
The Future Of International Data Transfers Post-Brexit: The ICO Consults



The use within the UK of Standard Contractual Clauses
(“SCCs”) to provide appropriate
safeguards for transfers of personal data to third countries (in
the absence of a UK adequacy decision in respect of that third
country) is soon to be updated.

By way of background, in June 2021, the European Commission
adopted revised SCCs (the “New EU SCCs”)
in light of the Schrems II decision of the European Court of
Justice, which, among other things, ruled that transferors must
make an assessment of whether the SCCs suffice to provide
‘essentially equivalent’ protection, and if
necessary put in place additional measures to compensate for
lacunae in the protection of third-country legal systems.

With the transition period over, the New EU SCCs have not been
adopted by the Information Commissioner’s Office
(“ICO”). Instead, the current position is that UK data
controllers can continue to use the (older) EU SCCs, as modified to
make sure they make sense in a UK context, as long as data
controllers make any required enhancements to their processes in
light of Schrems II. The ICO is now consulting on its own draft
revised set of SCCs, accompanied by a draft model risk assessment.
We set out the key changes which the ICO proposes to make.

The ICO Consultation

The consultation, which commenced on 11 August 2021, invites
responses by 7 October 2021 on the following documents:

  • Revised draft SCCs, called an International Data Transfer
    Agreement (“IDTA”);

  • Draft international transfer risk assessment tool;

  • Draft UK Addendum to the New EU SCCs (to validate their use for
    transfers of personal data out of the UK)
    (“Addendum”); and

  • Updated guidance on international transfers.

Key elements of the proposals

Draft IDTA

The proposed IDTA is divided into four parts.

  • Part One includes the details of the parties and details of the
    transfer (such as the categories of personal data to be
    transferred, the categories of data subject, and the purpose of the
    data transfer). It also embeds into the contract the security
    requirements which apply to the transfer (including security of
    transmission, security of storage, security of processing, and
    organisational security requirements).

  • Part Two provides space for the inclusion of any ‘extra
    protection clauses’ which may be determined by the transferor
    to be necessary in light of the risk assessment carried out
    (discussed below). The possible extra protection might include
    additional technical security protections, organisational
    protections, and/or contractual protections. (The draft states that
    such requirements could be set out in Part One or Part Two).

  • Part Three provides for the parties to include any
    ‘commercial clauses’ relevant to their transfer. In
    practice, where the transfer of data is between a controller and
    processor (which already requires a written agreement in place,
    regardless of whether the transfer is outside the UK), part three
    of the IDTA is likely to reference that ‘linked’

  • Part Four contains the ‘mandatory clauses’ which must
    be included in full and without modification. These clauses provide
    for the core contractual requirements to ensure the transfer
    includes appropriate safeguards and is compliant with the UK
    General Data Protection Regulation
    (“GDPR”). Data subjects are given the
    contractual right to bring claims against the parties for breach of
    the IDTA.

Risk Assessment Tool

The ICO’s draft international transfer risk assessment tool
is divided into three stages: (a) assessment of whether the
transfer risk assessment tool is suitable for the transfer (for
example, the draft explains that some transfers may be too high
risk or complex for the tool to be used); (b) determining whether
the IDTA is likely to be enforceable in the destination country
(including whether there are enforceable rights and effective
remedies in that country); and (c) determining whether the
destination country’s regime is similar enough to the UK’s
regime in terms of regulating third-party access to data (including

The outcome of the risk assessment will determine whether the
transfer can be made and whether any extra protection is required.
Transferors will therefore need to consider not only the transfer
itself but also the regulatory system where the transferee is
located in order to carry out the risk assessment.


The ICO is also consulting on issuing an alternative IDTA in the
form of an ‘addendum’ to append to model data transfer
agreements from other jurisdictions. Specifically, the ICO has
produced a draft addendum to the New EU SCCs, which would enable
organisations to use the New EU SCCs and then execute the Addendum
for the purposes of compliance with the UK GDPR. For organisations
carrying out business in both the UK and EU who wish to send
personal data to third countries outside the UK and EU which are
not subject to adequacy decisions, this would enable them to agree
on one set of SCCs. We therefore expect the Addendum to be a
well-received proposal.

Updated Guidance

The ICO is inviting views on a number of potential amendments to
its guidance in relation to international transfers. Such
amendments include but are not limited to:

  • Clarification over whether transferors are required to first
    try to put in place an appropriate safeguard (such as SCCs) before
    relying on the derogations contained in Article 49 of the UK GDPR
    (which include where the data subject has explicitly consented to
    the proposed transfer, and where the transfer is necessary for the
    performance of a contract between the data subject and the

  • The proposal that ‘in order for a restricted transfer
    to take place, there must be a transfer from one legal entity to
    ‘ which would mean that ‘it is not a
    restricted transfer where the data flows within a legal entity. For
    example … where … a UK company shares data with its overseas
    ‘ Whilst this proposal is consistent with the ICO
    guidance already in place, we expect that greater clarity over this
    issue would be welcomed by UK organisations with branches

  • Clarification over whether the GDPR inevitably governs
    processing by an overseas processor of a UK GDPR data controller,
    or whether it will depend on the circumstances of the case.


The consultation closes on 7 October 2021; we can therefore
expect finalisation of the proposals by around early 2022. Assuming
the proposals are implemented and the new IDTA laid before
Parliament, then, in respect of new SCCs to be entered into,
transferors would have around four months to start using the new
IDTA. There would, however, be a grace period of a further 21
months in respect of existing SCCs, giving firms time to transition
across to new contracts. In other words, firms would have around 24
months to transition existing SCCs onto the ICO’s IDTA.

Against this background, many of our clients are taking this
opportunity to review their flows of personal data outside the UK
and consider what modifications may be required to ensure that
restricted transfers have appropriate safeguards in place.
Specifically, firms may find that the ICO’s risk assessment
tool (albeit still in draft) provides much welcomed guidance as to
how to approach the international transfer risk assessment.

Similarly, businesses with operations in the EU have been
considering the implementation of the New EU SCCs. For groups
which have both EU and UK companies transferring data to third
countries such as the United States, this further complicates the
matrix of documentation they have to work with.

Separately, recent announcements from the UK Culture Secretary
in relation to potential modifications to the UK GDPR (specifically
with a view to reducing the incidence of ‘cookie banners’)
suggest that the UK is looking to spread its wings as to the
operation of the autonomous UK GDPR. Whether such proposals can be
taken forward without jeopardising the EU’s position on the
UK’s adequacy remains to be seen.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
