UK International Data Transfers - what next?

August 2021

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfers are lawful, by confirming the data security and rights of individuals remain protected when data leaves the country.

The concept is fairly straightforward, however the practicalities have become rather complex in recent times.

You’d be forgiven for finding the whole topic of international transfers confusing. And that’s bad for business – we need real clarity on the requirements to keep data flowing between the UK and other countries.

Especially and as the UK begins to emerge from the massive economic (not to mention health & social) impacts of Coronavirus.

The complexity around data transfers comes from a few factors. First there’s impact of Brexit on data flows and the recent EC-UK Adequacy Decision.

But we must also consider the fallout from the now famous “Schrems II” ruling by the European Court of Justice. That’s the one which invalidated the EU-US Privacy Shield and raised concerns about the use of EU Standard Contractual Clauses (SCCs) to protect the data – resulting in recently updated SCCs being published by the European Commission, to take account of the ruling.

But what does this all mean for the UK?

  • Can UK businesses use European SCCs post-Brexit?
  • Do we need UK SCCs?

A public consultation on UK data transfers

The Information Commissioner’s Office (ICO) has announced a public consultation on its draft International Data Transfer Agreement (known as IDTA) and accompanying guidance. (Update: this consultation has since closed).

The IDTA is a model contract which UK organisations would be able to use when transferring data to other countries. In particular, when transferring data to countries which do not benefit from an EC adequacy decision.

In this situation, most organisations would normally look to use SCCs to ensure the transfers are lawful. However, EU SCCs don’t directly apply to the UK post Brexit and the ICO’s proposed replacement for the UK is the IDTA.

The ICO tells us this new agreement takes into account the binding judgment of the European Court of Justice from the Schrems II Ruling.

What’s in the consultation?

There are three key sections to the consultation:

  • Proposal and plans for the ICO to update its guidance on international transfers
  • Transfer risk assessments – including a new risk-assessment tool
  • The International Data Transfer Agreement.

The ICO is also proposing the use of a template Addendum to the EU SCCs, allowing organisations to adapt those SCCs to work in the context of UK transfers.

The UK Regulator has provided proposals and options which it would like us to consider and comment on.

On announcing the consultation Steve Wood, the ICO’s Executive Director of Regulatory Strategy said:

“The modern world involves increasing flows of personal data about citizens to deliver goods and services. Ensuring data is well-protected when transferred outside of the UK will be vital in maintaining people’s trust in the system. Our new IDTA is developed to ensure such protections are in place.

“We understand that international transfers can be complex, especially for smaller businesses. Our new guidance has been designed to be accessible and to ensure they support all organisations, from SMEs without the benefit of large legal budgets to multi-national companies. The agreements will help organisations to continue to trade freely while ensuring the correct protections are in place before transferring people’s data.”.