UK Proposes New Standard Contractual Clauses for Data Transfers to Third Countries
The Background: Transfers of personal data from the United Kingdom to third countries which do not provide an adequate level of data protection are restricted. The most common method of complying with this requirement is the use of Standard Contractual Clauses.
The Development: The United Kingdom has issued new versions of its SCCs. These are a response to the European Union's adoption of new versions of its SCCs and the need to take into account the Schrems II decision.
Looking Ahead: The new UK SCCs are expected to come into force on 21 March 2022. However, certain existing arrangements using the previous versions of the UK SCCs can still be used until 21 March 2024.
EU and UK data protection rules each restrict transfers of personal data to third countries not regarded as having an adequate level of protection, such as the United States, China, Russia and India. Data transfers are permitted where the data exporter and data importer implement one of the appropriate safeguard mechanisms specified by the EU and UK data protection regulations —these include using Standard Contractual Clauses ("SCCs"). SCCs consist of transfer provisions in an approved and fixed form. EU SCCs are approved by the European Commission and are available for transfers from the European Economic Area ("EEA"), while UK SCCs are approved by the UK Government and can be used for transfers from the UK. The EU and UK have each recognized the other's data protection rules as adequate meaning that no SCCs are required for transfers from the EEA to the UK or vice versa.
As part of the Brexit arrangements the UK approved use of the then-current EU SCCs ("Old EU SCCs") for transfers from the UK. On 4 June 2021, the European Commission adopted new SCCs ("New EU SCCs") which replaced the Old EU SCCs for transfers from the EU (please see our Alert). The United Kingdom did not immediately approve the New EU SCCs for use for transfers from the UK. This meant that companies needed to implement both the New EU SCCs to transfer data from the EEA to third countries without adequate protection for personal data and also the Old EU SCCs for transfers from the UK to such countries.
The ICO has now consulted on new SCCs for the UK ("New UK SCCs"). These were laid before the UK Parliament on 31 January 2022 and if there are no objections will come into force from 21 March 2022. Contracts entered into on or before 21 September 2021 that use the Old EU SCCs as a means of complying with the UK data protection rules for international data transfers can still be used until 21 March 2024. Other transfers that rely on SCCs should comply with the New UK SCCs from 21 March 2022.
There are two versions of the New UK SCCs. The first is an international data transfer agreement ("IDTA") which operates on a standalone basis. The second is an amendment to the New EU SCCs that allows their use for transfers from the UK ("Addendum").
The IDTA can be used to allow the transfer of personal data from the United Kingdom to any third country that does not have adequate data protection. It is substantially similar to the New EU SCCs. The IDTA allows the parties to refer to a "linked agreement" which may contain key details about the data transfer and can include additional commercial provisions.
The Addendum can be used to amend the New EU SCCs allowing their use for transfers from the UK. It makes the changes necessary to ensure that the New EU SCCs meet UK requirements. This will allow companies that are subject to both the EU and UK data protection regimes to use one data transfer arrangement to comply with both sets of requirements. In any case, companies are free to decide which version of the New UK SCCs they use.
The EU and the UK both require data exporters to carry out a transfer impact assessment when using SCCs. The ICO has said that it will issue guidance on use of the IDTA and Addendum and how to carry out a UK transfer risk assessments shortly.
Four Key Takeaways
1. The New UK SCCs allow data transfers from the UK to third countries without adequate data protection laws.
2. There are two versions of the New UK SCCs. The first is a standalone data transfer agreement. The second is an Addendum that allows use of the New EU SCCs for transfers from the United Kingdom. Companies can use the Addendum to use only one arrangement for transfers from both the EEA and UK.
3. The New UK SCCs are expected to come into force on 21 March 2022. Existing arrangements using the Old EU SCCs can still be used for transfers from the United Kingdom until 21 March 2024. Companies that rely on SCCs and are subject to the UK data protection rules should check whether they need to make changes to these arrangements.
4. Companies must conduct a data transfer impact assessment for each international data transfer from the EEA or United Kingdom when relying on SCCs.
