This article considers some of the key features of the new UK GDPR specific transfer mechanisms which came into force on 21 March 2022:
- the International Data Transfer Agreement (the IDTA);
- the addendum to the 2021 EU SCCs for international data transfers (the Addendum); and
- the transitional provisions which permit organisations to continue using the 2001, 2004 and 2010 EU SCCs (the Legacy EU SCCs) for a transitional period (the Transitional Provisions) (together, the Documents).
Our key takeaways for organisations are as follows:
- Timing: The updates include a transitional period for organisations to continue using legacy transfer mechanisms, for data transfers outside of the UK, until 21 March 2024. Organisations may already be in the process of updating, or in any event will be required to update, their existing EU data transfer mechanisms for data transfers outside of the EU by 27 December 2022. The Addendum, which converts the 2021 EU SCCs so they are applicable in the context of the UK GDPR, may be more practical for organisations that are subject to both the EU GDPR and UK GDPR and that can benefit from a holistic update to their data transfer mechanisms.
- Separate agreements: Organisations must consider that the IDTA does not include the data processing terms that must be put in place in accordance with Article 28. Organisations will be required to keep them in a “linked agreement” (as had become customary before the EU SCCs were refreshed). There may be practical difficulties for organisations to consider, as applicable terms may be captured across multiple agreements.
- ICO guidance: The ICO has promised to publish guidance on these Documents shortly. Guidance from the ICO will be a helpful tool to assist data exporters in navigating these updates.
Chapter V of the UK GDPR (the retained EU law version of the General Data Protection Regulation ((EU) 2016/679)) imposes restrictions on the transfer of personal data outside of the UK. The UK GDPR came into force in 2021 and since its inception, organisations have been permitted to use standard contractual clauses issued by the European Commission (EU SCCs) to transfer personal data outside the UK. The Documents were introduced as part of a wider UK package to assist international transfers post-Brexit.
IDTA: The IDTA is a standalone agreement. It is broadly similar to the 2021 EU SCCs, but there are some divergences:
- Although the IDTA contains certain mandatory provisions which cannot be changed, it provides greater flexibility for organisations. The IDTA includes the concept of a “linked agreement” meaning that, so long as the terms of that agreement do not impinge on the terms of the IDTA, additional terms from “linked agreements” may be included to reflect the commercial relationship between the parties.
- The IDTA may be described as a more “user friendly” document for organisations. It has a tabular structure meaning parties must populate a set of tables with certain information (including the details of the parties, the data, the contemplated transfers, any linked agreements and any security requirements) and once populated, the agreement can be signed with no other changes. This differs from the modular structure of the 2021 EU SCCs that requires parties to select the modules applicable to their specific transfer scenarios and adapt the agreement accordingly.
- Further, the IDTA does not contain Article 28 data processor obligations and organisations acting as data processors will be required to implement separate data processing agreements, which is contemplated as an example of a “linked agreement” under the IDTA.
Addendum: The Addendum can be used as an alternative to the IDTA. The Addendum operates as an addendum to the 2021 EU SCCs, making only the necessary amendments to the 2021 EU SCCs so they are workable for the UK GDPR.
Transitional provisions: The transitional provisions allow organisations to continue using the Legacy EU SCCs in agreements concluded on or before 21 September 2022. This transitional period will end on 21 March 2024.
Transfer risk assessments: Transfer risk assessments are assessments that enable data exporters to determine if the transfer mechanism they intend to use for an international data transfer provides an adequate level of protection. Whichever transfer mechanism an organisation implements, an organisation must conduct a transfer risk assessment before any transfer is made, as required following the Schrems II decision. We are expecting further guidance from the ICO on this.
The ICO has confirmed that organisations can expect further guidance and support on the Documents shortly in the form of:
- clause-by-clause guidance on the IDTA and the Addendum;
- guidance on how to use the IDTA;
- guidance on transfer risk assessments (assessments which enable data exporters to determine if the transfer mechanism they intend to use for an international data transfer provides an adequate level of protection); and
- further clarifications on its international transfers guidance.