Here we discuss how the new International Data Transfer Agreement (IDTA) and UK addendum differ from the previous UK SCCs along with the timeline for implementing them.
- What are the UK standard contractual clauses (UK SCCs)?
- What is a restricted transfer?
- What is a third country?
- How have transfers previously been made?
- How should transfers now be made?
- Which approach should you adopt, IDTA or Addendum?
- Do I still need to carry out a transfer risk assessment (TRA)?
- Contract remediation and next steps
What are the UK standard contractual clauses (UK SCCs)?
We finally have clarification on the transfer of personal data outside the UK. The new UK International Data Transfer Agreement (IDTA), with an addendum to the European Commission’s standard contractual clauses for international data transfers ('UK Addendum'), came into force on 21 March 2022. Collectively these will be referred to as the UK standard contractual clauses (UK SCCs), essentially the UK version of the new EU standard contractual clauses (new EU SCCs).
This clarification was much needed since the new EU SCCs were published following Brexit (UK’s exit from the EU).
Companies that have been using current arrangements for transfers using the old EU SCCs have until 21 March 2024 to complete implementation of the UK SCCs, provided that the processing operations that are the subject matter of the contract remain unchanged and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
What is a restricted transfer?
This is a transfer covered by Chapter V of the UK GDPR (Retained EU General Data Protection Regulation (EU 2016/679)). The UK GDPR restricts transfer of personal data outside the UK unless there is a provision permitting the restricted transfer in accordance with the UK GDPR.
Data exporters in the UK will be able to use the IDTA or the new EU SCCs with the UK Addendum as a transfer mechanism when making a restricted transfer.
Essentially, a restricted transfer may take place if the Data Importer is located in a third country covered by the UK adequacy regulations, or if adequate safeguards, such as the UK SCCs, are in place.
The ICO provides the helpful checklist below to assess whether restricted transfers can take place:
- Q1. Are we planning to make a restricted transfer of personal data outside of the UK?
If no, you can make the transfer. If yes, go to Q2.
- Q2. Do we need to make a restricted transfer of personal data in order to meet our purposes?
If no, you can make the transfer without any personal data. If yes, go to Q3.
- Q3. Are there UK ‘adequacy regulations’ in relation to the country or territory where the receiver is located or a sector which covers the receiver (which currently includes countries in the EEA and countries, territories or sectors covered by existing EU ‘adequacy decisions’)?
If yes, you can make the transfer. If no, go to Q4.
- Q4. Are we putting in place one of the ‘appropriate safeguards’ referred to in the UK GDPR?
If yes, go to Q5. If no, go to Q6.
- Q5. Having undertaken a risk assessment, we are satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime.
If yes, you can make the transfer. If no, go to Q6.
- Q6. Does an exception provided for in the UK GDPR apply?
If yes, you can make the transfer. If no, you cannot make the transfer in accordance with the UK GDPR.
Should you reach the end of the checklist without finding a provision permitting the restricted transfer, then you will be unable to make that restricted transfer.
What is a third country?
This is a country or territory outside the UK. A non-adequate third country is one that lacks an adequacy decision from the EU Commission. Currently, provisional arrangements are in place so that the UK adequacy regulations include countries and territories covered by European Commission adequacy decisions. These will be duly reviewed by the ICO.
How have transfers previously been made?
For restricted transfers of UK personal data, Data Exporters from the UK were advised by the ICO to continue to use the old EU SCCs as an adequate transfer mechanism until such time as the UK SCCs were published.
How should transfers now be made?
There is a grace period until 21 March 2024 during which contracts that rely on the old EU SCCs will continue to be valid, so long as the underlying data processing operations remain the same. However, after this date, these legacy contracts must be renegotiated and replaced by the IDTA or new EU SCCs and the UK Addendum.
- 21 March 2022 – the IDTA and UK Addendum come into force
- 21 September 2022 – Organisations may continue to enter into the old EU SCCs until this date (grace period)
- 22 September 2022 – Organisations must rely on the IDTA or the new EU SCCs and UK Addendum
Which approach should you adopt, IDTA or Addendum?
The IDTA and the UK Addendum are alternative ways to ensure UK personal data is protected where there is a restricted transfer.
The approach your organisation uses depends on your operations. For example, international organisations that have operations across the UK and EEA jurisdictions will likely prefer the new EU SCCs plus the UK Addendum, rather than adopting the IDTA. The UK Addendum simply replaces terms that are EU specific with UK specific language. Organisations that have already implemented the new EU SCCs for data transfers may find adopting the UK Addendum a quicker and simpler fix.
The IDTA, however, is a standalone agreement (unlike the new EU modular approach) that can be used by a controller or a processor. Just like the new EU SCCs, it places contractual obligations on Data Exporters and Data Importers and also takes into account the Schrems II decision.
The ICO, in due course, will publish tools to provide support to organisations. These will consist of:
- Clause by clause guidance to the IDTA and Addendum
- Guidance on how to use the IDTA
- Guidance on transfer risk assessments
- Further clarifications on our international transfers guidance
Do I still need to carry out a transfer risk assessment (TRA)?
In short, yes. You will need to carry out a TRA if you are making a restricted transfer and you wish to rely on one of the Article 46 transfer tools. The Schrems II judgement emphasises that before you rely on an Article 46 transfer tool, you must conduct a risk assessment. All UK based Data Exporters must carry out a transfer risk assessment of restricted transfers. To assist companies, the ICO has published a draft international transfer risk assessment and tool.
The tool should determine whether the IDTA can provide sufficient safeguards or whether further protections are required before the restricted transfer takes place.
Contract remediation and next steps
- Adopt an approach in line with your business operations, whether to put in place an IDTA or UK Addendum to the new EU SCCs.
- Scope all contracts where the use of the IDTA or the UK Addendum is required.
- Conduct a TRA to identify whether supplementary measures (UK SCCs) are required within the appropriate agreements.
- Where you have relied on the old EU SCCs, begin to conduct TRAs for restricted transfers.
We understand that conducting transfer risk assessments and deciding whether to use the IDTA or the UK Addendum are complex tasks. Our specialist lawyers are on hand to assist you in identifying any restricted transfers and ensuring that you have adequate safeguards in place to comply with the UK GDPR regime.