UK international data transfer agreements laid before Parliament
Published on 3rd Feb 2022
Businesses relieved of uncertainty regarding data transfers outside of the UK as the ICO signals that agreements are almost finalised
This week the UK Information Commissioner's Office (ICO) announced that the ICO's International Data Transfer Agreement (IDTA), International Data Transfer Addendum to the EU standard contractual clauses (SCCs), and a document setting out transitional provisions have been laid before the UK Parliament. Provided no objections are raised before Parliament, the documents will enter into force on 21 March 2022.
Under the UK General Data Protection Regulation (UK GDPR), organisations transferring personal data outside of the UK (data exporters) to organisations in countries not providing adequate protection (data importers) must put in place a data transfer mechanism. The most common (and arguably only) data transfer mechanism for transfers outside of the UK is currently the standard contractual clauses previously adopted by the European Commission (the old EU SCCs).
However, the old EU SCCs had long required an overhaul following the coming into force of the EU GDPR. On 4 June 2021, the European Commission replaced them with the new EU SCCs for transfers of personal data outside of the EEA (under the EU GDPR). In light of Brexit, the new EU SCCs did not apply in the UK and as a result organisations have eagerly been awaiting the UK's equivalent.
In August 2021, the ICO published its equivalent in the form of a draft IDTA, and a draft UK addendum to the new EU SCCs for public consultation (along with other draft guidance documents, including an international transfer risk assessment and tool). The ICO's announcement this week signals the final step in the process for finalising these documents.
The new UK documents
The IDTA is the UK's home-grown equivalent of the new EU SCCs, to cover data transfers outside of the UK (under the UK GDPR). The IDTA takes a slightly different form to the new EU SCCs and will most likely be used by organisations who only transfer personal data outside of the UK.
For organisations that also transfer personal data outside of the EEA, the UK will recognise the new EU SCCs as providing appropriate safeguards for transfers out of the UK, subject to the parties also putting in place the UK addendum to the EU SCCs. This addendum makes a number of amendments to the new EU SCCs for transfers subject to the UK GDPR, to take account of UK law requirements.
The transitional document sets out the amendments required to the UK Data Protection Act 2018 to disapply the old EU SCCs, including the timeframes for when this will take effect.
What are the next steps?
According to the ICO, provided the documents receive no objections in Parliament, they will enter into force on 21 March 2022, at which point:
- For new contracts entered into between 21 March 2022 and 21 September 2022, the parties will have three options for transfers of personal data outside of the UK: (i) use the old EU SCCs; (ii) use the UK IDTA; or (iii) use the new EU SCCs together with the UK addendum to the EU SCCs.
- For contracts already entered into on or before 21 September 2022, organisations can continue to use the old EU SCCs, "provided that the processing operations that are the subject matter of the contract remain unchanged and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards". However, these agreements will need to be updated by no later than 21 March 2024 to replace the old EU SCCs with either the IDTA, or the new EU SCCs together with the UK addendum to the EU SCCs.
- For new contracts entered into on or after 21 September 2022, organisations will be legally required to use the UK IDTA, or the new EU SCCs together with the UK addendum to the EU SCCs.
The ICO also states that the IDTA and UK addendum to the EU SCCs "are immediately of use to organisations transferring personal data outside of the UK". This comes with the caveat that they will not legally come into force until 21 March 2022 and are still subject to Parliamentary approval. However, it is an indication that parties to data transfer agreements can now with more confidence make contractual provision to use the documents, conditional on their coming into force.
The ICO is planning to publish "soon" additional guidance for organisations, which include: (i) clause by clause guidance to the IDTA and UK addendum to EU SCCs; (ii) guidance on how to use the IDTA; (iii) guidance on transfer risk assessments; and (iv) further clarifications on the ICO's international transfers guidance.
Osborne Clarke comment
The Schrems II decision and Brexit have caused considerable uncertainty in international data transfers in recent years, so this announcement will come as a relief for organisations who have been eagerly awaiting the finalisation of the UK's version of the standard contractual clauses for international data transfers.
In particular, organisations transferring personal data outside of both the UK and EEA will welcome the news that the UK government still plans to recognise the new EU SCCs, subject to a UK addendum, which will avoid the need to include multiple sets of standard contractual clauses in commercial agreements touching both UK and EEA data subjects' personal data.
It is a pity that the additional guidance documents are not yet available and clarifications have not been published alongside the new documents. It is hoped that these will be available soon, so that organisations can most effectively plan which form of transfer documents to use.
If you require further advice on what this means for updating your commercial agreements to comply with international data transfer requirements, please contact one of our experts below.