In 2021 the European Commission published new standard contractual clauses (SCCs). These allow transfers of personal data to countries without adequate data protection laws, so-called third countries. The old ones had been drafted under the old 1995 Data Protection Directive which GDPR replaced in 2018. So replacement clauses were long overdue. The Schrems II ruling in 2020 invalidated the EU/US Privacy Shield. It also indicated that a party transferring data should undertake a risk assessment to ensure the data would be protected properly. But the old SCCs continued – until last year. So, welcome to the all-new SCCs with their 4 modules to cover a variety of situations.
The year is 2022. Data transfers are entirely occupied by the new Standard Contractual Clauses. Well, not entirely… One country still holds out against the invaders. (With apologies to Goscinny & Uderzo)
In truth, the situation was not quite so simple in the UK. As a result of Brexit, EU law had been converted into UK law, which meant that GDPR and Schrems II came along for the ride. The Commission confirmed that the version of GDPR preserved under UK law – perhaps understandably named UK GDPR – was “adequate”. This permitted the free flow of personal data from the EEA to the UK to continue without the need for any SCCs. So far so good.
IDTA or SCC addendum
But the new SCCs were published after Brexit so the ICO partly ignored them. The ICO’s official line had been that UK organisations transferring data to third countries should use the old SCCs, but with updates to replace references to the defunct Directive. Because Brexit. It then ran a consultation over the future of data transfers from the UK. It indicated it would adopt its own International Data Transfer Agreement and perhaps a UK addendum to the new SCCs. And the Department for Culture, Media and Sport (DCMS) has now laid this approach before Parliament. The new documents come into force on 21 March 2022.
Under the transition arrangements, organisations can continue to use the old SCCs until 21 September 2022. Transfers may continue under them until 21 March 2024. From that point, data transfers must be on the basis of the IDTA or the addendum (or another suitable way). The ICO has indicated that organisations must still undertake a risk assessment before transferring personal data to ensure it will actually be protected.
This is the kind of half-way house that many had been awaiting. Those who have already adopted the new SCCs need simply adopt the new UK addendum. Those still using the old SCCs can use either the IDTA or the addendum. It will be interesting to see how many opt for one over the other.
The IDTA has been drafted to allow for updates to UK data protection laws. The UK government consulted on proposed reforms last year and is expected to publish its intentions soon. We wait to see whether these reforms will affect the UK’s compliance with GDPR. If so, that could see the EU Commission cancel its decision that UK data protection laws are adequate. This would mean data transfers from the EU to the UK would have to be under the SCCs too. And maybe data transfers from the UK to the EU would have to be under the IDTA.
If you need advice, contact me at firstname.lastname@example.org or +44 (0) 20 7611 2338.