Due to the EU’s new standard contractual clauses for the transfer of personal data to third countries (“SCCs”) being implemented after the UK left the EU, some UK businesses have been left in the difficult position of trying to work out which of the two current sets of SCCs they should use when transferring personal data overseas.
The Information Commissioner’s Office (ICO) has taken some initial steps to resolve the situation, but new changes won’t be implemented quickly enough to avoid an interim period where two significantly overlapping and potentially conflicting sets of SCCs will be expected to operate alongside one another.
“Old” SCCs vs “New” SCCs
When we talk about the old and new versions of the SCCs in this article, what do we actually mean?
|
Version of SCCs |
Year Introduced |
As of now, applicable to? |
What data protection laws do the SCCs reflect? |
|
“Old” |
2010 |
UK businesses |
Pre-GDPR (albeit the ICO has suggested UK-specific amendments) |
|
“New” |
2021 |
Businesses in EU member states |
EU GDPR |
- Data Transfers from the EU to UK: Adequacy Decision
In respect of:
- EU businesses transferring data to the UK; and
- UK businesses processing EU data which does not leave the UK,
the position is, thankfully, a simple one.
The EU’s recent adequacy decision on 21st June 2021 means that EU businesses can freely transfer personal data to the UK without the need to put in place any supplementary measures, such as relying on the consent of the data subjects involved or incorporating the EU’s standard contractual clauses.
- Data Transfers from the UK to a Third Country: “Old” SCCs
Due to Brexit, the new SCCs do not apply in respect of transfers of personal data from the UK to third countries. Instead, the ICO has advised that UK businesses should use the old SCCs, but make amendments to them to reflect the considerable amount of data protection legislation that has been introduced since the old SCCs were originally implemented (most notably the GDPR and UK Data Protection Act 2018).
To assist with this, the ICO has produced template amended versions of the old SCCs which UK businesses can use (these are available on the ICO website).
However, these are cumbersome documents for businesses to use without legal support and, in any event, having to use an amended version of the old SCCs is not a viable long-term solution, particularly considering that the EU has held that the old SCCs are no longer valid from 27th September onwards.
To resolve this situation and create a more long-term solution, the ICO recently launched a consultation with the intention of creating a UK equivalent to the new SCCs (please see below for further details).
- Data Transfers of EU Data from the UK to a Third Country: New or Old SCCs?
Things are even less straightforward for those UK businesses whose processing of EU personal data involves the onward transferring of that data from the UK to a third country (e.g. to a US sub-processor).
Based on the ICO’s current advice set out above, a UK business should use the old SCCs when transferring the EU data from the UK to the third country in question.
However, that UK business’s EU data subjects may have good grounds to argue that they are entitled, as EU citizens under EU law, for the onward transfer of their data to be subject to the new SCCs, regardless of what the position is in the UK. Indeed, we may begin to see EU clients seeking to insert obligations on UK businesses to use the new SCCs when engaging any sub-processors outside the UK.
Despite the fact that this is not in line with ICO guidance, a UK business could choose to adopt the new SCCs, arguing that:
- with the new SCCs being drafted specifically with the GDPR in mind (compared to the old SCCs which have been amended to reflect the same) it is actually taking a more robust approach in complying with current data protection legislation; and
- it will have a commercial advantage over other UK businesses when contracting with EU clients.
It is therefore likely that, over the next few months, UK businesses will frequently be faced with the predicament of which set of SCCs to use in any situation.
ICO Consultation
With all of the above in mind, in August 2021, the ICO launched a public consultation (available here) with a view to establishing new guidance for UK businesses when transferring data overseas as well as introducing a new template international data transfer agreement (“IDTA”) for data transfers from the UK.
The IDTA will effectively be a bespoke UK-equivalent document to the new SCCs and remove the need for UK businesses to continue to use the old SCCs. A draft IDTA has been published as part of this consultation and can be viewed here.
As can be seen, the IDTA is a sizeable document and it is likely that it will take a considerable amount of time for businesses to familiarise themselves with its contents and for the use of the IDTA in commercial contracts to become normalised.
The consultation is due to close shortly on 7th October, after which time it remains to be seen to what extent the final version of the IDTA will differ from the new SCCs and how quickly a new regime incorporating the IDTA can be introduced. In any event, it seems unlikely that this will happen before the end of 2021.
Conclusion
Whilst the ICO’s actions are welcome and offer future clarity and certainty on international data transfers from the UK, this still leaves a lot of uncertainty over the next few months, especially from 27th September onwards, where UK businesses, particularly those processing EU citizens’ data, are going to have a real problem deciding which SCCs to use in any given situation and the prospect of having to incorporate multiple versions of the SCCs into their commercial contracts.