NOTE: The information contained in this article is only for a general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.
Hot on the heels of the European Commission publishing its revised SCCs under the European General Data Protection Regulation (EU GDPR), on 11 August, the UK Information Commissioner’s Office (ICO) launched a public consultation, under the UK General Data Protection Regulation (UK GDPR), on its draft guidance for organisations in the UK involved in restricted international transfers (that is, transfers to a third country that has not been deemed ‘adequate’ by the EU or the UK). The consultation also deals with the data transfer tools that will replace the current EU Standard Contractual Clauses (EU SCCs). Once agreed and finalised, the UK Standard Contractual Clauses (UK SCCs) will govern the transfer of personal data of UK data subjects to an importer in a third country to ensure the transfer is handled consistently with data protection requirements.
There has been much speculation on how the ICO’s office would develop data privacy in the UK following Brexit and the confirmed decision of adequacy for the UK. The UK Culture Secretary recently provided a glimpse (“UK to overhaul privacy rules in post-Brexit departure from GDPR”) that suggested the UK has the flexibility post-Brexit to call out those provisions of the EU GDPR that may not necessarily work for the UK.
To an extent, this is evident in the consultation launched by the ICO. The UK’s consultation has been somewhat broader than that launched by the EU Commission. The UK consultation draws on several documents:
- Proposals aimed at addressing international transfers of personal data outside of the UK
- An international transfer risk assessment guidance proposal (Risk Assessment Guidance)
- The international data transfer agreement (IDTA)
- Draft UK addendum to the EU Commission standard contractual clauses
A key aspect of the transfer of UK personal data to a third country is the transfer impact assessment, which evaluates whether the laws and regulations of the third country impede UK GDPR compliance. Such reviews need to be initiated early in negotiations with the supplier, and organisations need to start thinking about supplementing these as part of their supplier relationship processes.
Note also that once the UK SCCs have been finalised, businesses are able to use the ICO's template addendum to the EU SCCs, allowing them to adapt the EU SCCs to transfer personal data under the UK GDPR. An additional factor that may be highlighted at the end of the ICO consultation (7 October 2021) would be that organisations may be more inclined to use the EU SCCs with the template addendum rather than implement the IDTA.
Organisations are likely currently (and probably frantically) analysing their international data flows to ensure they comply with yet another data privacy regulation in an uncertain and shifting data privacy landscape. Where possible, organisations can benefit from the support provided by privacy professionals and technical data privacy tools that can aid in compliance and in alleviating the pressure on data privacy functions.
Currently, UK personal data importers making restricted transfers will still have to rely on the existing EU Standard Contractual Clauses, which the ICO has tweaked together with the transfer risk assessment and the European Data Protection Board recommendations (see “Recommendations on measures that supplement transfer tools”). It is safe to say that organisations are watching this space intensely to see how the rest of the UK’s SCC consultation unfolds and the shape of UK restricted transfers of personal data going forward.