News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | FAQs for UK ICO's data transfer consultation – including approach to EU SCCs Related reading: European Commission publishes proposed replacement SCCs

rss_feed

On Aug. 11, the U.K. Information Commissioner's Office launched a consultation on data transfers. The consultation is relevant to anyone who transfers personal data from the U.K. or who provides services to U.K. organizations. The consultation asks whether it would be helpful for the ICO to approve an addendum, allowing the EU standard contractual clauses to be used for transfers of personal data from the U.K. Even if organizations have no comments on the ICO's other points, this point alone is important enough to warrant a response to the consultation.

In addition the consultation proposes: 1) The ICO will terminate the (current, temporary) approval of the 2001, 2004 and 2010 SCCs; 2) a new, U.K.-specific International Data Transfer Agreement; 3) an accompanying Transfer Risk Assessment; and 4) changes to existing U.K. guidance on data transfers.

The deadline for responding is 5 p.m. GMT+1, Oct. 7.

Will we be able to use the new EU SCCs for data transfers from the UK?

Probably, yes — but read the small print.

The ICO is considering issuing an international data transfer agreement in the form of a “U.K. addendum” to data transfer agreements issued by other countries or regions. This could be used for the EU SCCs or for other data transfer agreements (such as the New Zealand or Association of Southeast Asian Nations agreements). The consultation asks what the value of this approach would be to organizations.

As an example of how this could be done, the consultation includes a draft addendum to the EU SCCs. This modifies parts of the EU SCCs that refer to EU or member state law or to EU or member state institutions so the clauses can be used for data transfers from the U.K. The addendum is short, clear and flexible. allowing its terms to be modified so long as appropriate safeguards are maintained. Accordingly, there should be scope to alter the drafting of parts of the addendum if needed. There is also flexibility as to how the addendum can be executed.

At the moment, the EU SCCs cannot be used in the U.K. As a result, organizations trying to prepare new vendor, customer or intra-group data transfer agreements for data transfers are having to prepare alternative forms of language for the EU and for the U.K. This imposes additional cost and complexity on organizations doing business in or with the U.K., so it is important for readers to respond to the consultation to say this would be of value. 

So we can’t just use the exact EU SCCs for UK data transfers without amendment?

No. The EU SCCs will only be permitted for use for U.K. data transfers if they are amended. Organizations should note there will also be some timing complexity here.

From Sept. 27, the EU SCCs must be used for new trans-border data flows from the EU. From that date, the previous SCCs, approved in 2001, 2004 and 2010 (we'll call them the old SCCs) can no longer be used for new data flows. However, the EU SCCs cannot be used in the U.K. Even if the ICO does approve and issue an addendum that modifies the EU SCCs for use in the U.K., this will not be effective until very late in 2021 or, more likely, 2022. Accordingly, organizations will have to have two different data transfer agreements for the EU and the U.K. — but they may later be able to use the EU SCCs, with a U.K. addendum for U.K. data transfers.

If you'd like more details, see the postscript at the end of this article that explains the interaction of EU and U.K. law on this point.

Can we just keep the old SCCs in place for UK data transfers?

No.

The old SCCs do not take account of all the provisions in the EU General Data Protection Regulation or of "Schrems II," so the U.K. cannot accept that these provide appropriate safeguards for personal data in the long term. The consultation proposes the old SCCs should be replaced. This will be linked to the date of approval of new U.K. data transfer arrangements. The consultation proposes the old SCCs should cease to be used:

  • For new trans-border data flows, three months and 40 days after the new U.K. international data transfer agreement (this would be the U.K. addendum to other agreements and the U.K.-specific international data transfer agreement) is laid before Parliament.
  • For existing trans-border data flows, 21 months after the date above.

What is the UK-specific international data transfer agreement?

The ICO drafted a bespoke U.K. international data transfer agreement and asks for feedback on this. Here are some key features of the IDTA.

  • It is easy to use:
    • There are tables at the beginning of the agreement that allow the parties to specify all the “variables” of the agreement, such as details of the parties, the personal data being transferred, the purposes of the transfer, etcetera. This tabular approach is likely to make the IDTA easy for procurement departments to use.
    • It is a one-size-fits-all agreement. Unlike the modular structure of the EU SCCs, the IDTA is just one agreement, which can be signed as is. Some clauses state they apply to everyone; others say they do not apply if the importer is a processor, etcetera. This is clearly set out in the IDTA itself; there is no need for the parties to cut and paste text to create an agreement (although the ICO makes clear they can do so if they prefer).
  • It fills in some of the gaps in the EU SCCs:
    • It can be used even if the importer is directly subject to the U.K. GDPR. In this situation, the sections of the IDTA that contain UK-GDPR obligations (for example, data subject rights) are disapplied because they apply automatically to the importer.
    • It covers more scenarios: transfers from a processor to a recipient that is not a sub-processor, or its instructing controller and transfers between joint controllers.
  • It is more flexible:
    • The mandatory clauses cannot be changed, but parties are free to edit the tabular structure and delete sections irrelevant to them. Parties can also make the agreement multiparty if they want and can nominate one party to make decisions on everyone’s behalf. The IDTA also recognizes parties may have linked agreements (a master service agreement or data processing agreement) and parties can cross-reference this.

So what are the downsides? It’s a little early to say. We need to try to draft around the IDTA to be sure. However, two immediate points should be noted: 1) The IDTA says its provisions and the associated transfer risk assessment should be reviewed annually – which could be excessive for low-risk transfers; and 2) for controller-to-controller transfers, data subject rights are extended to include an obligation to comply with “any reasonable request” of the data subject.

There’s a precedent Transfer Risk Assessment

This is designed for use alongside the IDTA, although the consultation states it’s not mandatory to use this form of TRA. The consultation says the TRA is intended to be used for relatively routine risk assessments and a more detailed TRA may be needed for complex or high-risk processing, or transfers to a country with a poor human rights record.

There is a lot that is good about the draft TRA:

  • It makes clear that exporters don’t have to look for identical legal systems and that diversity in approach is to be welcomed; it also states there can be a legitimate place for laws regulating surveillance and countries with no laws addressing this may, in fact, raise greater concerns with countries with laws, as this may suggest a lack of safeguards.
  • It contains useful examples of what may be regarded as low, medium and high risk.
  • It contains accessible scenarios, showing when transfers may be permitted. For example, where there is a low likelihood of access to that data and, even if there were access to the data, the risk to data subjects would be low.
  • It takes a more holistic approach to assessing risk — not just considering risks from public authority access, but from the enforceability of the data transfer agreement per se. For example, because of difficulties in enforcing judgments or because of lengthy delays in obtaining justice or corruption.
  • The ICO accepts that conducting a TRA can be challenging. The draft guidance states that if an organization can show it used best efforts to complete the TRA but the analysis turns out to be incorrect, the ICO will take this into account in any regulatory action. Indeed, the ICO states it will do this when a transfer impact assessment is carried out, even if it is not in the ICO-suggested format.

However, it is 49-pages long, which will make it difficult to access for small and medium enterprises. It would be more accessible if the ICO (or others) took the content and turned it into an interactive tool.

The ICO is open about areas of uncertainty and explores the pros and cons of changing its guidance

In the first part of the consultation, the ICO explains certain key areas where it is considering whether or not to issue new guidance, or to alter the approach taken in existing guidance. This affects territorial scope of U.K. data protection law, the meaning of a restricted transfer and approach to derogations.

On territorial scope:

  • The ICO asks whether it should issue guidance stating any processor of a U.K.-established controller is, itself, automatically directly subject to the U.K. GDPR.
    • This would have rather bizarre outcomes — such a processor would not need to appoint a representative, as this only applies where GDPR has extra-territorial scope pursuant to Art.3(2) — so U.K. legislation would be applicable, in theory, but without the mechanisms provided by the GDPR to assist with enforcement in this situation.
    • This also seems unnecessary, as most of the obligations which would apply to the processor under U.K. data protection law would be imposed through the data processing agreement in any event.
  • The ICO also asks if one joint controller is established in the U.K. it would automatically mean U.K. data protection legislation would apply to the other joint controllers.

On data transfers, the ICO suggests:

  • There is only a “transfer” if personal data is transferred from one entity to another. The result of this is a transfer of data by a branch in the U.K. to the mother organization is not to be regarded as a data transfer. The ICO states this view reflects the language in Article 44 and Article 46 but does not parse out the language to substantiate this point. We see no reason why these articles should be interpreted in this way.
  • There is no “transfer” if a processor returns data to, or at the direction of, its instructing controller. 
  • The ICO may rethink its view that there is no “restricted” transfer (and hence no need for safeguards) if there is a transfer of data to an importer to whom U.K. data protection legislation applies on an extraterritorial basis.

On derogations, the ICO asks:

  • If these should be applied where the transfer is “necessary” to achieve the derogation or only where it is “strictly necessary."
  • For views on the provisions in Article 49 and Recital 111, which restrict certain of the derogations to transfers which are “occasional” or not “repetitive.”
  • Suggests it may be possible to combine derogations and Article 46 safeguards, thus finding a middle way between SCCs and consent. There is a significant risk that, in situations where transfers have to take place (e.g. to conclude a communication service or to transfer funds overseas), exporters will conclude there is no point in trying to use SCCs and the only way of addressing the transfer is to rely on data subject consent. If the legal and political situation is too complex for governments, regulators and sophisticated multinationals to solve, pushing the problem to “consent” by the data subject cannot be a good outcome. Additionally, the ICO’s suggestion that SCCs should still be used to provide better protection for individuals in many situations, together with consent to provide a robust legal solution, is a welcome attempt to move the debate forward.

ICO is open to a debate on difficult issues

It will be apparent to readers from the points above that the ICO is tackling difficult and controversial topics — and some of these are topics where guidance has been expected from the European Data Protection Board for a significant period. The ICO is doing this in an open manner. On these difficult topics, the guidance explains what the ICO thinks the strengths and weaknesses of the various options are (both from a black-letter-law and a policy perspective). The ICO explains what its preliminary view is and asks for feedback. It has also taken considerable efforts to do all of this in plain English, making the documents accessible and easy to read. It deserves significant credit for this, as well as for the substantive quality of the documents. The post-Brexit ICO is open to new ideas and has the self-assurance and confidence to debate points openly. The contrast to the approach to consultation taken by the EDPB is striking. 

Postscript: How do the EU rules and the U.K. rules fit together?

As readers will be aware, on June 4 the European Commission adopted new SCCs that can be used to provide appropriate safeguards for personal data transferred from the EU. The EU SCCs will replace the SCCs that were adopted by the commission under the old, 1995 Data Protection Directive, in 2001, 2004 and 2010. At the moment, organizations can use either the new SCCs or the old SCCs to provide adequate safeguards for transfers of personal data from the EU.

However, from Sept. 27 onward, parties can only use the new SCCs for new trans-border data flows. For existing trans-border data flows, parties have until Dec. 27, 2022, to replace old SCCs with new SCCs. Many readers will be busy preparing new agreements for use with customers, vendors, or intra-groups as a result.

U.K. data protection legislation references appropriate safeguards for personal data that were in force as at the moment Brexit took place (11 p.m GMT. on Dec. 31, 2020). Accordingly, at the moment, U.K. legislation only recognizes the old SCCs and not the EU SCCs.

Photo by Rocco Dipoppa on Unsplash


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Author
Headshot Ruth Boardman IAPP Member Contributor
Tags
Europe
Enforcement
Privacy Law
Privacy Operations Management
Transborder Data Flow
Comments

If you want to comment on this post, you need to login.

Related Stories
Related Stories
Tags
Europe
Enforcement
Privacy Law
Privacy Operations Management
Transborder Data Flow
Recent Comments