ICO confirms UK’s data transfer clauses, and admits error
For a short while on Monday (31 January), confusion reigned where the ICO had – we assume! – meant to bring clarity.
Any number of UK advisers, businesses and other organisations – and many overseas – had been waiting for news of the ICO’s International Data Sharing Agreement (IDTA), along with the associated addendum, Transfer Risk Assessment (TRA) tool, and transitional provisions. We’ve not seen any update to the draft TRA put out in August 2021, but as of this week the other three are now all present and (eventually) correct.
What is an IDTA?
The IDTA, for those not following closely, is the UK’s version of the EU’s Standard Contractual Clauses (or SCCs – the contractual mechanism intended to regulate international data transfers out of the EEA). As such, it is intended to apply to transfers out of the UK to "third countries" (to use the EU’s term) lacking an adequacy decision from the EU Commission. An advanced draft of the IDTA had been under consultation in September and October last year, along with an Addendum designed to tuck in alongside the EU’s new SCCs (in force since 27 June 2021) and make them operable under UK law post-Brexit.
What happened this week?
The good news in the ICO’s announcement (initially made on 31 January) was that Parliament was, apparently, all set to confirm our IDTA and show that Britain was open for business with the world. We also had a starting date – 21 March 2022 – when they were due to come into force, pending any objections in Parliament, and even a helpful suggestion (see here) that organisations could get started on using them right away.
But that was where the confusion began to creep in: what if organisations did not want to proceed on the basis of the ICO’s caveat, i.e. that the SCCs were not yet in force and subject to Parliamentary approval? Well, they were down on options, it seemed. The announcement and updated ICO guidance linked through to a document on Transitional Provisions which – at least until Wednesday that week – suggested that organisations could not rely on the old EU SCCs for existing and ongoing processing activities unless they were entered into prior to 21 September 2021 (last year).
In other words, it appeared that – contrary to all indications in last autumn’s consultation – not only was there no grace period to complete contracts already under negotiation under the old SCCs, but any organisations who had in good faith put in place the old SCCs in the interim (as the only available contractual option for transfers out of the UK) were suddenly staring at immediate non-compliance.
Fortunately, although very much without fanfare (other than a couple of tweets by @ICOnews on Tuesday and Wednesday afternoon), the deadline date has been confirmed as a typo. As many had begun to assume, the correct date was intended to be 21 September 2022. That meant a six-month grace period, if preferred, to put contracts / data sharing agreements in place under the old SCCs, following which they would remain valid until 21 March 2024.
The remaining hiccup to resolve was that the typo was not simply on a press release: it was present in the document laid before Parliament, and specifically the language intended to disapply and replace the relevant provision of the Data Protection Act 2018 (that’s Paragraph 7 of Part 3 in Schedule 21, for those wanting to check) under the Information Commissioner’s statutory powers. So, as the ICO confirmed in a pinned tweet on Wednesday afternoon: it has had to re-lay the IDTA documentation before Parliament, having initially done so last Friday (28 January).
Will that affect, then, the date it comes into force – 21 March 2022 – and have a knock-on effect for the grace period? Hopefully not, but no doubt the ICO will let us know in due course: via social media or otherwise.
Should we be using the new IDTA?
This is a much broader question, and one we will be releasing further views on in due course – including as ICO guidance and explanatory notes are published. In the plus column, the UK IDTA is more practical, shorter and less jargon-filled than the new EU SCCs.
On the downside, we don’t yet know what the EU Commission thinks of the IDTA. Post-Brexit, their view does not affect the UK law position: and as of now, the UK enjoys the benefit of a positive adequacy decision, so flows of data from the EU ought to be free and easy. However, if the EU Commission (or the EDPB, or any EU Member State supervisory authority) were to express formal doubts about the IDTA’s effectiveness, it could trigger a debate about data flows into the UK from the EEA – i.e. where UK-based organisations are then relying on IDTAs for any onward transfers of data – and put our fragile adequacy decision into the spotlight.
The main health warning with the IDTA, of course, is that it can only serve transfers out of the UK: so multi-territorial data sharing arrangements involving the EEA cannot rely on the IDTA alone. Many organisations, especially those with global data flows (in-group or otherwise), are likely to reach for the new EU SCCs and deal with UK exports on the basis of the ICO’s Addendum. Others, having spent much time and effort putting in place arrangements under the old EU SCCs before the EU and UK got out of sync last year, may yet decide to crack on with existing or pending agreements under the old SCCs for the time being.
Casting a shadow over all these options is the Schrems II decision – which both the new EU SCCs and the IDTA intend to reflect and accommodate. In each case, however, the devil may be in the detail of the Data Transfer Impact Assessment (or TRA, in the ICO’s version) which seeks to justify the risk applicable to each transfer. In other words, nothing is yet nearly as easy as it should be.
Territorial scope
A welcome area of clarification is that the IDTA has brought the UK position, arguably, ahead of the EU in one respect. The ICO has confirmed the IDTA will validly cover transfers to organisations located in third countries even if they are directly regulated under Article 3 of UK GDPR.
This remains an area of confusion when it comes to the new EU SCC decision, owing to its troublesome Recital 7 which suggests SCCs cannot be used for transfers to importers in third countries who are directly regulated by (EU) GDPR. The EU Commission is still considering what to do about this, mooting yet another set of SCCs for these transfers. However, the UK position is now clear: transfers to such organisations will need a safeguard of this nature before they can take place lawfully, and the IDTA will do the job.
Summary
To recap on where things currently stand for transfers out of the UK to third countries without an EU adequacy decision:
- The new IDTAs take effect on 21 March 2022 (subject to Parliamentary approval).
- The ICO has suggested they can be used immediately (with that caveat about Parliamentary approval).
- You can keep using the old SCCs up to 21 March 2024 provided they are in place by 21 September 2022 (and assuming your processing does not change materially in the meantime).
- Finally, the longstop date to switch over from any remaining SCCs to IDTAs is 21 March 2024.
If you require further information about anything covered in this blog, please contact Owen O'Rorke, Alan Baker, Ian De Freitas or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2022