ICO Issues New Standard Contractual Clauses for International Data Transfers

Overview

The Information Commissioner’s Office (ICO) has recently issued new standard contractual clauses (SCCs) for international transfers of personal data from the UK to “third countries” or international organisations. These transfers are known as “restricted transfers”.

If organisations export personal data out of the UK to these third countries (i.e. countries that are not in the EEA or that are not on the list of countries deemed by our government to have adequate legal safeguards for the transfer of personal data), they will most likely need to use SCCs with the importing organisation to ensure that the transfers comply with the EU’s General Data Protection Regulation 2016 (EU GDPR) as amended and incorporated into UK law following Brexit (UK GDPR).

Where are the new standard contractual clauses?

These new SCCs are contained within the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers (Addendum).

Both documents (the IDTA and Addendum) are the UK’s equivalent of the EU’s own SCCs which are used for the transfer of personal data from EU member states to third countries. The European Commission adopted the latest version of the EU SCCs (the “new” EU SCCs) in June 2021 and, following Brexit, they are no longer valid for restricted transfers under the UK GDPR. The UK had until recently continued to use the “old” EU SCCs, namely those which were adopted under the Data Protection Directive 95/46/EC.

Data exporters may now use either the IDTA or the Addendum when making restricted transfers of personal data outside the UK. The differences between the two alternatives can be explained as follows:

• The IDTA is a standalone agreement which acts as the UK’s version of the new EU SCCs. It can be used by organisations (whether they are data controllers or data processors) as a contractual mechanism to regulate restricted transfers under the UK GDPR.
• In contrast, the Addendum is designed to be used as an attachment to the new EU SCCs. Where the business operates across the EU and the UK, they can use the Addendum alongside the EU SCCs to cover transfers from the UK to third countries.

The IDTA and Addendum may be used as one of the “appropriate safeguards” referred to in Article 46 of the UK GDPR for restricted transfers of personal data from the UK which are not covered by the UK’s “adequacy” regulations. These regulations currently cover restricted transfers to countries in the EEA as well as countries, territories and sectors covered by existing EU “adequacy decisions”.

When did this change take effect?

The IDTA and Addendum were issued under Section 119A of the Data Protection Act 2018 and came into force on 21 March 2022 following Parliamentary approval. Although these SCCs may be used immediately, the ICO has issued an accompanying document setting out transitional provisions which confirm the following:

• The old EU SCCs will continue to be classed as an appropriate safeguard for new contracts involving data processing under the UK GDPR until 21 September 2022; and
• Contracts involving data processing which are based on the old EU SCCs and concluded on or before 21 September 2022 will continue to provide appropriate safeguards under the UK GDPR until 21 March 2024, provided that the processing operations remain unchanged and that reliance on these clauses ensures that the transfer of personal data is subject to appropriate safeguards.

What does this mean for data exporters?

The IDTA and Addendum are designed to provide further clarity for UK organisations transferring personal data to organisations based outside of the UK or EEA. In particular, they should address the uncertainty which followed the European Commission’s adoption of new EU SCCs in June 2021.

The ICO is expected to publish additional guidance in due course regarding the use of the IDTA and Addendum for international transfers of personal data. In the meantime, data exporters may wish to consider the following:

• IDTA versus Addendum: the choice between the IDTA and the Addendum may depend on the nature of the data exporter’s operations. International organisations which operate across the UK and EEA, and whose transfers may therefore be subject to both the UK GDPR and EU GDPR, may find it simpler to use the Addendum in conjunction with the new EU SCCs. The IDTA may be more suitable for UK-based organisations transferring personal data from the UK to third countries which may not have transitioned to the new EU SCCs.
• Transfer Impact Assessments and Additional Safeguards: the IDTA and Addendum take account of the decision of the European Court of Justice in the Schrems II case, which ruled that standard contractual clauses alone are not necessarily sufficient to ensure adequate protection for data subjects (see here). Therefore, data exporters using the IDTA or Addendum will additionally be required to complete a transfer impact assessment and potentially also put in place additional safeguards designed to protect and safeguard the transferred personal data. The European Data Protection Board has published detailed guidance on this, though this guidance will apply to EU processing activity. The ICO is expected to publish further guidance on transfer impact assessments in addition to its guidance on using the IDTA and Addendum.
• Future reforms: organisations entering into new contracts from 21 March 2022 may wish to adopt the IDTA or Addendum in order to avoid the organisational costs of making the transition at a later stage. It remains to be seen whether use of IDTAs or the Addendum will help organisations protect themselves against future changes in UK policy proposed by the Data Reform Bill. The Data Reform Bill envisages the UK moving further away from the EU GDPR, which could affect the UK’s adequacy regulations. This means that it may be preferable for companies to start using the IDTA or Addendum rather than continuing to make use of the old EU SCCs and, in addition, depending on the changes to UK data protection law implemented by the Data Reform Bill, potentially just IDTAs in order to reduce reliance on the new EU SCCs, given that the UK may look to move further away from the EEA system.