What's the issue?
Data transfers from the UK and EU to third countries without adequacy agreements must be underpinned by a recognised data transfer mechanism. The best solution will, following the Schrems II decision, usually be Standard Contractual Clauses (often with supplementary measures).
Following on somewhat belatedly from the introduction of the GDPR, the EC published revised Standard Contractual Clauses in June 2021 for the purposes of transfers from the EU. By then, however, the UK had left the EU and the new SCCs did not apply in the UK. This left data exporters in the uncomfortable position of using the old SCCs, potentially alongside new EU SCCs for cross-border businesses.
What's the development?
The ICO has laid the UK's new international data transfer agreement (IDTA), the international data transfer addendum to the EC's standard contractual clauses (Addendum) and a document setting out transitional provisions before Parliament. Providing no objections are raised, they will come into force on 21 March 2022. The IDTA and Addendum will replace the current UK SCCs for international transfers and take the Schrems II decision into account.
Transitional provisions
Under Paragraph 7, Part 3, Schedule 21 of the Data Protection Act 2018, transitional provisions allowed SCCs issued under the Data Protection Directive to be used as an appropriate safeguard for international data transfers. The ICO refers to these as Transitional Standard Clauses (TSCs).
Provisions laid out for the transition to the new IDTA are that contracts concluded on or before 21 September 2022 on the basis of the TSCs shall continue to be treated as providing adequate safeguards for the purpose of Article 46(1) UK GDPR until 21 March 2024, provided that the processing operations that are the subject matter of the contract remain unchanged, and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
Further guidance
The ICO is developing additional tools to provide support and guidance which will be published soon. These will cover:
- clause by clause guidance to the IDTA and Addendum
- guidance on how to use the IDTA
- guidance on Transfer Risk Assessments
- further clarifications on international transfers guidance.
What does this mean for you?
The ICO says the IDTA and Addendum are "immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval". Although they are not yet legally binding, we take this to mean that the IDTA and Addendum can and should be used immediately but that they may need minor updates if changes are made between now and when they come into force. Given there were no substantive changes between the draft and final versions, we do not expect any in the next few months.
Most businesses will want to focus on the Addendum as it covers them for exports from the EU and the UK. There is even an argument in favour of using the Addendum over the rather long IDTA where businesses are only exporting data from the UK. It will work for the transfers, and importers will be more familiar with the EU SCCs appended to it.
Read more
IDTA
This consists of:
- tables – can be completed largely through tick boxes
- extra protection clauses
- commercial clauses
- mandatory clauses to which only limited changes can be made, for example, to deal with the parties, update cross-referencing, and remove sections expressly stated not to apply to the selections made by the parties in parts of Table 2.
Addendum
The Addendum is designed to be appended to the EU SCCs but states that in the event of any conflict between the Addendum and UK data protection law, UK data protection law will prevail. Despite wording to the contrary in the EU SCCs, the Addendum sets out the following hierarchy with some slightly confusing definitions:
- Addendum – the International Data Transfer Addendum which is made up of the Addendum incorporating the Addendum EU SCCs.
- Addendum EU SCCs – the version of the Approved EU SCCs to which the Addendum is appended, as set out in Table 2 including the Appendix information.
- Approved Addendum – the template Addendum issued by the ICO and laid before Parliament on 28 January 2022, as it is revised under section 18 DPA 18.
- In the event of any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs, the Approved Addendum will prevail unless the inconsistent or conflicting terms of the Addendum EU SCCs afford greater protection for data subjects.
- Where the Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the EU GDPR, the parties acknowledge nothing in the Addendum impacts the Addendum EU SCCs.
The Addendum incorporates the EU SCCs subject to changes to take account of governing law, jurisdiction and to make them work in the UK.
More on data transfers
You can find out more about the latest on data transfers, including the IDTA and Addendum by listening to our webinar on 22 February. We'll also be discussing the recent regulatory scrutiny of Google Analytics, rumours of Privacy Shield 2.0, and the UK's proposals for going its own way on adequacy agreements with third countries.
Sign up here
