Under the General Data Protection Regulation (the UK GDPR), adopted by the Data Protection Act 2018, businesses are prohibited from transferring personal data to a recipient in a country which is not covered by a European Commission (EC) adequacy decision, unless an exception applies.
Standard contractual clauses
The most commonly used exception is found in Article 46(2)(d) of the UK GDPR, namely for the data exporter and data importer to enter into a set of standard clauses approved by the ICO. These standard clauses require the data importer to provide “adequate safeguards” that provide an equivalent level of data protection to the UK GDPR.
The old Standard Contractual Clauses are being replaced in the UK by:
- An International Data Transfer Agreement (IDTA) and
- A data transfer addendum to the new European Commission Standard Contractual Clauses (the Addendum).
These documents take into account recent developments within data protection legislation, including the Schrems II decision.
What is the International Data Transfer Agreement?
On 2 February 2022, the Secretary of State laid before Parliament the International Data Transfer Agreement, and it has been approved for use from 21 March 2022. Any organisations that transfer personal data from the UK to other countries not covered by adequacy decisions should familiarise themselves with the International Data Transfer Agreement.
The ICO has stipulated that the International Data Transfer Agreement is an appropriate safeguard that can be used by organisations to make transfers of personal data from the UK to countries overseas, without the need to enter into the new EU Standard Contractual Clauses. In essence, the International Data Transfer Agreement is a contract that can be used by parties which ensures that the relevant protections for data subjects of the transferred data are sufficiently similar to those offered under UK data protection law.
Organisations can adopt either the International Data Transfer Agreement or the Addendum. Like the old Standard Contractual Clauses, the International Data Transfer Agreement or Addendum must be adopted in their approved form, without modifications, other than to complete the details of the parties and the nature of the processing.
What is the UK Addendum?
The UK Addendum incorporates and applies the new EU Standard Contractual Clauses to transfers of personal data from the UK and it replaces references to EU laws and requirements with references to relevant UK laws and requirements.
The UK Addendum is an alternative safeguard to the International Data Transfer Agreement and would allow organisations to use the EU Standard Contractual Clauses for international data transfers from the EU as well as the UK within the same agreement. It is important to note that the UK Addendum only works in connection with the New EU Standard Contractual Clauses and cannot be relied upon if the parties are using the old EU Standard Contractual Clauses in their agreement.
UK contracts under old Standard Contractual Clauses and a grace period
Contracts under the old, pre-GDPR, EU Standard Contractual Clauses, that are entered into on or before 21 September 2022 will continue to be compliant until 21 March 2024, provided the subject matter of the contract processing remains unchanged and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
During this grace period, businesses will not need to abandon contract negotiations under the old Standard Contractual Clauses. Instead, they will need to complete such contracts on or before 21 September 2022 and ensure that they are replaced by another lawful mechanism by 21 March 2024. This benefit only applies to personal data transfers solely from the UK to third countries; this is because transfers from the EU should no longer be done under the old Standard Contractual Clauses.
Contracts concluded after 21 September 2022, under which personal data is transferred to third countries from the UK, will need to contain either the International Data Transfer Agreement or the UK Addendum.
To conclude, both the International Data Transfer Agreement and the UK Addendum have been well received by the UK’s data protection community, as they alleviate concerns of inconsistency with the EU GDPR and threats to the UK adequacy decision of the European Commission.
The ICO is expected to publish:
- clause by clause guidance to the IDTA and UK Addendum
- guidance on how to use the IDTA
- guidance on transfer risk assessments and
- responses to their consultation on the IDTA and UK Addendum.
Businesses should start proactively updating template agreements and ensure that the correct mechanism is relied upon to ensure continued compliance with UK GDPR and for international companies with the EU GDPR too.