Data Protection Law
International transfers of personal data have been shaken up in recent memory. Most obviously, Brexit has placed the EU and UK in separate data protection regimes, rendering any transfer between them international and therefore subject to new conditions. Additionally, data transfers to the US have been disrupted by the judgement in Schrems II. This landmark case led to the striking down of the EU-US Privacy Shield, which had enabled the free flow of data to certain US-based organisations. For more information on the impact of Brexit, read our blog.
Where does it all lead? It is easy to be overwhelmed by the complexity of the legal and political implications of these developments. However, as most organisations are realising, the simple solution continues to be Standard Contractual Clauses (SCCs). After an introduction to international transfers, this blog will focus on the use and future of SCCs, which for the majority of organisations will be the most practical data transfer mechanism.
General principle for data exports to non-UK countries
International transfers of personal data to a country outside the UK (third country) may only take place if the controller and the processor comply with certain conditions. A transfer of personal data to a third country may take place if:
- the UK has decided that the third country ensures an adequate level of protection
- the controller or processor has provided appropriate safeguards, and enforceable data subject rights and effective legal remedies for data subjects are available.
Third countries with adequate levels of protection
The UK has “adequacy regulations” in relation to the following countries and territories:
- The European Economic Area (EEA) countries. These are the EU member states and the EFTA States. The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden. The EFTA states are Iceland, Norway and Liechtenstein.
- EU or EEA institutions, bodies, offices or agencies.
- Countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020). These include a full finding of adequacy about the following countries and territories: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. In addition, the partial findings of adequacy about: Japan – only covers private sector organisations. Canada – only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Not all data is subject to PIPEDA. For more details please see the EU Commission’s FAQs on the adequacy finding on the Canadian PIPEDA.
International transfers of personal data – adequate safeguards
If the third country has not been granted an adequacy decision then organisations can rely upon adequate safeguards. Schrems II has added an additional burden – before you may rely on an appropriate safeguard to make a restricted transfer, you must be satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime. This can be done by undertaking a risk assessment, which takes into account the protections contained in that appropriate safeguard and the legal framework of the destination country (including laws governing public authority access to the data). This assessment is undoubtedly complex in many situations. The ICO intends to issue guidance on this topic in due course.
Controllers and processors may provide adequate safeguards through:
- A legally binding agreement between public authorities or bodies.
- Binding corporate rules (agreements governing transfers made between organisations within a corporate group).
- Standard data protection clauses in the form of template transfer clauses adopted by the Commission.
- Standard data protection clauses in the form of template transfer clauses adopted by the ICO.
- Compliance with a code of conduct approved by a supervisory authority.
- Certification under an approved certification mechanism as provided for in the GDPR.
Is the restricted transfer covered by an exception?
If you are making a restricted transfer that is not covered by UK ‘adequacy regulations’, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the ‘exceptions’ set out in Article 49 of the UK GDPR:
Exception 1: Has the individual given his or her explicit consent to the restricted transfer?
Exception 2: Do you have a contract with the individual? Is the restricted transfer necessary for you to perform that contract?
Exception 3: Do you have (or are you entering into) a contract with an individual which benefits another individual whose data is being transferred? Is that transfer necessary for you to either enter into that contract or perform that contract?
Exception 4: You need to make the restricted transfer for important reasons of public interest.
Exception 5: You need to make the restricted transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim.
Exception 6: You need to make the restricted transfer to protect the vital interests of an individual. He or she must be physically or legally incapable of giving consent.
Exception 7: You are making the restricted transfer from a public register.
Exception 8: You are making a one-off restricted transfer and it is in your compelling legitimate interests.
International transfers of personal data – Standard Contractual Clauses
You can make a restricted transfer if you and the receiver have entered into a contract incorporating standard data protection clauses recognised or issued in accordance with the UK data protection regime. These are known as ‘standard contractual clauses’ (‘SCCs’ or ‘model clauses’).
The SCCs contain contractual obligations on you (the data exporter) and the receiver (the data importer), and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter.
ICO guidance on Standard Contractual Clauses
The commentary on the ICO webpage on Standard Contractual Clauses (SCCs) after the end of the transition period provides guidance on what the ICO expects from UK controllers in relation to restricted transfers, i.e. when they are seeking to export personal data from the UK to entities located in countries which do not provide an adequate level of data protection. As shown above, the SCCs represent one of a number of “appropriate safeguards” available to enable such transfers to take place. SCCs are often the most practical method for organisations when it comes to data transfers.
The ICO guidance states that UK controllers can continue to use the existing EU SCCs. The guidance goes on to state:
“You are able to make changes to those EU SCCs so they make sense in a UK context provided you do not change the legal meaning of the SCCs. For example, changing references from the old EU Data Protection to the UK GDPR, changing references to the EU or Member States, to the UK, and changing references to a supervisory authority to the ICO.
Otherwise you must not make any changes to the SCCs, unless it is to add protections or more clauses on business related issues. You can add parties (i.e. additional data importers or exporters) provided they are also bound by the SCCs.”
ICO versions of the SCCs
The versions of the SCCs the ICO has created contain suggested changes. These are only suggestions, but if you wish to deviate from them, your changes should be consistent with the principles set out in the above guidance extract and the guidance generally, i.e. they need to make sense in a UK context and must not change the legal meaning of the SCCs. The ICO versions therefore act as a starting point, with changes made only where strictly necessary for the clauses to make sense.
Schedule 21 of the Data Protection Act 2018 details the types of changes that can be made to the EU version for use by a UK controller, but it also appears to allow the EU version to be used as it is, without amendment, unless disapplied by the Secretary of State or the Information Commissioner (see paragraphs 7 and 8 of Schedule 21).
Exporting from both the UK and the EU
Ideally, if personal data is to be exported from both the UK and the EU to a jurisdiction not deemed adequate by both the UK government and the European Commission, the exports from the UK and from the EU should be treated separately because, while virtually identical, the EU GDPR and UK GDPR are completely separate regulatory regimes. If SCCs are chosen as the appropriate safeguard, the safest option would be for the data exports from the UK and the EU to be covered by different sets of clauses (or potentially, depending on risk, to use the EU SCCs with an additional set of amendments for the UK version).
This point is underlined in the original European Commission decision of 2004, which states that each set of SCCs as a whole forms a model, so data exporters should not be allowed to amend these sets or to merge them, totally or partially, in any manner. To meet the data transfer requirements under the UK GDPR and the EU GDPR, a controller that wants to use SCCs cannot adapt them beyond what has been recommended by the ICO and by the EC guidance on their use.
It is important to point out that, looking retrospectively, if the EU SCCs were entered into prior to the end of the transition period, they will continue to be valid for restricted transfers under the UK GDPR. There will not be a need to replace the EU SCCs contracted before 1 January 2020 with updated UK SCCs.
New Standard Contractual Clauses
On 12 November 2020 the EU Commission published standard contractual clauses for international transfers of personal data to third countries under the General Data Protection Regulation ((EU) 2016/679) (GDPR). This was a draft implementing decision and Annex. The Commission had previously indicated that these clauses would be finalised before the end of 2020 although, as they require the opinion of the EDPB and EDPS and consultation with member states under the comitology procedure, they will now come into force in 2021.
The Commission notes that the clauses are a modernisation of the previous clauses, designed to better reflect the use of new and complex processing operations involving multiple parties, complex processing chains and evolving relationships. They are designed to be flexible and allow for a number of parties, including for parties to accede to the clauses later (“docking clause”). They are drafted in a modular approach with general clauses followed by options for different processing circumstances.
Key points of interest include that the clauses:
- Can be used by controllers and processors, including those not established in the EU but caught by the GDPR, and cover both controller-to-controller and controller-to-processor options. They can also be used for EU processor to non-EU controller transfers and for processor-to-sub-processor transfers, both of which are new options.
- Can be included in a wider contract, and additional clauses and safeguards can be added provided these do not contradict the SCCs or prejudice the rights of data subjects.
- Should include rules for liability and indemnification between the parties and are enforceable by data subjects as third-party beneficiaries against the data exporter or importer.
What does this mean for the UK?
Under the UK-EU trade and co-operation agreement, the UK is obliged not to exercise certain powers under its own data protection legislation, including producing its own SCCs, during the four to six month extension period (starting on 1 January 2021; for more information see our blog). The ICO intends to consult on and publish new UK SCCs during 2021. With Brexit, the ICO and Secretary of State must keep the transitional arrangements for SCCs under review, and both are now able to issue new SCCs. It may be that at some point the EU SCCs will cease to be valid for new and/or existing restricted transfers from the UK.
The extent to which the ICO, which is reviewing the new EU SCCs, is influenced by the new EU model clauses will be another example of how the two regimes wish to either split or merge. Given that the UK has already granted countries in the EU an adequacy decision (and seems to hope for one in return), it is not overly speculative to suggest that the new EU SCCs will, in some form or another, be incorporated into UK data protection law. However, as noted above, this will not be possible until after the four to six month extension period the UK currently finds itself in.
Here to help
International transfer of personal data is a complex area of law, and one in a state of transition. As suggested above, the most practical solution for many organisations will be the use of SCCs, but that is not to say your transfers cannot be enabled any other way (see above). The extent to which organisations will have to review their positions will depend on whether or not the EU grants the UK an adequacy decision and on the extent to which the ICO incorporates the soon-to-be-published new EU standard contractual clauses into its own. In any event, organisations need to be on the lookout for when these new clauses come into force in both the EU and the UK.