A proposal before the United Kingdom Parliament replaces the current “standard contractual clauses” (SCCs) used to govern data movement between the UK/EU and other countries considered to have “inadequate” equivalent data protection laws. The “International Data Transfer Agreement” tools can be used as early as late March, but will not be mandatory until September and will not fully supplant existing SCCs until 2024.
International data transfer tools seek to move UK forward
Many organizations in the UK are working with SCCs put in place prior to the complete break from the EU (and the General Data Protection Regulation) in 2021. The International Data Transfer Agreement tools are meant to reflect the changes made to the UK’s own version of the GDPR.
The International Data Transfer Agreement is the result of a 2021 request by the ICO to the Department for Culture, Media and Sport (DCMS) for the development of tools and guidance specific to the UK GDPR, which began essentially as a copy of the EU GDPR but has since made some changes to domestic provisions and remains in “review” status to facilitate future changes.
The new rules currently lie before Parliament and will go active on March 21, provided no objections are raised. Existing EU SCCs, and any created before September 21 of this year, will continue to be valid without any further action needed until that date. But as of September 21, new agreements will need to make use of an International Data Transfer Agreement tool.
Pre-existing EU SCCs will remain valid until March 21, 2024 (so long as the subject matter remains unchanged), at which time they must be replaced.
Though the UK has entirely parted ways with the foundational EU GDPR at this point, the International Data Transfer Agreement takes account of the European Court of Justice’s “Schrems II” decision establishing foreign data transfer partner adequacy. The retention of the majority of the GDPR structure keeps data flows moving between the UK and the rest of Europe, but may also complicate relationships with other countries that are not on equivalent data privacy footing (particularly the United States).
Gradually moving on from SCCs
The UK GDPR does have one key difference in the area of SCCs. In the EU, a new SCC structure was adopted in June 2021 in response to the fallout of the Schrems II decision. To be extremely general, this requires enhanced security measures for data transfers to the United States and other nations considered to have inadequate legal protections. The UK GDPR continues to allow the old SCC terms (“legacy SCCs”) to be legally viable.
SCCs that comport with the new standards and are already in place (or put in place before September) look to be usable until March 2024. But after that, the UK-specific transfer tools take over as the mandatory governing instrument. Additionally, even the older SCCs will require organizations to conduct a risk assessment for each third-country partner to ensure that the terms comport with the data privacy standards required by the newer SCCs and the International Data Transfer Agreement.
Some early legal analysis indicates that the International Data Transfer Agreement has more straightforward and “user-friendly” language than the existing SCC structure, but it is unclear how quickly organizations will move to switch over. There is also a potential dispute brewing in that each region’s version of the transfer agreements includes a clause that attempts to override the other in the event of a conflict. The International Data Transfer Agreement is also open to future revisions, with the government expected to expand on its policy intentions soon.
As Linnea Solem, CEO and Founder of Solem Risk Partners, observes: “Managing GDPR compliance continues to be complex for outsourcers and service providers to adopt new contract provisions and ensure that due diligence processes align to the strengthened obligations for third party risk management (TPRM). Adopting the EU’s Standard Contractual Clauses (SCCs) or the UK’s International Data Transfer Agreements for new and existing data processor relationships is a much larger undertaking than simply updating contracts. The changes put a spotlight on both data governance and enforcement of data protection safeguards that impact the governance model and policies in a TPRM Program. Data governance is front and center with the guidance on international data transfers from the UK ICO. Organizations that need to comply with both GDPR and the UK’s requirements need to build out their operational plans and bring together a strong understanding of the relationship between contracts, vendor management and privacy.”
Some other small differences in the International Data Transfer Agreement include the possibility to go to arbitration to settle disputes, the governance of data transfers from sub-processors to processors, and the opportunity for parties to agree on audit provisions. Tom Garrubba, Vice President of Shared Assessments, notes: “Besides including effective and enforceable data subject rights, the IDTA contains appropriate safeguards for the transferred data. Therefore, since these are enforceable, it’s extremely important that both the outsourcer and processor are able to achieve the agreeable conditions (e.g., the security and privacy controls) over data transfer.”
Ultimately, as the Schrems II case made clear, all of this legal difficulty essentially traces back to the US government’s data interception and collection practices (and the fact that tech giants tend to be based there and do their data processing there). SCCs have managed to adapt by adding new layers of security, primarily encryption, but the threat of another legal challenge always looms. The only absolutely sure way to avoid GDPR fines would be for the US to pass a GDPR-equivalent federal data privacy law, and to end the legal provisions that allow access to foreign data outside of legitimate investigations of serious crimes. There is also the question of extralegal data collection, as the Snowden case pointed out; a recently declassified CIA program allowing for bulk collection also indicates that American intelligence agencies are not even following their own rules when it comes to the domestic population, much less the data of foreigners flowing from overseas to the likes of Facebook and Google.