there is also a draft UK Addendum to the EU Commission SCCs which will allow an exporter and importer to use the EU SCCs with amendments to make them appropriate in a UK context.

The ICO has invited responses to the consultation by 5PM on 7 October 2021.

This is the first of a series of three blogs covering these separate aspects of the consultation.

Use, Structure, Style of the UK SCCs

The first thing to note is that the ICO has avoided use of the term “SCC” and has called the clauses an “international data transfer agreement” (IDTA), presumably as a marker to show that it is not following the EU.

Like the EU SCCs, the IDTA can be used for many different transfer situations and indeed rather than the four envisaged by the EU document, there is even greater flexibility (for example, the EU SCCs do not have scope for use in a SP2P transfer, but the UK IDTA allows that).

There are some notable differences in the look of the documents:

  • The UK IDTA has attempted to adopt a “plain English” approach, which is similar in approach to most ICO guidance. It is certainly more readable, but this is such a technical issue that it is perhaps unrealistic to expect that these are going to be used by anyone other than sophisticated businesses or professionals.
  • As is well known, the EU SCCs have adopted a modular approach. The UK SCCs adopt a structure where almost all the clauses apply to all transfers (no matter if C2C or C2P or whatever), but (remarkably) few clauses are specifically stated to apply to certain circumstances only. The most prominent example is the imposition of the GDPR data protection principles (of course) on controllers only. This does make for a nicer “read” (even if of little tangible benefit).
  • The UK IDTA has “tables” at the front; rather than “annexes” at the back!
  • More generally, the UK IDTA is divided into four parts:
    • Part one: “Tables”, including parties and signatures and transfer details.
    • Part two: optional space for extra protection clauses (table format) – if the Transfer Risk Assessment identified supplementary measures as needed.
    • Part three: optional space for commercial clauses (table format) – if there is no accompanying commercial agreement.
    • Part four: mandatory clauses – the real meat of the document.
  • The structure also includes an introductory section explaining how the clauses are to be used, together with a suite of FAQs, which go into a relative amount of detail. The ICO’s FAQs are very helpful and, again, are drafted in “plain English”, which will be very helpful for the less experienced user.

Substance

In terms of substance, there is remarkably little difference between the UK document and the EU’s. The language, style and structure may not be identical, but the concepts and commitments remain largely the same. This is not surprising of course, as by law the protection that should be obtained by the UK document has to reflect GDPR requirements – namely, those set out in Chapter V (especially, Article 45’s requirement that the clauses, in common with other transfer mechanisms, must “ensure that the level of protection of natural persons guaranteed by [UK GDPR] is not undermined”).

Some of the key features we have identified are set out by our colleagues at European law firm, Fieldfisher, in this table: UK IDTA v EU SCC comparison table.

The most notable departures are:

  • There is express recognition of the existence of a parallel commercial agreement (which is almost inevitably the case). More useful is the recognition that some of the detail needed to populate the IDTA (in the Tables) can be found in that document (called the “Linked Agreement”).
  • It is interesting to note that the ICO are considering introducing an alternative dispute resolution mechanism, namely arbitration. The arbitration scheme rules have not yet been set out, but it will be interesting to see how these are developed. The ICO have stated that it may be a faster means of resolving issues surrounding international transfers of personal data.
  • A recognition in the UK that audit provisions can be negotiated in the commercial agreement and those will apply: the audit provision in the IDTA applies only if the Linked Agreement does not have any audit mechanism. (Physical inspection is therefore not mandatory!)
  • The UK have mandated that the (Schrems inspired) Transfer Risk Assessment be (formally?) reviewed no less than annually. This is in contrast to the EU SCCs’ approach of obliging the parties to be aware of any changes to law/regulation/practice that might affect the transfer.

Will they be used?

The key question is whether these will be used in practice. Seasoned practitioners may well feel that as they are so familiar (already!) with the EU SCCs that they may not wish to get to grips with yet another document. This is especially the case if, as expected given the document issued for consultation, the UK will allow use of the EU SCCs for extra-UK transfers alongside a UK-specific addendum. That, coupled with the need for global businesses to try and contract in a uniform manner, suggests that take-up would be very low indeed, especially given that the substantive differences really are minimal. Perhaps UK government departments and agencies may feel compelled (or pressured) to use the UK form of document.

So, what next?

At present, for international transfers of personal data from the UK, the older EU SCCs should continue to be used. Once the ICO has concluded the consultation, it will need to digest the responses and ultimately produce a final version of the documents. These are to be laid before the UK parliament and if parliament doesn’t object will have legal effect after 40 days.

The UK is envisaging a two-tier transitional period (as the EU did): a period of three months in which the current SCCs (the older EU SCCs) can be used for new deals, plus an additional 21 months in which existing transfers can carry on without the need for replacement.

The ICO consultation is open until 7 October 2021 and it is keen to hear views from stakeholders. Given that in these draft proposals the ICO has taken steps to think differently and has introduced new concepts, or more flexible ways of managing international transfers, it is important that stakeholders respond to the consultation and feed back any comments, concerns or queries.
