Since the UK left the EU, there has been a lot of speculation about how the UK will regulate restricted transfers of personal data between the UK and third countries in compliance with the UK GDPR. After some delay, on 28th January 2022, the UK International Data Transfer Agreement (“IDTA”), the International Data Transfer Addendum to the EU Standard Contractual Clauses (“the UK Addendum”), and a document setting out the transitional provisions as to the use of the current SCCs for international data transfers, were put before UK Parliament for approval. The introduction of these new instruments will encompass the approach the UK will take in respect of international transfers post-Brexit. This blog provides an explanation of these reforms and offers practical advice about steps organisations can take to adapt to the upcoming changes.
The Issue
The UK GDPR limits the ability of UK organisations to transfer personal data outside of the UK (“restricted transfer”) where there are not appropriate safeguards in place offer individuals a level of protection equivalent to that provided under the UK GDPR. Where personal data transfers take place between the UK and third countries, it is necessary for the UK exporting organisation to put in place an appropriate transfer mechanism to ensure that the personal data being exported is offered an adequate level of protection. The transfer mechanisms available are found under Article 46 of UK GDPR and one of the most common mechanisms relied upon by UK organisations is the EU approved standard contractual clauses (“SCCs”). These clauses can be easily incorporated into the data processing clauses within commercial agreements. In 2021, the EU replaced the original EU standard contractual clauses with a new version of the SCCs, which aligns with the EU GDPR. However, the new clauses, in their current format, are only available for use by organisations in the EU. This means organisations within the UK, now a non-EU country, are in a position where they must rely on another transfer mechanism or continue to use the now superseded version of the EU SCCs, which are no longer fit for purpose and may not offer an adequate level of protection for personal data.
The solution
Last autumn, the ICO published a consultation on proposed new personal data transfer mechanisms for the UK, namely, a standalone UK International Data Transfer Agreement (“IDTA”), designed for use by UK data exporters and also an addendum to the new EU Standard Contractual Clauses to make these compatible for use under UK law post-Brexit, together with some draft guidance on the implementation of these documents.
On the 31st January 2022, the ICO confirmed that the IDTA and UK Addendum has been laid before Parliament as the new instruments that will replace the EU SCCs to ensure UK organisations are complaint with Article 46 of the UK GDPR going forward. The IDTA will become the UK’s version of the SSCs. The UK Addendum is essentially an add-on to the New EU SCCs modifying the document, to tailor it to UK law. It will achieve this by replacing EU law references and incorporating references required for compliance under UK law. Both mechanisms take account of the famous Schrems II decision of July 2020, which raised questions about the effectiveness of the SCCs as a transfer mechanism and highlighted the need for organisations to undertake transfer impact assessments and, where appropriate, put in place supplementary measures, in addition to the SCCs, to enhance the protection of personal data. Unless objections are raised, the documents will enter into force on 21 March 2022 and will have an immediate impact on international data flows from the UK.
The impact
IDTA vs UK Addendum
The introduction of the IDTA and UK Addendum will be beneficial to UK organisations as they will have a fit for purpose means to transfer personal data from the UK to third countries where other mechanisms available under Article 46, such as adequacy, are not suitable. However, there is no doubt that there will be a period of adjustment to the new regime.
In practice UK organisations will have to decide which mechanism is the best fit for their organisation. Businesses based solely in the UK may decide that the IDTA is a better fit for their organisational needs. Whereas, UK organisations with an EU presence may use the UK Addendum to fulfil their UK obligations and to maintain a degree of consistency with their other EU offices. Arguably, the UK Addendum may be more convenient to UK organisations as it will require less change from the New EU SSCs, and will bring a near unified approach post-Brexit between EU and UK organisations.
The key dates
There are some timelines your organisation should be aware of in order to prepare for these instruments coming into force. These are as follows:
- While UK organisations may begin using the IDTA or UK Addendum for the New EU SSCs now, we would recommend waiting until the 21st March 2022 to avoid duplication of work.
- Use of the Old EU SSCs will cease to be effective for transfers from the UK for any new agreements after the 21st September 2022. However, contracts concluded between the 21st March 2022 and 21st September 2022 may continue to use the Old EU SSCs, as well as choosing to implement the new IDTA or UK Addendum.
- Any agreements concluded after 21st September 2022 will have to use the IDTA or UK Addendum to the New EU SSCs.
- All agreements will require to utilise either the IDTA or UK Addendum for transfers of personal data from the UK to third countries by the 21st March 2024. All UK agreements using the Old EU SSCs must be updated by this deadline.
The next steps
There are practical steps your organisations can to take now to prepare for the upcoming changes. We would recommend doing the following to prepare your organisation:
- Keep updated with ICO Guidance. The ICO should be publishing further clarification and guidance ahead of the March 2022 deadline. This will include: Clause by clause guidance to the IDTA and UK Addendum, How to use the IDTA, Guidance on transfer risk assessments and Further clarification on international transfer guidance.
- Assess the advantages and disadvantages to your organisation before choosing which mechanism to use.
- Devise an internal strategy to ensure all agreements are up to date by the March 2024 deadline. Organisations should start sooner rather than later as this is likely to be a time consuming activity.
- Begin to triage your agreements which govern restricted transfers into those which are most important to your organisations needs and those which are perhaps more risky. You should prioritise these arrangements for review in order that a transfer impact assessment can be carried out (as necessary) and subsequent updates to these agreements can be resolved.
- Decide what method you will adopt going forward until 21st September 2022 deadline.
- Contact our Data Protection Team at Thorntons to get bespoke advice and support from us regarding changes required for your organisation.
Insight from Morgan O'Neill, Director Data Protection Services. For more information contact Morgan on 03330 430350.