New UK International Data Transfer Tools: What does it mean for you?
On 21st March 2022, the new UK International Data Transfer Agreement (“IDTA”) and International Data Transfer Addendum (“UK Addendum”) to the updated EU Standard Contractual Clauses (“SCCs”) entered into force.
UK organisations can now use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers to third countries i.e. those countries without an adequacy decision.
Background
The adoption of the new IDTA and Addendum in the UK comes after the European Union introduced new Standard Contractual Clauses for restricted data transfers in June 2021 and follows an extensive consultation period by the Information Commissioners Office (“ICO”).
The IDTA and Addendum replace the old EU SCCs which remained in use in the UK following Brexit.Both tools allow data controllers within the UK to meet their safeguarding obligations under Article 46 for international personal data transfers.
What is the IDTA and Addendum?
The IDTA contains a set of contractual requirements that organisations can use when transferring data to a third country. Like the new EU SCCs, the IDTA contains detailed information about the security arrangements and supplementary measures adopted to protect the data.
The UK Addendum allows organisations involved in processing the data of both UK and EU citizens to make use of new EU SCCs to transfer data externally from both UK and EU.
Regardless of whether organisations are relying on the IDTA or the new EU SCCs alongside the UK Addendum, they will also need to carry out a Transfer Risk Assessment (“TRA”) to ensure the safeguards provided by the IDTA or Addendum are enforceable in the third country and assess whether the recipient country provides a level of data protection which is “essentially equivalent” to the UK. A final version of the ICO draft Transfer Risk Assessment has not been published as yet, however, it is expected imminently.
Impact on organisations
In summary, data exporters can now use the IDTA as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers. However they can instead opt to use the new EU SCCs alongside the Addendum.
It is anticipated that international organisations are likely to adopt an all in one approach through the EU SCCs alongside the UK Addendum. For those organisations already using the new EU SCCs in existing agreements and who transfer data from both UK and EU, it may be more pragmatic to use the UK Addendum to meet their data protection obligations.
Those organisations likely to favour the IDTA are UK based organisations transferring personal data who do not operate in the EU or who have not yet began to use the new EU SCCs.
Key dates to note:
- For new contracts and transfers concluded from 21 September 2022 the old EU SCCs cannot be used. In this case, organisations must use the new IDTA or incorporate the Addendum to supplement use of new EU SCCs.
- For existing contracts and transfers using the old SCCs at present, organisations may continue to use the old SCCs until 21 March 2024 when the two year transition period expires. This is provided the processing or contract remains unmodified.
- For modified contracts and transfers, these are to be treated as a new contract/transfer. As such organisations can continue to enter into the old SCCs, even for new transfers until 21 September 2022 and then continue to rely upon them until 21 March 2024.
If you would like any further information or advice on these issues please contact Laura Cunningham from the Commercial team.