Out-Law / Your Daily Need-To-Know

UK guide on data transfer codes and certification anticipated

Out-Law News | 02 Jun 2021 | 10:31 am | 2 min. read

New guidance on how businesses might use codes of conduct and certification schemes to demonstrate their compliance with rules governing international data transfers could be issued by the UK’s data protection authority in a matter of weeks, Out-Law has learned.

The Information Commissioner’s Office (ICO) confirmed that it is considering issuing guidance on the topic after the UK government reiterated its intention to be “a global champion of safe and secure data flows” and said that it was working with the ICO on “publishing new guidance on international transfers”, including “on the use of codes of conduct and certification schemes as transfer mechanisms”.

A spokesperson for the ICO told Out-Law: “We are currently working to develop our thinking and potential new guidance on how codes of conduct and certification schemes may be used to support enhanced accountability in international transfers. We hope to publish content on this topic in the coming weeks. If any organisation is thinking of developing these mechanism in this way we would encourage them to get in touch with us on [email protected] or [email protected].”

Data protection laws in the UK and EU both provide for businesses to be able to voluntarily sign up for certification of their data protection practices. Only data protection authorities or independent accredited 'certification bodies', which must have "an appropriate level of expertise in relation to data protection", can operate certification schemes.

The legislation also provides for the endorsement of industry-drafted codes of conduct that are "intended to contribute to the proper application" of the law. It is open to the ICO to approve codes designed for use within the UK.

The government’s confirmation of its ongoing work with the ICO was included in a recent response it published to a consultation it had earlier held on the UK’s national data strategy. The strategy is wide-ranging but broadly it aims to improve data use in government and better enable businesses to use data to innovate. A core component of the strategy is “championing the international flow of data”.

In its strategy response, the government said it intends to “remove unnecessary barriers to cross border data flows” as part of trade agreements the UK enters into, and it called on the EU to “swiftly complete the technical process for adopting and formalising” the draft adequacy decisions the European Commission published earlier this year in respect of the UK’s data protection regime which, if finalised, would support EU-UK data flows.

In addition to its comments on codes of conduct and certification schemes, the government also set out details of the other work it is doing together with the ICO to “provide a flexible framework for cross border transfer flows that protects UK personal data”. The work includes “using repatriated UK powers” to develop new UK standard contractual clauses (SCCs) and developing “a new expedited process” for the approval of UK binding corporate rules (BCRs).

EU SCCs are the most popular legal mechanism relied upon by businesses to comply with EU data protection laws when transferring personal data outside of the European Economic Area (EEA), while BCRs are commitments companies can make to data regulators around their handling and protection of personal data in the context of intra-group data transfers to non-EEA jurisdictions.

Out-Law asked the ICO for a progress report on the development of UK SCCs and on the new UK BCRs process. In response the ICO confirmed that work is ongoing on the SCCs and that it intends to issue draft SCCs for consultation this summer, and said that it is considering points of learning from new UK BCR process that it published referential tables and applications forms for, for both controller and processor BCRs, in January. It said it is “looking to improve and streamline the application process for organisations that wish to use BCRs as an international data transfer mechanism”.