UK publishes own set of Standard Contractual Clauses UK publishes own set of Standard Contractual Clauses
The UK Information Commissioner's Office (ICO) has launched a public consultation on its draft "UK Standard Contractual Clauses" and guidance for organizations on international data transfers. The ICO also provides a template addendum to the new EU Standard Contractual Clauses (EU SCCs).
The EU Commission just recently published the revised SCCs under the European General Data Protection Regulation (EU GDPR). Following Brexit, however, these updated SCCs do not apply in the UK, which is why the ICO must release its own set of SCCs under the applicable UK law (UK GDPR).
On 11 August 2021, the ICO launched a public consultation on its draft International Data Transfer Agreement (IDTA) and guidance for organizations with regard to international transfers.
Once finalized, the IDTA will be the UK equivalent of the EU standard contractual clauses and replaces the latter. The IDTA has been drafted to govern the handling and safeguarding of personal data by data importers receiving personal data from the UK while giving data exporters confidence that the transfer is in line with the UK GDPR.
The ICO’s consultation is split into three sections, covering proposals for
- the guidance on international data transfers
- the Transfer Risk Assessments (TRAs)
- and the IDTA
How does this affect EU/EEA companies?
Most EU companies are currently in the process of analyzing their international data flows and are in the midst of implementing the revised EU SCCs according to the European Data Protection Board’s recommendations.
At the beginning of May 2021, the ICO announced that it was working on "bespoke UK SCCs" and further stated that it was considering whether to recognize the new EU SCCs as a valid transfer mechanism under the UK GDPR.
EU companies are therefore faced with legal uncertainty: Can the new EU SCCs that companies are implementing now also serve as an adequate transfer mechanism under the UK GDPR? If so, this would mean that companies could avoid having to use EU SCCs for transfers outside the EU and at the same time having to use a different set of clauses to transfer data outside of the UK.
An addendum as a simple solution?
With regards to this, it is of particular relevance for multinational businesses to mention the fact that the ICO has also published a template addendum to the EU SCCs, allowing organizations to adapt the EU SCCs in order to work in the context of transfers under the UK GDPR. This would mean that companies could use the revised EU SCCs for exports from the UK subject to completing the addendum.
International companies are likely to favor implementing the revised EU SCCs and add the UK addendum to those data transfer agreements that fall under the scope of the UK GDPR, rather than having to adopt the IDTA as a means of international data transfer.
The ICO has stated that it considers its addendum "provides appropriate safeguards for the purposes of transfers of personal data to a third country or an international organization in reliance on Article 46 of the UK GDPR […]."
Both the draft IDTA and the addendum to the EU SCCs are open to consultation until 7 October 2021.