What steps are being proposed by the UK’s ICO to protect personal data being transferred outside the UK?

The key takeaway

The ICO has published new plans for a framework to replace the EU’s SCCs post-Brexit. The proposals include some significant changes to the SCCs, in particular under its new draft international data transfer agreement (IDTA). All organisations involved in the transfer of data outside the UK should read them carefully.

The background

The ICO is calling for views on its draft international data transfer agreement (IDTA) which will replace the SCCs for personal data transfers outside the UK, and form part of the framework to assist organisations in complying with data protection law.

Following the decision in Schrems II last year, the EU released an updated version of the SCCs in June 2021. However post-Brexit, these updated SCCs will not apply to the UK GDPR. The ICO is therefore seeking to publish its own UK version of the SCCs to make sure they conform with Schrems II, which forms part of retained EU law under the withdrawal agreement.

The development

The consultation was launched in August this year and seeks opinions from stakeholders on the ICOs proposals covering three topics:

  • updated guidance on international data transfers
  • the draft Transfer Risk Assessment (TRA)
  • the draft IDTA.

The draft guidance on data transfers primarily concerns the interpretation of Article 3 and Chapter V of the UK GDPR. The ICO is asking interested parties to provide their views on how they interpret these provisions.

The draft TRA sets out measures to evaluate the risks associated with transfers to third countries in order to determine whether the relevant transfer mechanism can be relied on. The ICO’s TRA seems to closely align with the guidance put out by the European Data Protection Board following Schrems II.

The most significant part of the consultation is the IDTA. The ICO has adopted a different structure from the new EU SCCs, which are modular. The IDTA has a tabular format, with most clauses applying to all transfers of data irrespective of whether they involve processors or controllers. There are four parts to the IDTA:

  • tables which will be filled out for each transfer
  • additional protection clauses, to be filled out if the TRA identifies that the transfer mechanism requires additional safeguards
  • mandatory clauses to be adopted in their entirety, and
  • commercial clauses, which parties can include as an option.

In terms of substance, there are relatively few differences between the IDTA and the SCCs, which is not surprising as the IDTA will also need to incorporate GDPR requirements.

The consultation also proposes an option for the new EU SCCs to be used instead of the IDTA by incorporating a UK addendum. This draft addendum is designed to allow parties transferring EU personal data to insert a section to cover transfers made under the UK GDPR, meaning a smaller administrative burden.

Why is this important?

Although the IDTA and TRA are currently in draft form, the outcome of the consultation will impact anyone who transfers personal data from the UK overseas or provides services or contracts with UK organisations. The inclusion of proposals like the UK addendum suggest that the ICO is alive to the potential challenges of having a different system to the SCCs, especially for businesses that regularly transfer data between the EEA and the UK. However, the fact that the ICO is proposing new acronyms for its transfer documentation shows just how keen the ICO is to create some clear water between UK and the EU’s approach to international data compliance.

Any practical tips?

The SCCs have been in place for some time, and organisations are likely to have developed processes based on their use. Any stakeholder that will be affected by a significant departure from the SCCs should consider responding to the consultation with views on how the IDTA will impact their business.