Under data protection law in both the UK and EU there is a general prohibition on the transfer of personal data outside of the UK or EU respectively unless adequacy or safeguards are in place prior to the transfer.
One of the safeguards that may be used is standard contractual clauses (SCCs), which form part of the contract between an exporter and importer of personal data and seek to contractually impose key aspects of data protection law that the importer is not otherwise subject to.
Following the UK’s withdrawal from the EU, the UK retained the GDPR in English law (UK GDPR) and has been utilising the old standard contractual clauses previously approved by the EU Commission (Old EU SCCs) as an appropriate safeguard for international personal data transfers.
Last year, the European Commission adopted new standard contractual clauses (New EU SCCs) – see our previous article here for more information. The New EU SCCs are intended to be more consistent with the GDPR and to a certain extent seek to take into account the Schrems II judgment – for more information on Schrems II, see our previous article here. In light of Schrems II, businesses now need to consider, in certain circumstances, undertaking Transfer Impact Assessments, also known as Transfer Risk Assessments (TIAs or TRAs). However, the New EU SCCs are not recognised under English law and so cannot be used for international transfers of personal data without further input.
IDTA and UK Addendum
As of 22 March 2022, the Information Commissioner’s Office (ICO) has introduced the following documents as an appropriate safeguard for the purpose of making restricted international transfers of personal data under the UK GDPR:
- an international data transfer agreement (IDTA); and
- an international data transfer addendum to the New EU SCCs (UK Addendum).
What should my organisation be doing in light of the changes?
If your organisation is making international transfers of personal data outside the UK, you should:
- Consider and understand what transfers you are carrying out, in particular:
  - Identify your contracts and transfers that are relying on the Old EU SCCs for UK transfers
  - Understand the roles of the parties (e.g. controller, processor or subprocessor)
  - Update the information relevant to the contracts and transfers, for example, reviewing the nature, purpose and subject-matter of the processing under any relevant agreement
- Consider if the New EU SCCs would be an appropriate way forward together with the UK Addendum
- Consider which of your organisation’s agreements will need to be updated, in particular, those agreements where data is being transferred under the Old EU SCCs. See below for further information on the deadlines for implementation
- Prepare to carry out Transfer Risk Assessments, in particular consider:
  - The facts of your restricted transfers including the type of personal data transferred, the categories of data subject as well as the purpose, format and method of transfer
  - The destination country, including whether there are UK adequacy regulations in relation to that country, its legal and court system and its laws regulating third parties' access to personal data; and
  - The potential impacts on and harms to data subjects of the transfer
- Consider what UK safeguard you are going to implement, whether this is the IDTA or the UK Addendum and how you will include such safeguard in your relevant agreements
What is a Transfer Risk Assessment (TRA)?
The ICO has stated that, in order to use the IDTA or the UK Addendum, organisations will need to carry out a TRA to make sure that the IDTA or the UK Addendum works as intended in the country where the personal data is being transferred.
Organisations should use a TRA to check that local laws and practices do not override the protections of the IDTA or the New EU SCCs as applied by the UK Addendum. A TRA would assist organisations in ensuring that the protections for data subjects are similar to the UK’s.
What is the International Data Transfer Agreement (IDTA)?
Under the UK GDPR, controllers and processors of personal data cannot transfer that data to a country outside of the UK unless:
- that country is covered by UK adequacy regulations;
- an exception covers the transfer; or
- the transfer is made under appropriate safeguards.
The ICO has stipulated that the IDTA is an appropriate safeguard that can be used by organisations to make transfers of personal data from the UK to third countries without the need to enter into the New EU SCCs. Fundamentally, the IDTA is a contract that parties can use to ensure that the relevant protections for data subjects of the transferred data are sufficiently similar to those offered under UK data protection law.
What is the UK Addendum?
The UK Addendum incorporates and applies the New EU SCCs to transfers of personal data from the UK, and it replaces references to EU laws and requirements with references to UK laws and requirements.
The UK Addendum is an alternative safeguard to the IDTA and would allow organisations to use the EU SCCs for international data transfers from the EU as well as the UK within the same agreement. It is important to note that the UK Addendum only works in connection with the New EU SCCs and cannot be relied upon if the parties are using the Old EU SCCs in their agreement.
What are the deadlines for my organisation to implement the IDTA or the UK Addendum?
Contracts concluded before 21 March 2022 that include the Old EU SCCs for transfers of personal data from the UK can be relied upon until 21 March 2024.
For contracts concluded between 21 March 2022 and 21 September 2022, the UK set out transitional provisions that permit new contracts concluded during this grace period to use the Old EU SCCs for transfers of personal data from the UK until 21 March 2024, provided that the processing operations under the contract remain unchanged.
Contracts concluded after 21 September 2022 under which personal data is transferred from the UK will all need to contain either the IDTA or the UK Addendum.