In short: no, not currently.
The European Commission recently adopted new standard contractual clauses (SCCs) for transfers of personal data from the EU to “third countries” (the “new SCCs”). In this post, we highlight key developments in the UK’s data protection regime relating to SCCs.
Can UK controllers and processors rely on the new SCCs?
The EU’s new SCCs were adopted after the expiry of the Brexit transition period. This means that they are not recognised by UK law as a means of providing “appropriate safeguards” for outbound international transfers of personal data regulated under the UK General Data Protection Regulation. There is no indication at present that either the UK government or the Information Commissioner’s Office intends to take action to address this position.
For the time being, UK controllers may continue to rely on the old EU SCCs when transferring personal data to third countries, including using them to document new transfers from the UK. The ICO has confirmed that organisations may amend the old EU SCCs to ensure they make sense when used for transfers from the UK, for example, by updating references to applicable legislation, or removing references to “the EU” or “Member States”. The old EU SCCs should not otherwise be amended, unless it is to add protections or deal with commercial matters in ways that do not dilute the protections provided.
What does the future hold?
It has been announced that the ICO intends to publish a UK-specific set of SCCs (the “UK SCCs”) for consultation in July 2021. Organisations conducting personal data transfers to third countries from both the UK and the EU should therefore keep developments under review over the summer period. Depending on timings, it is possible that such organisations may need to include both the EU’s new SCCs and the UK’s SCCs in future contracts.
“Championing the international flow of data” is one of the key missions underlying the UK’s National Data Strategy. Speaking at a conference organised by Privacy Laws & Business on 5 July 2021, the UK Minister of State for Media and Data, John Whittingdale, stressed the UK’s commitment to developing international transfer tools, including codes of conduct and certification, and to adopting adequacy decisions independently of the EU. This suggests we can expect to see significant developments in the UK’s data protection framework in the months ahead.