What is new for international data transfers?

28 September, 2021

Following the decision in the Schrems II case in July 2020, the EU’s Standard Contractual Clauses (SCCs) have been subject to review both in the EU and in the UK.

 

New EU Standard Contractual Clauses

The European Commission has released a new set of SCCs to cover the transfer of personal data from the EU to “third countries” such as the US (see: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en). These new SCCs will repeal and replace the existing SCCs which date from 2001, 2004 and 2010.

The new SCCs reflect the GDPR requirements and place significant obligations on data importers, particularly importers acting as controllers. They also include the Article 28 GDPR processor terms, addressing a gap in the existing SCCs.

The new SCCs are drafted on a modular basis allowing for the following types of transfers (the last two of which were not covered by the existing SCCs):

  • controller-to-controller
  • controller-to-processor
  • processor-to-processor
  • processor-to-controller.

The new SCCs should be used for any new transfers from the EU and EU businesses relying on the existing SCCs should replace them with the new version by the end of 2022. However, UK businesses should continue to use the old SCCs until the new IDTA / UK SCC Addendum (referred to below) comes into force because the UK was no longer in the EU when the new SCCs were adopted.

 

UK International Data Transfer Agreement

Following the release of the new EU SCCs, the Information Commissioner’s Office (ICO) has produced a draft set of UK-specific standard contractual clauses for restricted transfers from the UK. These UK SCCs are being referred to by the ICO as the international data transfer agreement (IDTA) and the ICO has launched a public consultation on the IDTA and related guidance (see: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-data-transferred-outside-of-the-uk/). This consultation covers the following three aspects:

  • Proposal and plans for updates to guidance on international transfers.
  • Transfer risk assessments.
  • The IDTA.

The consultation will remain open until 5pm on 7 October 2021.

The IDTA can be used for many different transfer situations. In addition to allowing for the four transfer situations covered by the EU’s new SCCs as set out above, the IDTA also allows for transfers to other processors or controllers who may be unconnected (provided that this is on the instruction of the controller).

The IDTA is drafted using a ‘plain English’ approach and is divided into four parts:

  • Part one – Tables: including the parties, transfer details and signatures.
  • Part two – Extra Protection Clauses: This contains optional space for extra protection clauses to be added if the Transfer Risk Assessment identifies that additional measures are needed.
  • Part three – Commercial Clauses: This contains optional space for commercial clauses if the IDTA is not accompanied by a separate commercial agreement.
  • Part four – Mandatory Clauses: This contains the mandatory clauses and is the main body of the document.

As expected, given that both documents reflect the same GDPR requirements, the substance of the IDTA is largely similar to the new EU SCCs in terms of the concepts and commitments. The most notable differences between the two documents are:

  • The IDTA expressly allows for the existence of a separate commercial agreement between the parties and allows the parties to incorporate provisions of that commercial agreement (referred to in the IDTA as a ‘Linked Agreement’) by reference.
  • The IDTA allows the parties to negotiate their own audit provisions in a Linked Agreement and the IDTA audit provisions will only apply in the absence of such separately negotiated provisions.

 

UK Addendum to the EU Commission Standard Contractual Clauses

In addition to the draft IDTA, the ICO’s consultation also includes a draft Addendum to the EU SCCs. This UK SCC Addendum allows UK businesses to use the new SCCs provided they are accompanied by the UK-specific addendum. This is good news for international businesses which will be keen to avoid having to use completely different documents for transfers of data from the UK and the EU. Instead they can use the new EU SCCs and UK SCC Addendum to cover all restricted transfers whether from the UK or the EU. 

The existence of this draft UK SCC Addendum raises the question as to whether the IDTA will actually be used in practice.

 

Schrems II – Transfer Risk Assessments

In response to the decision in the Schrems II case and the EDPB’s recommendations, the new EU SCCs require the parties to warrant that they have no reason to believe that the laws and practices in the destination country prevent the importer from fulfilling its obligations under the new SCCs and also require the parties to assess transfer risks, including those specific to the destination country.

Similar transfer risk assessments (TRAs) are required for restricted transfers of data from the UK and the ICO’s consultation includes a draft TRA tool and related guidance which is intended to make it easier for businesses to understand the extent of their obligations when considering making international transfers of personal data (see: https://ico.org.uk/media/about-the-ico/consultations/2620397/intl-transfer-risk-assessment-tool-20210804.pdf). 

 

Data transfers between the UK and EU

SCCs are not required for the transfer of personal data between the UK and the EU as a result of the EU Commission adopting decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED) in June 2021. In both cases, the European Commission found the UK to be adequate, meaning that most data can continue to flow between the UK and the EU without the need for additional safeguards. The adequacy decisions do not cover data transferred to the UK for the purposes of immigration control, or where the UK immigration exemption applies. For this kind of data, different rules apply and the EEA sender needs to put other transfer safeguards in place.