On Aug. 11, the U.K. Information Commissioner's Office launched a consultation on data transfers. The consultation is relevant to anyone who transfers personal data from the U.K. or who provides services to U.K. organizations. The consultation asks whether it would be helpful for the ICO to approve an addendum, allowing the EU standard contractual clauses to be used for transfers of personal data from the U.K. Even if organizations have no comments on the ICO's other points, this point alone is important enough to warrant a response to the consultation.

In addition, the consultation proposes: 1) the ICO will terminate the (current, temporary) approval of the 2001, 2004 and 2010 SCCs; 2) a new, U.K.-specific International Data Transfer Agreement; 3) an accompanying Transfer Risk Assessment; and 4) changes to existing U.K. guidance on data transfers.

The deadline for responding is 5 p.m. GMT+1, Oct. 7.

Will we be able to use the new EU SCCs for data transfers from the UK?

Probably, yes — but read the small print.

The ICO is considering issuing an international data transfer agreement in the form of a “U.K. addendum” to data transfer agreements issued by other countries or regions. This could be used for the EU SCCs or for other data transfer agreements (such as the New Zealand or Association of Southeast Asian Nations agreements). The consultation asks what the value of this approach would be to organizations.

As an example of how this could be done, the consultation includes a draft addendum to the EU SCCs. This modifies parts of the EU SCCs that refer to EU or member state law or to EU or member state institutions so the clauses can be used for data transfers from the U.K. The addendum is short, clear and flexible, allowing its terms to be modified so long as appropriate safeguards are maintained. Accordingly, there should be scope to alter the drafting of parts of the addendum if needed. There is also flexibility as to how the addendum can be executed.

At the moment, the EU SCCs cannot be used in the U.K. As a result, organizations trying to prepare new vendor, customer or intra-group data transfer agreements for data transfers are having to prepare alternative forms of language for the EU and for the U.K. This imposes additional cost and complexity on organizations doing business in or with the U.K., so it is important for readers to respond to the consultation to say this would be of value. 

So we can’t just use the exact EU SCCs for UK data transfers without amendment?

No. The EU SCCs will only be permitted for use for U.K. data transfers if they are amended. Organizations should note there will also be some timing complexity here.

From Sept. 27, the EU SCCs must be used for new trans-border data flows from the EU. From that date, the previous SCCs, approved in 2001, 2004 and 2010 (we'll call them the old SCCs) can no longer be used for new data flows. However, the EU SCCs cannot be used in the U.K. Even if the ICO does approve and issue an addendum that modifies the EU SCCs for use in the U.K., this will not be effective until very late in 2021 or, more likely, 2022. Accordingly, organizations will have to have two different data transfer agreements for the EU and the U.K. — but they may later be able to use the EU SCCs, with a U.K. addendum for U.K. data transfers.

If you'd like more details, see the postscript at the end of this article that explains the interaction of EU and U.K. law on this point.

Can we just keep the old SCCs in place for UK data transfers?

No.

The old SCCs do not take account of all the provisions in the EU General Data Protection Regulation or of "Schrems II," so the U.K. cannot accept that these provide appropriate safeguards for personal data in the long term. The consultation proposes the old SCCs should be replaced. This will be linked to the date of approval of new U.K. data transfer arrangements. The consultation proposes the old SCCs should cease to be used:

  • For new trans-border data flows, three months and 40 days after the new U.K. international data transfer agreement (this would be the U.K. addendum to other agreements and the U.K.-specific international data transfer agreement) is laid before Parliament.
  • For existing trans-border data flows, 21 months after the date above.

What is the UK-specific international data transfer agreement?

The ICO drafted a bespoke U.K. international data transfer agreement and asks for feedback on this. Here are some key features of the IDTA.

  • It is easy to use:
    • There are tables at the beginning of the agreement that allow the parties to specify all the “variables” of the agreement, such as details of the parties, the personal data being transferred, the purposes of the transfer, etcetera. This tabular approach is likely to make the IDTA easy for procurement departments to use.
    • It is a one-size-fits-all agreement. Unlike the modular structure of the EU SCCs, the IDTA is just one agreement, which can be signed as is. Some clauses state they apply to everyone; others say they do not apply if the importer is a processor, etcetera. This is clearly set out in the IDTA itself; there is no need for the parties to cut and paste text to create an agreement (although the ICO makes clear they can do so if they prefer).
  • It fills in some of the gaps in the EU SCCs:
    • It can be used even if the importer is directly subject to the U.K. GDPR. In this situation, the sections of the IDTA that contain UK-GDPR obligations (for example, data subject rights) are disapplied because they apply automatically to the importer.
    • It covers more scenarios: transfers from a processor to a recipient that is not a sub-processor or its instructing controller, and transfers between joint controllers.
  • It is more flexible:
    • The mandatory clauses cannot be changed, but parties are free to edit the tabular structure and delete sections irrelevant to them. Parties can also make the agreement multiparty if they want and can nominate one party to make decisions on everyone’s behalf. The IDTA also recognizes parties may have linked agreements (a master service agreement or data processing agreement) and parties can cross-reference this.

So what are the downsides? It’s a little early to say. We need to try to draft around the IDTA to be sure. However, two immediate points should be noted: 1) The IDTA says its provisions and the associated transfer risk assessment should be reviewed annually – which could be excessive for low-risk transfers; and 2) for controller-to-controller transfers, data subject rights are extended to include an obligation to comply with “any reasonable request” of the data subject.

There’s a precedent Transfer Risk Assessment

This is designed for use alongside the IDTA, although the consultation states it’s not mandatory to use this form of TRA. The consultation says the TRA is intended to be used for relatively routine risk assessments and a more detailed TRA may be needed for complex or high-risk processing, or transfers to a country with a poor human rights record.

There is a lot that is good about the draft TRA:

  • It makes clear that exporters don’t have to look for identical legal systems and that diversity in approach is to be welcomed; it also states there can be a legitimate place for laws regulating surveillance and countries with no laws addressing this may, in fact, raise greater concerns than countries with laws, as this may suggest a lack of safeguards.
  • It contains useful examples of what may be regarded as low, medium and high risk.
  • It contains accessible scenarios, showing when transfers may be permitted, for example where there is a low likelihood of access to that data and, even if there were access to the data, the risk to data subjects would be low.
  • It takes a more holistic approach to assessing risk — not just considering risks from public authority access, but from the enforceability of the data transfer agreement per se, for example because of difficulties in enforcing judgments or because of lengthy delays in obtaining justice or corruption.
  • The ICO accepts that conducting a TRA can be challenging. The draft guidance states that if an organization can show it used best efforts to complete the TRA but the analysis turns out to be incorrect, the ICO will take this into account in any regulatory action. Indeed, the ICO states it will do this when a transfer impact assessment is carried out, even if it is not in the ICO-suggested format.

However, it is 49 pages long, which will make it difficult to access for small and medium enterprises. It would be more accessible if the ICO (or others) took the content and turned it into an interactive tool.

The ICO is open about areas of uncertainty and explores the pros and cons of changing its guidance

In the first part of the consultation, the ICO explains certain key areas where it is considering whether or not to issue new guidance, or to alter the approach taken in existing guidance. This affects territorial scope of U.K. data protection law, the meaning of a restricted transfer and approach to derogations.

On territorial scope:

  • The ICO asks whether it should issue guidance stating any processor of a U.K.-established controller is, itself, automatically directly subject to the U.K. GDPR.
    • This would have rather bizarre outcomes — such a processor would not need to appoint a representative, as this only applies where GDPR has extra-territorial scope pursuant to Art.3(2) — so U.K. legislation would be applicable, in theory, but without the mechanisms provided by the GDPR to assist with enforcement in this situation.
    • This also seems unnecessary, as most of the obligations which would apply to the processor under U.K. data protection law would be imposed through the data processing agreement in any event.
  • The ICO also asks whether, if one joint controller is established in the U.K., this would automatically mean U.K. data protection legislation would apply to the other joint controllers.

On data transfers, the ICO suggests:

  • There is only a “transfer” if personal data is transferred from one entity to another. The result of this is that a transfer of data by a branch in the U.K. to the mother organization is not to be regarded as a data transfer. The ICO states this view reflects the language in Article 44 and Article 46 but does not parse out the language to substantiate this point. We see no reason why these articles should be interpreted in this way.
  • There is no “transfer” if a processor returns data to, or at the direction of, its instructing controller. 
  • The ICO may rethink its view that there is no “restricted” transfer (and hence no need for safeguards) if there is a transfer of data to an importer to whom U.K. data protection legislation applies on an extraterritorial basis.

On derogations, the ICO asks:

  • If these should be applied where the transfer is “necessary” to achieve the derogation or only where it is “strictly necessary.”
  • For views on the provisions in Article 49 and Recital 111, which restrict certain of the derogations to transfers which are “occasional” or not “repetitive.”
  • It also suggests it may be possible to combine derogations and Article 46 safeguards, thus finding a middle way between SCCs and consent. There is a significant risk that, in situations where transfers have to take place (e.g. to conclude a communication service or to transfer funds overseas), exporters will conclude there is no point in trying to use SCCs and the only way of addressing the transfer is to rely on data subject consent. If the legal and political situation is too complex for governments, regulators and sophisticated multinationals to solve, pushing the problem to “consent” by the data subject cannot be a good outcome. Additionally, the ICO’s suggestion that SCCs should still be used to provide better protection for individuals in many situations, together with consent to provide a robust legal solution, is a welcome attempt to move the debate forward.

ICO is open to a debate on difficult issues

It will be apparent to readers from the points above that the ICO is tackling difficult and controversial topics — and some of these are topics where guidance has been expected from the European Data Protection Board for a significant period. The ICO is doing this in an open manner. On these difficult topics, the guidance explains what the ICO thinks the strengths and weaknesses of the various options are (both from a black-letter-law and a policy perspective). The ICO explains what its preliminary view is and asks for feedback. It has also taken considerable efforts to do all of this in plain English, making the documents accessible and easy to read. It deserves significant credit for this, as well as for the substantive quality of the documents. The post-Brexit ICO is open to new ideas and has the self-assurance and confidence to debate points openly. The contrast to the approach to consultation taken by the EDPB is striking. 

Postscript: How do the EU rules and the U.K. rules fit together?

As readers will be aware, on June 4 the European Commission adopted new SCCs that can be used to provide appropriate safeguards for personal data transferred from the EU. The EU SCCs will replace the SCCs that were adopted by the commission under the old, 1995 Data Protection Directive, in 2001, 2004 and 2010. At the moment, organizations can use either the new SCCs or the old SCCs to provide adequate safeguards for transfers of personal data from the EU.

However, from Sept. 27 onward, parties can only use the new SCCs for new trans-border data flows. For existing trans-border data flows, parties have until Dec. 27, 2022, to replace old SCCs with new SCCs. Many readers will be busy preparing new agreements for use with customers, vendors, or intra-groups as a result.

U.K. data protection legislation references appropriate safeguards for personal data that were in force as at the moment Brexit took place (11 p.m. GMT on Dec. 31, 2020). Accordingly, at the moment, U.K. legislation only recognizes the old SCCs and not the EU SCCs.
