ICO consults on SCC replacement
By Sarah Pearce
On 11 August 2021, the Information Commissioner’s Office (ICO) launched a public consultation on its draft international data transfer agreement (IDTA). The consultation comes just two months after the European Commission adopted new Standard Contractual Clauses (SCCs); the idea is that the ICO’s IDTA will replace the existing SCCs for transfers outside of the UK, taking into account both Brexit and the now infamous Schrems II decision of the European Court of Justice.
The consultation is split into three sections: (1) proposal and plans for updates to guidance on international transfers (the Guidance), (2) transfer risk assessments (TRA) and (3) the IDTA.
The Guidance aspect of the consultation seeks feedback on the interpretation of the extraterritorial effects of Article 3 of the UK GDPR and the appropriate safeguards under Chapter V UK GDPR. The consultation also considers the derogations available under Article 49 UK GDPR and the interpretation of “necessary and proportionate”.
The ICO has produced a TRA tool to assist organisations when completing the risk assessment required following the Schrems II decision. The ICO notes that the TRA tool is only one method of carrying out the risk assessment and organisations are free to use other appropriate methods.
The consultation suggests a three-step approach to using the TRA tool. First, the organisation must confirm that the tool is suitable for the restricted transfer: if the restricted transfer is considered high risk after assessing factors such as the nature of the importer and any onward transfers, the tool may not be appropriate. The ICO stresses that the TRA tool is designed to assist with ‘routine restricted transfers’ only. Second, the organisation must assess whether the IDTA is enforceable in the destination country. If there is concern over the IDTA’s enforceability, a supplementary risk assessment is required to consider whether there is a risk of harm to data subjects. Finally, step three is to assess the destination country’s regime for regulating third-party access to personal data (including surveillance). After step three, the transfer can go ahead if the destination country’s regime for regulating third-party data access is sufficiently similar to the principles which underpin the UK regime or, alternatively, if the possibility of third-party access is minimal or the risk of harm to data subjects is low, even if third-party access did take place.
The IDTA is intended to be one of the appropriate safeguards under Chapter V UK GDPR. The consultation includes a template IDTA, guidance on how to complete it, guidance templates and frequently asked questions.
The IDTA does not follow the same modular approach as the new SCCs, instead opting for separate tables containing details of the parties, the transfer, the transferred data, and security requirements. The rest of the IDTA is made up of extra protection clauses, commercial clauses, and mandatory clauses. Whilst the initial parts of the IDTA are subject to input from the parties, the mandatory clauses must be included without any amendment. The mandatory clauses form the parties’ obligations in relation to the transfer and include information such as how the IDTA provides appropriate safeguards.
The consultation seeks opinion on various aspects of the IDTA such as whether it provides an effective safeguard for data subject rights and whether it provides a risk-based implementation of the UK GDPR and Schrems II.
The consultation also seeks input on the ICO’s intention to produce guidance templates on, amongst others, the optional TRA extra protection clauses, optional commercial clauses, and a multi-party IDTA. The ICO is also considering issuing an IDTA in the form of an addendum to model data transfer agreements from other jurisdictions, such as the EU SCCs. The addendum would amend the EU SCCs to work in the context of UK data transfers, saving the need for a separate agreement.
The consultation is open until October 7 2021 and seeks feedback on a number of aspects, so it will be interesting to see the extent to which the ICO maintains its approach. What is clear is that the ICO is looking to distinguish itself and the mechanisms for restricted transfers from the UK, thus reducing the possibilities for organisations to simply replicate a “UK Version” of the EU SCCs as some businesses had hoped; more thought will be required. We will continue to monitor the situation and provide further updates as to developments in this area.