21 February 2022
Radar - February 2022 – 3 of 4 Insights
Data transfers from the UK and EU to third countries without adequacy agreements must be underpinned by a recognised data transfer mechanism. The best solution will, following the Schrems II decision, usually be Standard Contractual Clauses (often with supplementary measures).
Following on somewhat belatedly from the introduction of the GDPR, the EC published revised Standard Contractual Clauses in June 2021 for the purposes of transfers from the EU. By then, however, the UK had left the EU and the new SCCs did not apply in the UK. This left data exporters in the uncomfortable position of using the old SCCs, potentially alongside new EU SCCs for cross-border businesses.
The ICO has laid the UK's new international data transfer agreement (IDTA), the international data transfer addendum to the EC's standard contractual clauses (Addendum) and a document setting out transitional provisions before Parliament. Providing no objections are raised, they will come into force on 21 March 2022. The IDTA and Addendum will replace the current UK SCCs for international transfers and take the Schrems II decision into account.
Under Paragraph 7, Part 3, Schedule 21 of the Data Protection Act 2018, transitional provisions allowed SCCs issued under the Data Protection Directive to be used as an appropriate safeguard for international data transfers. The ICO refers to these as Transitional Standard Clauses (TSCs).
Provisions laid out for the transition to the new IDTA are that contracts concluded on or before 21 September 2022 on the basis of the TSCs shall continue to be treated as providing adequate safeguards for the purpose of Article 46(1) UK GDPR until 21 March 2024, provided that the processing operations that are the subject matter of the contract remain unchanged, and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
The ICO is developing additional tools to provide support and guidance which will be published soon. These will cover:
The ICO says the IDTA and Addendum are "immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval". Although they are not yet legally binding, we take this to mean that the IDTA and Addendum can and should be used immediately but that they may need minor updates if changes are made between now and when they come into force. Given there were no substantive changes between the draft and final versions, we do not expect any in the next few months.
Most businesses will want to focus on the Addendum as it covers them for exports from the EU and the UK. There is even an argument in favour of using the Addendum over the rather long IDTA where businesses are only exporting data from the UK. It will work for the transfers, and importers will be more familiar with the EU SCCs appended to it.
This consists of:
The Addendum is designed to be appended to the EU SCCs but states that in the event of any conflict between the Addendum and UK data protection law, UK data protection law will prevail. Despite wording to the contrary in the EU SCCs, the Addendum sets out the following hierarchy with some slightly confusing definitions:
The Addendum incorporates the EU SCCs subject to changes to take account of governing law, jurisdiction and to make them work in the UK.
You can find out more about the latest on data transfers, including the IDTA and Addendum by listening to our webinar on 22 February. We'll also be discussing the recent regulatory scrutiny of Google Analytics, rumours of Privacy Shield 2.0, and the UK's proposals for going its own way on adequacy agreements with third countries.
by Multiple authors