UK: Requirements for international data transfers under UK and EU data protection regimes
In February 2022, the Secretary of State for the Department for Digital, Culture, Media and Sport ('DCMS') laid before Parliament two optional models of Standard Contractual Clauses ('SCCs'), which, if approved, will come into effect on 21 March 2022. Rocio de la Cruz, Partner, and Santos Hau, Trainee, at BPE Solicitors LLP, discuss these models and the resulting requirements for international data transfers.
It is a well-known fact that compliance with the UK and EU General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as law incorporated in the UK and the EEA, is crucial for organisations processing personal data of any kind, not only because of potential claims for compensation and regulatory fines, but also for the reputational damage that organisations in breach of the data protection laws suffer. Furthermore, the loss of individuals' trust takes significant time to rebuild.
These risks are elevated for companies contracting service providers that are either international organisations, or operate from different countries.
Under Article 46 of the GDPR, where organisations processing personal data, either by themselves (controllers) or under others' instructions (processors), are making transfers of personal data to third countries (i.e. countries not in the UK, EU, EEA, or those not deemed 'adequate' by the EU Commission or the UK's DCMS - we call these 'restricted transfers'), 'appropriate safeguards' which are enforceable and effective need to be implemented to avoid being in breach of the GDPR.
The most commonly used 'appropriate safeguards' to date are what we know as SCCs, which in the UK, since Brexit, must be issued by the Information Commissioner's Office ('ICO') or otherwise approved by the Secretary of State for the DCMS.
In February 2022, the Secretary of State for the DCMS laid before Parliament two optional models of SCCs approved by the ICO that have been named 'International Data Transfer Agreement'1 ('IDTA') and 'International Data Transfer Addendum to the EU Commission Standard Contractual Clauses'2 ('the Addendum') and will be in force on 21 March 2022, should no objections be raised in Parliament.
The IDTA is the UK's brand new version of SCCs, while the Addendum consists of an approval of the existing Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council3 ('the EU SCCs'), but with the necessary amendments to adapt it to the UK context.
The new IDTA and Addendum from the UK have been long anticipated, as since the European Commission approved the EU SCCs in June 2021, there have not been standard clauses in the UK at an equivalent level. Until now, UK-based businesses subject to both the UK and the EU GDPR have struggled with harmonising both models of clauses with contracting service providers and, in some cases, this has made negotiations more difficult.
A key feature of the Addendum is that organisations making restricted transfers subject to both the UK and EU GDPR may wrap the Addendum and the EU SCCs in a single document, in which data processing particulars, modules chosen, and supplementary safeguards added apply to both models, allowing the simplification of clauses and models to which the parties must agree. The benefit of this is that organisations can complete one model and state that the other model also applies by reference. However, the document must incorporate both the EU SCCs and the Addendum, so each is legally binding in its respective jurisdictions.
Where organisations are making restricted transfers subject to the UK GDPR, they may enter into the IDTA with the recipient of the data covered by the UK GDPR. The benefits of the IDTA are that it is less jargon-filled, more practical and flexible, and certain in applying to UK transfers to organisations located in third countries (the EU SCCs were moot on this point), so another bespoke data transfer agreement covering such transfers is not automatically required.
The new models do not replace other obligations arising from the decision of the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) ('the Schrems II Case'), and the parties are still required to conduct a transfer impact assessment and to consider countries' local laws, practices, and risks which may render any data sharing agreements insufficient if the standards of the GDPR are not guaranteed in practice.
The IDTA allows for dispute resolution via arbitration, whilst the EU SCCs have mandatory forum and jurisdiction provisions. While the EU SCCs allow for additions (but not amendments) to the clauses, the provisions in the EU SCCs are clear - disputes must be resolved by 'courts' and this would appear to conflict with any additional arbitration or alternative dispute resolution provisions. Arbitration under the IDTA may be preferred by organisations as this reduces the risk of 'home state' advantages, may reduce costs of instructing foreign counsel, and may make it quicker to resolve disputes.
What to do now?
If these models finally come into force on 21 March 2022, then on or after 22 September 2022 any new data sharing agreements subject to the UK GDPR must use either the new IDTA or the Addendum, giving organisations six months to start using the new standard documents. Any existing contracts concluded on or before 21 September 2022 will remain valid until 21 March 2024, effectively giving organisations two years to remediate existing contracts.
To facilitate this, organisations should:
- review existing contracts with providers, partners, and group entities;
- identify international data flows;
- identify UK and EU GDPR applications;
- analyse transfers which are high-risk and should be prioritised or will need to be revisited soon;
- consider other Article 46 mechanisms or Article 49 exemptions; and
- set out an action plan, to undertake the above to ensure compliance with the UK and EU GDPR.
1. Available at: https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf
2. Available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf
3. Available at: https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf