The position on international data transfers remains highly complex as a result of the perfect storm of Brexit, the CJEU Schrems II decision in 2020, new EU Standard Contractual Clauses (SCCs) and a proposed new UK international data transfer agreement (IDTA).
So far as transfers from the UK are concerned, the ICO’s consultation on its draft IDTA and guidance, which is intended to replace Standard Contractual Clauses (SCCs) for transfers from the UK, closed on 11 October 2021. We expect to see the new IDTA coming onstream in 2022. The ICO has also proposed a practical solution that the EU SCCs could be used for transfers from the UK with a short Addendum.
There is likely to be a short grace period when we can continue to use the old SCCs for new agreements, and then a 24-month period in which all existing agreements will need to be upgraded to the new format.
In the meantime, so far as transfers from the UK to countries other than in the EU (or other countries with adequacy findings) are concerned, we can continue to use the old (but not the new) EU approved SCCs, although the ICO has issued an adapted version of the EU SCCs which can be used with updated post-Brexit references.
So far as transfers from the EEA are concerned, we must now use the new (but not the old) EU SCCs. Moreover, all existing agreements based on the old EU SCCs will need to be migrated to the new EU SCCs by the end of 2022.
So, at the moment, if you have transfers from both the UK and the EEA, then a different approach is needed for each.
But it is not enough simply to sign up the IDTA / SCCs. Following Schrems II, you also need to undertake a transfer risk assessment (TRA) and, as needed, implement supplemental measures.
In this respect, the ICO has provided a draft TRA Tool as a guide to the process. This can be a relatively complex exercise but the ICO TRA Tool provides practical support. As the ICO comments, “If you can show that you have used your best efforts in completing a TRA, whether or not you use this TRA Tool, if it later turns out that your decisions were not correct, we will take this into account in our likely approach to any breach of …UK GDPR”.
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.