The Information Commissioner’s Office (ICO) is working to create new UK Standard Contractual Clauses (SCCs) for international data transfers, which should be released for consultation this summer.
What are SCCs?
SCCs are standard sets of contractual terms which the sender and the receiver of the personal data enter into. They include contractual obligations which help to protect personal data when it leaves the EEA and the UK and allow for the transfer of personal data outside of the protection of GDPR. They contain obligations for the data exporter and receiver (importer), as well as rights for the individuals whose personal data is transferred.
How do they work currently?
Currently, the UK uses the current EU SCCs, which remain valid for a period.
So why change?
The EU is also updating its SCCs, which will replace the current mechanisms. As the UK is no longer part of the EU, the new EU SCCs would not be valid for transfers from the UK. Therefore, the ICO is planning to issue “bespoke” UK SCCs for international transfers, to ensure data can flow without disruption.
EU updated SCCs
The new EU SCCs widen the scope of transfer scenarios and acknowledge that the chain of data processing is not always straightforwardly controller to processor. They are more modular in approach and cover more scenarios than the current EU SCCs.
Next steps
Until we see the proposed UK SCCs, it's difficult to assess the impact they will have. Meanwhile, it is acceptable in the very short term to use the current EU SCCs, and thought will need to be given to whether to use the new EU updated SCCs and the new UK SCCs when developed.
The ICO is planning to publish the UK SCCs later this year.