Following the consultation run by the Information Commissioner’s Office (“ICO”) in 2021, the UK’s international data transfer agreement (the “IDTA”) and international data transfer addendum (the “UK Addendum”) to the European Commission’s Standard Clauses (the “New EU SCCs”) have been laid before parliament. Assuming that there are no objections, the IDTA and the UK Addendum will come into effect on 21 March 2022.
The New EU SCCs were implemented last year to help businesses legitimise the transfer of personal data from the EEA but they do not apply to transfers from the UK. This meant that UK organisations were left needing to continue using the old EU standard contractual clauses (“Old SCCs”) although they had become outdated. The IDTA and the UK Addendum address that disconnect and offer organisations new transfer tools to safeguard personal data that is to be transferred outside of the UK to a “third country” not covered by adequacy decisions.
In essence, the IDTA is the UK’s answer to the New EU SCCs and it can be deployed as a standalone agreement or it can be incorporated into a wider commercial arrangement. Similarly to the New EU SCCs, the IDTA provides a package of clauses that can be adapted for various transfer scenarios (including processor to processor and processor to controller transfers). It also reflects the impact of the Schrems II judgment and the need to carry out a transfer risk assessment.
The UK Addendum
The UK Addendum is intended to complement the New EU SCCs and contains provisions that are designed to make the New EU SCCs operable under UK law. This “light-touch” document is an attractive alternative to organisations that make transfers from the UK and the EU to third countries. The UK Addendum could easily be “bolted on” as a supplement to existing or new contracts formed using the New EU SCCs to ensure that UK data flows are also protected.
The ICO has laid out a document to the parliament (alongside the IDTA and the UK Addendum), which sets out transitional provisions in relation to the Old SCCs. Organisations may continue to enter into new contracts on the basis of the Old SCCs until 21 September 2022 and all contracts entered into by that date can rely on the Old SCCs to safeguard transfers under UK GDPR until 21 March 2024.
Action to Take
Any organisation that transfers personal data from the UK to a third country should be taking the following action whilst we wait for the new transfer tools to come into effect:
consider the pros and cons the IDTA and the UK Addendum and determine which would suit the transfers made by your organisation.
devise an implementation strategy for new contracts. The new transfer tools prioritise new contracts and those that are up for renewal as the new transfer tools will have to be used for contracts entered into from 22 September 2022.
keep an eye on existing contracts that use the Old SCCs. They will continue to be valid until 21 March 2024 and they may rank low on your list but they should not be forgotten.
watch out for further updates/ guidance from the ICO especially in relation to risk assessment guidance if your organisation is involved in transfer of data to countries that may not have adequate laws or procedures in place to safeguard transfer of data.