Data transfers and the ICO consultation

When the UK formally left the European Union on 31 December 2020, it became a ‘third country’ for the purposes of applicable data protection legislation. For the flow of personal data to continue between the UK and the EU without restriction, UK data protection law must remain broadly aligned with that of the EU. However, recent developments have shown the potential for divergence, which has significant implications for UK businesses that share personal data with Europe.

As the UK left the EU, the General Data Protection Regulation (‘GDPR’) was replaced by the UK GDPR, which is supplemented by the Data Protection Act 2018. The UK GDPR shares many of the operative provisions of the GDPR, including the restriction on transferring personal data to ‘third countries’. From a GDPR perspective, the UK is now a third country, to which the transfer of personal data is generally prohibited in the absence of appropriate safeguards to ensure the protection of personal data to European standards.

Prior to the end of the transition period, there loomed a real possibility transfers of personal data from Europe to the UK would have been prohibited. For UK businesses, charities and public authorities that receive personal data from Europe, this could have been problematic. Fortunately, on 28 June 2021, the European Commission issued two adequacy decisions that enabled the free flow of data to continue from European Member States to the UK. However, these adequacy decisions were contingent on the UK data protection regime’s continuing alignment with that of the EU. The Commission’s decisions make it very clear material divergence by the UK may result in those adequacy findings being rescinded.

An area that may be starting to show the beginnings of divergence between the UK and the EU is data transfers. In June of this year, the European Commission adopted new standard contractual clauses (SCCs) to enable the transfer of personal data to third countries. SCCs are recognised as an appropriate safeguard that ensures adequate protection for personal data where it is transferred from the EU to a third country. The new SCCs address a number of well-documented deficiencies of their predecessors and provide a flexible data transfer solution that reflects the realities of current multinational businesses and their data processing arrangements.  

However, the ‘new’ SCCs are not currently recognised by the ICO for transfers of personal data from the UK to third countries. Instead, the ICO launched its own consultation in August.

The ICO consultation, which closed on 7 October, is split into 3 sections, which are as follows:

1. Proposal and plans for updates to guidance on international transfers;

2. Transfer risk assessments (‘TRA’); and

3. The international data transfer agreement (IDTA) and guidance, which will replace the Standard Contractual Clauses (SCCs) in the UK.

This appears to demonstrate an intention by the ICO to choose its own path instead of following EU guidance. Provided the UK maintains a level of data protection equivalent to European standards, it is free to do so. However, if individuals’ privacy rights are significantly diminished, this could result in the UK’s adequacy decision being rescinded. This would have widespread implications for trade between the EU and the UK. For instance, multinational businesses could be restricted in their ability to share customers’ employees’ and suppliers’ personal data with international group entities.  

Currently, there is nothing to suggest the ICO consultation could result in the UK losing its adequacy decision. However, it is perhaps an early indicator of a diverging approach. In practice, the consequence of the consultation is that multinational businesses that wish to share employees’ customers’ and suppliers’ personal data across international borders will have to negotiate two sets of rules. This is more of an inconvenience than insurmountable. That said, if future developments in the UK data protection regime lead to significant divergence, the loss of the UK’s adequacy decision could present far more of an obstacle. Data protection compliance appears to be becoming more complex rather than simplified. Increasing complexity and the pace of change presents a challenge to data protection advisers and their clients alike.  

James Castro-Edwards is privacy, cybersecurity and data strategy counsel at Arnold & Porter: arnoldporter.com; arnoldporter.com/en/people/c/castro-edwards-james