By Ursula Mulvaney – arch.resource member.
International data transfers – let’s get back to basics…
For privacy professionals the last few months brought a number of eagerly awaited key developments specifically in relation to international data transfers that many organisations now have to get to grips with. The clock started ticking in June 2021 prompting a significant workload for many organisations regardless of size or resources.
On 4th June 2021, the European Commission released new Standard Contractual Clauses (SCCs) for international transfers that are said to reflect new requirements under the General Data Protection Regulation (GDPR), “address the realities faced by modern business” and take into account the Schrems II judgement of the Court of Justice. It is envisaged that these “new tools” will offer more “legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, whilst allowing data to move freely across borders, without legal barriers”.
From a practical perspective organisations have the benefit of a 3 month transition period to make a choice to use the old SCCs or prepare and adjust to the new SCCs by 27th September 2021. For existing data transfers concluded before 27th September 2021 the new SCCs need to be incorporated by 27th December 2022.
The developments are welcome, but they also bring many practical and complicated challenges for organisations, particularly those with limited resources. The compliance challenge will persist for all types of organisations, and it serves as a healthy reminder of the importance of taking the time and investing in resources to get a solid grounding in your organisation’s data flows and to carry out a comprehensive data mapping exercise from the outset. It will be interesting to see over the coming months and years how all types of organisations seek to address this in their risk registers and internal compliance plans.
International transfers under UK GDPR
The new SCCs have not been adopted for use in the UK, which means that UK companies instead continue to use the old SCCs whilst the ICO prepares bespoke UK SCCs for international data transfers.
Last week on 11 August 2021 the Information Commissioner’s Office (ICO) launched a consultation on its draft international data transfer agreement (IDTA) and guidance with the intention of providing greater regulatory certainty and to assist organisations to comply with the law whilst also enabling the ICO to understand the practical impacts of the proposed approaches.
The IDTA will replace the current SCCs to take into account the judgment in the case of “Schrems II” which required organisations to carry out further diligence when making a transfer of personal data outside of the UK to countries without an adequacy decision. The Consultation is offering a selection of proposals and options to consider and is split into the following 3 sections:-
- Proposal and plans of the ICO for updates to guidance on international transfers
- Transfer risk assessments
  - This includes a draft transfer risk assessment tool (TRA tool) to assist when completing the risk assessment required following the decision in Schrems II.
  - The ICO invites views on the draft TRA tool and any suggestions for example transfer scenarios that could be included in the tool.
- ICO model international data transfer agreement
  - Proposal 1: A new set of standard data protection clauses (previously referred to as SCCs), to be known as the model International Data Transfer Agreement (IDTA) under the UK GDPR. The ICO invites views on this proposal, including any additional guidance templates that organisations would find helpful in the IDTA.
  - Proposal 2: The adoption of model data transfer agreements issued in other jurisdictions. The ICO is considering issuing an IDTA in the form of an addendum to model data transfer agreements from other jurisdictions. One such proposal is a UK GDPR addendum to the European Commission SCCs. The addendum amends the European Commission SCCs to work in the context of UK data transfers.
  - Proposal 3: Disapplying the use of the Directive SCCs when the Commissioner issues an IDTA. The ICO proposes that, starting from the date 40 days after the IDTA is laid before Parliament (assuming there are no Parliamentary objections to the IDTA), the Directive SCCs would be disapplied:
    - at the end of three months for new Directive SCCs; and
    - at the end of a further 21 months for all Directive SCCs.
    - This time period allows you to enter into new Directive SCCs for a further three months and so sign any Directive SCCs you have in train. However, you must have updated all your Directive SCCs within 24 months.
The ICO recognises “the importance of international data flows to the UK’s digital economy” and aims “to enable a system that maintains high standards of data protection, and trust and confidence”. The Consultation runs until 5pm on Thursday the 7th October 2021 – have your say!
For further information, please contact arch.resource member Ursula Mulvaney by email at Ursula@arch.law.