On 28 January 2022, the UK Government Department for Digital, Culture, Media & Sport (DCMS) laid before the UK Parliament its International Data Transfer Agreement (IDTA) and International Data Transfer Addendum (UK Addendum) to the European Commission’s Standard Contractual Clauses (EU SCCs). If no objections are raised by the UK Parliament, the IDTA and the UK Addendum will come into force on 21 March 2022.
The UK’s Information Commissioner’s Office (ICO) welcomed this latest development and confirmed they will release further guidance in the coming weeks. This will include updating their general guidance on international transfers, to which certain amendments have already been made, including helpful clarification that transfers by a data controller to its employees within the same company will not constitute “restricted transfers” (see further below). The ICO will also provide new guidance on the UK Transfer Risk Assessment tool (TRA). The TRA helps assess the data protection safeguards in place in the countries to which the personal data is being transferred and which are not deemed by the UK to have adequate data protection laws, so-called “third countries”.
Companies will now need to carefully consider implementing the IDTA, the TRA and the new guidance for transfers of personal data from the UK to third countries, such as the U.S., including where those transfers are to affiliates.
What is the background to the IDTA?
In August 2021, the ICO launched a public consultation on its draft IDTA and guidance on restricted transfers (Consultation). The Consultation was launched following publication by the European Commission of its EU SCCs and the European Data Protection Board’s Schrems II guidance, in particular because, following the UK’s departure from the EU, the EU SCCs do not automatically apply in the UK. You can read our blog about the previous Consultation here.
It is important to note that under the new UK position on international data transfers, businesses will have a choice to either use (i) the IDTA which is a new UK specific form of data transfer agreement; or (ii) the current EU SCCs but with the new UK Addendum, which effectively conforms EU specific references to the UK references as discussed further below.
- Existing guidance updated: Whilst the ICO has indicated further guidance is pending, it did update its guidance to reflect the status of the new UK Addendum and IDTA, and included a new section addressing what constitutes a “restricted transfer”. According to the ICO, a restricted transfer is made when (i) the UK GDPR applies to the processing in question; (ii) you agree to send or make accessible personal data to a receiver in a country outside of the UK; and (iii) the receiver is legally distinct from you as it is a separate company, organisation or individual. This includes transfers to another company within the same corporate group. However, the ICO goes on to say that “if you are sending personal data to someone employed by you or by your company or organisation, this is not a restricted transfer”.
- Further guidance to come: As mentioned above, the ICO is yet to provide guidance on the IDTA and the UK Addendum, stating that they will shortly publish: (i) further clause-by-clause guidance to the IDTA and the UK Addendum; (ii) practical guidance on how to use the IDTA; and (iii) guidance on the TRA. The ICO has also stated that it will publish responses to its public consultation and further clarifications on its international transfers guidance. The guidance will be important for businesses to consider as it will help inform a practical approach to compliance.
- Commencement and Transitional Provisions: The ICO has stated that the new IDTA and new UK Addendum are “immediately of use” although they do not officially come into force until 21 March 2022, as they are technically still awaiting Parliamentary approval. According to the ICO, contracts involving data transfers from the UK and concluded before 21 September 2022 can continue to use the old EU SCCs until 21 March 2024 provided that the “processing operations” in question remain the same and the SCCs continue to provide “appropriate safeguards” under the UK GDPR. For contracts concluded after 21 September 2022 it will be necessary to use the new IDTA or UK Addendum. Despite these transitional provisions many businesses may want to use the new IDTA or new UK Addendum going forward.
- Choosing between the IDTA and the UK Addendum: A key practical question that businesses should answer before the transition date of 21 September 2022 is whether they will opt for the brand new IDTA for international transfers or use the new UK Addendum which will be appended to the EU SCCs. On a practical level, businesses which already rely on the EU SCCs may be inclined to simply use the UK Addendum, whilst purely UK based businesses may wish to switch to the IDTA. In both cases, organizations will need to consider the differences between the IDTA and the UK Addendum when finalizing their approach to restricted transfers from the UK.
- Changes to the IDTA: The overall structure and content of the IDTA remain much the same as the draft IDTA published as part of the Consultation. However, there are certain notable amendments including, for example: (i) the IDTA does not contain Article 28 GDPR data processor obligations and the IDTA now makes clear that it is the exporter’s obligation (and not a joint obligation between the parties) to have a separate data processing agreement called a “Linked Agreement” which complies with Article 28 of the GDPR; (ii) the IDTA now makes clear that if clauses are “incorrectly” removed by the parties from the IDTA then these clauses may still apply; and (iii) the IDTA now requires exporters to “demonstrate” that their IDTA provides “appropriate safeguards” including through filling out Table 4 on Security Requirements and setting out any “Extra Protection Clauses” relating to heightened technical, organizational and contractual protections the parties will adhere to. Importers are also required to meet the higher standard of ensuring they have provided the exporter with information regarding any local laws and practices relating to data before receiving any data rather than just prior to entering the IDTA.
- Changes to the UK Addendum: The new UK Addendum to the EU SCCs laid before Parliament is different in structure to the draft version published during the Consultation. In particular, the Addendum incorporates a tabular approach i.e., similar to the IDTA, requiring the parties to identify, for example, which Modules of the EU SCCs are being used and which optional clauses are being selected. There are also minor amendments to the provisions designed to tailor the EU SCCs to comply with the UK GDPR.
Dealing with data transfers from the UK
Businesses should closely review the new IDTA and the UK Addendum as well as the TRA and new UK guidance on international data transfers to consider the impact. Businesses will also need to review their data flows from the UK and decide whether to opt for the IDTA or the UK Addendum, as well as how in practice to roll out the IDTA or UK Addendum for existing and new contracts for transfers from the UK, whether to group companies, vendors, customers or other third parties. For international businesses that also have data transfers from the EU and who are already engaged in putting in place the new EU SCCs, the UK developments will add yet another layer of complexity to carefully consider and factor into existing international data transfer projects.