The International Data Transfer Agreement (“IDTA”), the long-awaited mechanism for international transfers of personal data originating from the United Kingdom (“UK”), is now in force as of March 21, 2022, along with a separate addendum to the EU standard contractual clauses (“UK Addendum”). These transfer mechanisms were introduced by the Information Commissioner’s Office (“ICO”) to replace the old form EU Standard Contractual Clauses for UK transfers. Companies will have until March 21, 2024 to update existing contracts, but must use the IDTA or UK Addendum for new agreements entered into from September 21, 2022.
Post-Brexit, the General Data Protection Regulation as incorporated into UK law (“UK GDPR”) continues to restrict transfers of personal data to third countries. The IDTA and UK Addendum are the UK’s version of the modernized SCCs that were approved by the European Commission on June 4, 2021 (“new EU SCCs”).
The IDTA and the UK Addendum
Like the new EU SCCs, the IDTA ensures that appropriate safeguards for restricted transfers are implemented. Notably, the IDTA seeks to incorporate the ‘transfer risk assessment’ and resulting ‘supplementary measures’ required pursuant to Schrems II (the “Schrems II decision”) in order to protect personal data sent to countries which do not provide an adequate level of protection.
While the IDTA serves the same purpose as the new EU SCCs, it uses a different format. Unlike the new EU SCCs, which consist of four modules covering different transfer scenarios based on the classification of the importer and exporter, the IDTA is an ‘all-in-one’ agreement, with tables to complete and a tick-box system to differentiate between different processing relationships.
The ICO has recognized that organizations may transfer both EU and UK personal data and has provided a short form addendum that attaches to the new EU SCCs as an alternative to the full IDTA. The UK Addendum tailors the new EU SCCs to a UK context. The UK Addendum will most likely be the preferred option for data transfers that include both EU and UK personal data.
Another notable contrast to the new EU SCCs is that the IDTA does not contain the data processor obligations required under article 28 UK GDPR. The IDTA clarifies that it is the exporter’s obligation to conclude a separate data processing agreement, referred to as a “Linked Agreement”. The IDTA, therefore, cannot be used to replace a data processing agreement in the same way as the new EU SCCs.
The UK concept of restricted transfers
The ICO has updated its ‘Guide to the UK GDPR’ to reflect the status of the new IDTA and UK Addendum. The Guide now includes a new section on “restricted transfers”, which clarifies that an organization makes a restricted transfer if:
- the UK GDPR applies to the processing of the transferred personal data;
- it agrees to send personal data, or make it accessible, to a receiver which is located in a country outside the UK; and
- the receiver is legally distinct as it is a separate company, organization or individual. This includes transfers to another company within the same corporate group. The ICO has followed the EDPB in clarifying that personal data sent to an overseas employee is not a restricted transfer. The transfer restrictions only apply if personal data is sent outside the organization.
The ICO had previously taken the view that a transfer to an organization in a third country that is already subject to the UK GDPR should not be considered to be a “restricted transfer”. Having put this approach to a public consultation, the ICO has now confirmed that the UK will implement the stricter view, shared by EU regulators and recently confirmed by the EDPB in draft Guidelines, that a restricted transfer takes place irrespective of whether or not the UK GDPR applies to the importer.
Importantly, the new IDTA also covers transfers to such importers, already subject to the UK GDPR, while the new EU SCCs do not. The EC is expected to issue a specific – lighter – set of SCCs to govern transfers to such importers.
Now that the IDTA and UK Addendum are in force, businesses should take note of the following transition periods:
- Until September 21, 2022, parties wishing to transfer personal data from the UK can choose to use either the old SCCs or the IDTA (or the new EU SCCs together with the UK Addendum). Any contracts that incorporate the old SCCs will continue to be valid until March 21, 2024. However, if the underlying processing operations change (e.g. as a result of a variation to the underlying contract), the parties will need to transition to the IDTA or UK Addendum at the same time. The sunset period is also subject to the important caveat that reliance on the old SCCs is only valid if they ensure that the transfer of personal data is subject to appropriate safeguards. This highlights the need for exporters to carry out a transfer impact assessment to assess the adequacy of the safeguards that will apply to the transferred data in the third country and monitor the efficacy of these safeguards. This assessment may conclude that the old SCCs need to be supplemented with additional contractual protections akin to those in the IDTA in any event.
- For new contracts entered into on or after September 21, 2022, organizations must use the IDTA, or the new EU SCCs together with the UK Addendum.
The new IDTA and UK Addendum offer a pragmatic solution for organizations transferring personal data originating from the UK and the EU, avoiding the need to include multiple agreements where both UK and EU personal data is transferred.
The ICO has proposed to publish additional guidance soon, including: (i) clause by clause guidance to the IDTA and UK Addendum; (ii) guidance on how to use the IDTA; (iii) guidance on transfer risk assessments (noting also that the Schrems II decision still applies in the UK and a transfer risk assessment will need to be carried out for UK personal data transfers); and (iv) further clarifications on the ICO’s international transfers guidance.
The post UK Data Transfer Mechanism Comes Into Force appeared first on Data + Privacy + Cybersecurity Insights.