Standard Contractual Clauses for personal data imports and exports to and from the UK: an update
14th January, 2021
Following the expiry of the transition period on 31 December 2020, the UK's rules on transferring personal data outside the UK have changed.
For personal data transfers to and from the EEA, the rules will continue as they were before 1 January 2021 until either (i) the European Commission adopts an adequacy decision in respect of the UK; or (ii) at the latest, six months from the date the EU-UK Trade and Cooperation Agreement came into force (i.e. 30 June 2021). Further information on the Trade and Cooperation Agreement and personal data flows can be found in our update here.
However, if the European Commission does not adopt an adequacy decision in respect of the UK, organisations in the European Economic Area (“EEA”) will need a mechanism in place to export personal data to the UK. This includes access by UK organisations to personal data stored by them on servers within the EEA. The mechanism most likely to be used will be standard contractual clauses. In late 2020 the European Commission published new standard contractual clauses, which it is likely to adopt this year. These include processor to controller clauses, which could be used, once adopted by the EU, when a UK-based organisation uses a processor based in the EEA.
What about transfers from the UK outside the EEA?
The existing rules on personal data transfers will continue to apply. If the UK has not adopted an adequacy decision in respect of a country, then it is likely that standard contractual clauses will often be the most appropriate transfer mechanism to export personal data to that country.
The ICO’s guidance (available here) provides that UK controllers can continue to use the existing EU standard contractual clauses for personal data transfers, including if UK organisations already have these in place for personal data transfers. However, as these are based on transfers outside the EEA, these clauses should be amended to reflect the fact that the UK is no longer part of the EU. The ICO has therefore produced UK versions of the standard contractual clauses with suggested UK changes. These are available using the same link to the ICO guidance above. If you are transferring personal data outside the EEA from 1 January 2021 (and you do not already have standard contractual clauses in place), then you should put in place the amended UK version of the standard contractual clauses.
The ICO has stated that it intends to consult on and publish UK standard contractual clauses this year, so organisations should continue to look out for further guidance and updates.
What about supplementary measures when using standard contractual clauses?
The ICO’s guidance reiterates that controllers, when making personal data transfers using standard contractual clauses, must assess whether the standard contractual clauses alone provide protection which is essentially equivalent to the protection provided by UK data protection law. If not, organisations are required to put in place supplementary measures with the recipient of the personal data to ensure that the ‘essentially equivalent’ standard of protection is met. Further information on what these supplementary measures might be can be found in our update here.
Ward Hadaway regularly advises organisations in a variety of sectors on data protection law compliance issues and our team of data protection experts are experienced in dealing with personal data exports. For more details of how we can help you, or for guidance on any of the issues raised above, please get in touch.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.