If your business transfers personal data out of the UK, you will need to ensure that your transfers comply with UK international data transfer laws.
Here we discuss the UK’s International Data Transfer Agreement (IDTA) and UK addendum and how these documents can serve as appropriate safeguards for international data transfers.
What are the UK standard contractual clauses (UK SCCs)?
The UK’s International Data Transfer Agreement (IDTA), with an addendum to the European Commission’s standard contractual clauses for international data transfers (UK Addendum), came into force on 21 March 2022.
Collectively, these are essentially the UK's standard contractual clauses (UK SCCs), the UK version of the EU standard contractual clauses (new EU SCCs).
The IDTA is a legal contract which has been published by the UK ICO to safeguard personal data which is sent outside of the UK to certain third countries. The IDTA is designed to be a user-friendly and simple document for organisations to use for international data transfers.
In contrast, the EU SCCs are contracts which have been produced by the European Commission, which are for the purposes of safeguarding personal data which is sent outside of the EU to certain third countries. The EU SCCs look different to the UK IDTA – they adopt a modular format and include separate provisions for various types of data-sharing scenarios.
UK businesses have a choice to use either:
- The IDTA as a standalone document; or
- The EU SCCs, with a specific UK Addendum document that modifies the EU SCCs to comply with UK data protection law. It is essential that organisations using the EU SCCs adopt the UK Addendum for the purposes of compliance with UK data protection laws.
What is a restricted transfer?
A restricted transfer is a transfer covered by Chapter V of the UK GDPR (Retained EU General Data Protection Regulation (EU 2016/679)). The UK GDPR restricts transfers of personal data outside the UK unless there is a provision permitting the restricted transfer that complies with the UK GDPR.
Data exporters in the UK can use the IDTA or the EU SCCs with the UK Addendum as a transfer mechanism when making a restricted transfer.
Essentially, a restricted transfer may take place if the data importer is located in a third country covered by the UK adequacy regulations, or if adequate safeguards, such as the UK SCCs, are in place.
The Information Commissioner’s Office (ICO) provides a checklist to assess restricted transfers and whether they can take place:
- Q1. Are we planning to make a restricted transfer of personal data outside of the UK?
  If not, you can make the transfer. If yes, go to Q2.
- Q2. Do we need to make a restricted transfer of personal data to meet our purposes?
  If not, you can make the transfer without any personal data. If yes, go to Q3.
- Q3. Are there UK ‘adequacy regulations’ about the country or territory where the receiver is located or a sector which covers the receiver?
  If yes, you can make the transfer. If no, go to Q4.
- Q4. Are we putting in place one of the ‘appropriate safeguards’ referred to in the UK GDPR, such as the IDTA or Binding Corporate Rules?
  If yes, go to Q5. If no, go to Q6.
- Q5. Having carried out a risk assessment, are we satisfied that for the data subjects of the transferred data, the relevant protections under the UK data protection regime will not be undermined?
  If yes, you can make the transfer. If no, go to Q6.
- Q6. Does an exception provided for in the UK GDPR apply?
  If yes, you can make the transfer. If no, you cannot make the transfer in accordance with the UK GDPR.
Should you reach the end of the checklist without finding a provision permitting the restricted transfer, then you will be unable to make that restricted transfer.
What is a third country?
This is a country or territory outside the UK. A non-adequate third country is one that lacks an adequacy decision. An adequacy decision means that the country has been assessed to provide adequate protection for personal data and you may send personal data there without putting additional measures in place.
The ICO’s guide to international transfers duly reviews and updates the countries which are deemed to be adequate.
How should transfers be made?
Organisations whose existing contracts relied on the old EU SCCs could previously consider them valid until 21 March 2024, provided the underlying data processing operations remained unchanged. This grace period has now passed. As a result, legacy contracts must now be reassessed and, where appropriate, updated to incorporate the IDTA or the new EU SCCs and the UK Addendum.
Which approach should you adopt – the IDTA or EU SCCs and UK Addendum?
The IDTA and the UK Addendum are alternative ways to ensure UK personal data is protected where there is a restricted transfer.
The approach your organisation uses depends on your operations. For example, international organisations that have operations across the UK and EEA jurisdictions will likely prefer the new EU SCCs plus the UK Addendum, rather than adopting the IDTA. The UK Addendum simply replaces terms that are EU specific with UK specific language. Organisations that have already implemented the new EU SCCs for data transfers may find adopting the UK Addendum a quicker and simpler fix.
The IDTA, however, is a standalone agreement (unlike the new EU modular approach) that can be used by a controller or a processor. Just like the new EU SCCs, it places contractual obligations on Data Exporters and Data Importers and also takes the Schrems II decision into account.
When considering the choice between the IDTA or EU SCCs and UK Addendum, consider factors such as:
- Whether your business transfers personal data from the UK only, or also from the EU.
- How familiar are you with the EU SCCs? If you have spent considerable time already putting in place EU SCCs, the UK Addendum and EU SCCs may be a viable option.
This is a complex topic and legal advice from a specialist data protection lawyer on which documentation is suitable for your business is advisable. A data protection lawyer can consider your business locations, and its data flows, and can advise on the most suitable mechanism to adopt for your purposes.
The ICO, in due course, will publish tools to provide support to organisations. These will consist of:
- Clause-by-clause guidance to the IDTA and Addendum.
- Guidance on how to use the IDTA.
Do I still need to carry out a transfer risk assessment (TRA)?
In short, yes. You will need to carry out a TRA if you are making a restricted transfer and you wish to rely on one of the Article 46 transfer tools.
A TRA is essentially a mandatory risk assessment for restricted transfers being made from the UK to assess the risks of the data transfer and whether any additional safeguards are required to ensure an adequate level of protection for the personal data being transferred.
The Schrems II judgement emphasises that before you rely on an Article 46 transfer tool, you must conduct a risk assessment. All UK-based Data Exporters must carry out a TRA for restricted transfers.
To assist companies, the ICO has published transfer risk assessment guidance and a tool.
The tool will help determine whether the IDTA can provide sufficient safeguards or whether further protections are required before the restricted transfer takes place.
Contract remediation and next steps
Consider the following next steps as a business transferring personal data out of the UK:
- Adopt an approach in line with your business operations when determining whether to put in place an IDTA or UK Addendum to the new EU SCCs.
- Scope all contracts where the use of the IDTA or the UK Addendum is required.
- Conduct a TRA to identify whether supplementary measures are required within the appropriate agreements.
We understand conducting transfer risk assessments or deciding whether to use the IDTA or the UK Addendum are complex tasks. Our specialist lawyers are on hand to assist you in identifying any restricted transfers and ensure that you have adequate safeguards in place to ensure compliance with the UK GDPR regime.