Willkie Farr & Gallagher LLP
To print this article, all you need is to be registered or login on Mondaq.com.
The use within the UK of Standard Contractual Clauses
(“SCCs“) to provide appropriate
safeguards for transfers of personal data to third countries (in
the absence of a UK adequacy decision in respect of that third
country) is soon to be updated.
By way of background, in June 2021, the European Commission
adopted revised SCCs (the “New EU SCCs“)
in light of the Schrems II decision of the European Court of
Justice, which, among other things, ruled that transferors must
make an assessment of whether the SCCs suffice to provide
‘essentially equivalent‘ protection, and if
necessary put in place additional measures to compensate for
lacunae in the protection of third-country legal systems.
With the transition period over, the New EU SCCs have not been
adopted by the Information Commissioner’s Office
(“ICO”). Instead, the current position is that UK data
controllers can continue to use the (older) EU SCCs, as modified to
make sure they make sense in a UK context, as long as data
controllers make any required enhancements to their processes in
light of Schrems II. The ICO is now consulting on its own draft
revised set of SCCs, accompanied by a draft model risk assessment.
We set out the key changes which the ICO proposes to make.
The ICO Consultation
The consultation, which commenced on 11 August 2021, invites
responses by 7 October 2021 on the following documents:
- Revised draft SCCs, called an International Data Transfer
- Draft international transfer risk assessment tool;
- Draft UK Addendum to the New EU SCCs (to validate their use for
transfers of personal data out of the UK)
- Updated guidance on international transfers.
Key elements of the proposals
The proposed IDTA is divided into four parts.
- Part One includes the details of the parties and details of the
transfer (such as the categories of personal data to be
transferred, the categories of data subject, and the purpose of the
data transfer). It also embeds into the contract the security
requirements which apply to the transfer (including security of
transmission, security of storage, security of processing, and
organisational security requirements).
- Part Two provides space for the inclusion of any ‘extra
protection clauses’ which may be determined by the transferor
to be necessary in light of the risk assessment carried out
(discussed below). The possible extra protection might include
additional technical security protections, organisational
protections, and/or contractual protections. (The draft states that
such requirements could be set out in Part One or Part Two).
- Part Three provides for the parties to include any
‘commercial clauses’ relevant to their transfer. In
practice, where the transfer of data is between a controller and
processor (which already requires a written agreement in place,
regardless of whether the transfer is outside the UK), part three
of the IDTA is likely to reference that ‘linked’
- Part Four contains the ‘mandatory clauses’ which must
be included in full and without modification. These clauses provide
for the core contractual requirements to ensure the transfer
includes appropriate safeguards and is compliant with the UK
General Data Protection Regulation
(“GDPR“). Data subjects are given the
contractual right to bring claims against the parties for breach of
Risk Assessment Tool
The ICO’s draft international transfer risk assessment tool
is divided into three stages: (a) assessment of whether the
transfer risk assessment tool is suitable for the transfer (for
example, the draft explains that some transfers may be too high
risk or complex for the tool to be used); (b) determining whether
the IDTA is likely to be enforceable in the destination country
(including whether there are enforceable rights and effective
remedies in that country); and (c) determining whether the
destination country’s regime is similar enough to the UK’s
regime in terms of regulating third-party access to data (including
The outcome of the risk assessment will determine whether the
transfer can be made and whether any extra protection is required.
Transferors will therefore need to consider not only the transfer
itself but also the regulatory system where the transferee is
located in order to carry out the risk assessment.
The ICO is also consulting on issuing an alternative IDTA in the
form of an ‘addendum’ to append to model data transfer
agreements from other jurisdictions. Specifically, the ICO has
produced a draft addendum to the New EU SCCs, which would enable
organisations to use the New EU SCCs and then execute the Addendum
for the purposes of compliance with the UK GDPR. For organisations
carrying out business in both the UK and EU who wish to send
personal data to third countries outside the UK and EU which are
not subject to adequacy decisions, this would enable them to agree
on one set of SCCs. We therefore expect the Addendum to be a
The ICO is inviting views on a number of potential amendments to
its guidance in relation to international transfers. Such
amendments include but are not limited to:
- Clarification over whether transferors are required to first
try to put in place an appropriate safeguard (such as SCCs) before
relying on the derogations contained in Article 49 of the UK GDPR
(which include where the data subject has explicitly consented to
the proposed transfer, and where the transfer is necessary for the
performance of a contract between the data subject and the
- The proposal that ‘in order for a restricted transfer
to take place, there must be a transfer from one legal entity to
another,‘ which would mean that ‘it is not a
restricted transfer where the data flows within a legal entity. For
example … where … a UK company shares data with its overseas
branch.‘ Whilst this proposal is consistent with the ICO
guidance already in place, we expect that greater clarity over this
issue would be welcomed by UK organisations with branches
- Clarification over whether the GDPR inevitably governs
processing by an overseas processor of a UK GDPR data controller,
or whether it will depend on the circumstances of the case.
The consultation closes on 7 October 2021; we can therefore
expect finalisation of the proposals by around early 2022. Assuming
the proposals are implemented and the new IDTA laid before
Parliament, then, in respect of new SCCs to be entered into,
transferors would have around four months to start using the new
IDTA. There would, however, be a grace period of a further 21
months in respect of existing SCCs, giving firms time to transition
across to new contracts. In other words, firms would have around 24
months to transition existing SCCs onto the ICO’s IDTA.
Against this background, many of our clients are taking this
opportunity to review their flows of personal data outside the UK
and consider what modifications may be required to ensure that
restricted transfers have appropriate safeguards in place.
Specifically, firms may find that the ICO’s risk assessment
tool (albeit still in draft) provides much welcomed guidance as to
how to approach the international transfer risk assessment.
Similarly, businesses with operations in the EU have been
considering the implementation of the New EU SCCs: please click
here for our client alert on this. For groups which have both
EU and UK companies transferring data to third countries such as
the United States, this further complicates the matrix of
documentation they have to work with.
Separately, recent announcements from the UK Culture Secretary
in relation to potential modifications to the UK GDPR (specifically
with a view to reducing the incidence of ‘cookie banners’)
suggests that the UK is looking to spread its wings as to the
operation of the autonomous UK GDPR. Whether such proposals can be
taken forward without jeopardising the EU’s position on the
UK’s adequacy remains to be seen.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from European Union