A New Approach to UK Data Transfers
February 17, 2022
The UK Information Commissioner’s Office (ICO) published the final form of the International Data Transfer Agreement (IDTA), along with a separate addendum to the EU Standard Contractual Clauses (SCCs Addendum). The IDTA and the SCCs Addendum offer important alternative ways to ensure that UK personal data is adequately protected when exported from the UK.
If approved by Parliament, assuming there are no objections, these documents will come into effect on March 21, 2022.
The International Data Transfer Agreement (IDTA)
The UK has taken a fresh look at the contract terms that are needed to ensure adequate protection of transferred personal data to meet the UK GDPR’s standard. Overall, the draft agreement is written in clear, direct, simple language. Organizations will welcome the flexibility and pragmatism of the IDTA. It reflects the UK’s openness to recognizing that a larger – and important – contractual framework virtually always surrounds personal data transfers. The IDTA may be used as a standalone agreement or may be incorporated into a commercial agreement.
From a practical perspective, the IDTA is not significantly different in substance to the New EU SCCs. It follows that the IDTA addresses some of the deficiencies in the Old EU SCCs, including transfers of personal data from processor to processor, and the impact of the ECJ’s judgment in Schrems II, which invalidated the EU-US Privacy Shield. Unlike the New EU SCCs, which have four modules to cover the main variants of transfers, the IDTA is an all-in-one agreement. While it is considered long, much of its length is due to its useful “tick if it applies” tables and helpful glossary. It also addresses some additional data flow variations that are not expressly covered in the EU SCCs.
As a reminder, the New EU SCCs require the parties to conduct a transfer impact assessment (also called “TIAs”) considering various factors, including the laws and practice of the recipient country and the contractual, technical, and organizational safeguards put in place during transmission and processing of data. Similarly, the IDTA requires data exporters to undertake a transfer risk assessment to consider the local laws, practices, and risks which might render the protections provided by the IDTA insufficient.
However, there are several ways in which the IDTA departs from the New EU SCCs. Some examples:
- The IDTA recognizes that the parties may have entered into a separate commercial agreement (referred to as the ‘Linked Agreement’ in the IDTA) and allows for the parties to incorporate the terms of the Linked Agreement into the IDTA.
- Moreover, the parties are able to agree on audit provisions in the Linked Agreement. The audit provisions in the IDTA will only apply where the Linked Agreement does not provide an audit mechanism.
- The IDTA allows parties to resolve disputes arising out of or in connection with the IDTA through arbitration whereas the New EU SCCs include mandatory jurisdiction and governing law provisions.
- The IDTA does not adopt a modular structure which can be complex to put in place. It also imposes reduced obligations on the importer in some circumstances. For example, where a data importer experiences a data breach, the New EU SCCs require the data importer to notify the supervisory authority. In contrast, the IDTA does not require this. This is likely to be welcomed by UK data exporters because it gives them greater control over the flow of information following a data breach.
The UK Addendum to the EU SCCs – A little backtracking
Following Brexit, the UK did not immediately adopt the EU’s “New” 2021 SCCs. Instead, the UK continued to permit data exporters making restricted transfers to use a lightly adapted UK form of the “Old” SCCs . As of March 21, 2022, UK data exporters now have the option of using the new EU SCCs simply by completing the SCCs and adding the UK’s SCCs Addendum. This Addendum is a brief document that contains technical provisions that enable the New EU SCCs to work within the UK data protection regime. This will most likely be the preferred route for data transfers that include EU-origin as well as UK-origin personal data. It is anticipated that the Addendum will be used by global organisations that transfer personal data to jurisdictions outside of both the EEA and the UK.
What Should Companies Actually Do Now?
* they may need to be amended if objections are raised in Parliament although it seems unlikely to happen.
** provided that the processing operations that are the subject matter of the contract remain unchanged and reliance on those SCCs ensures that the transfer of the personal data is subject to appropriate safeguards.
That means, among other things, that you have done a transfer impact assessment and adopted measures to satisfy the requirements of the Schrems II decision. Given that the safeguards in the pre- EU GDPR SCCs are substantially less comprehensive than those required by the UK GDPR, we recommend taking steps as soon as possible to replace existing UK SCCs with the new IDTA (or the UK Addendum coupled with the new EU SCCs).
Irrespective of whether companies use the Old UK SCCs or the New UK SCCs, they will need to perform a data transfer impact assessment (DTIA, also referred to by the ICO as “transfer risk assessment” (TRA)) and, if appropriate, implement supplementary measures before the transfer in accordance with the Schrems II ruling.
Considering the above, the next step is now for the UK Parliament to approve the New UK SCCs, which are expected to become effective on March 21, 2022. The ICO announced that it will issue further guidance on this topic, including:
i) a “clause-by-clause guidance” for the IDTA and Addendum,
ii) a guidance on how to use the IDTA,
iii) a guidance on DTIAs, and
iv) further clarifications on international transfers guidance.