Following a consultation run in 2021 by the UK's privacy regulator, the Information Commissioner's Office ("ICO"), the UK's Secretary of State has laid before Parliament an international data transfer agreement ("IDTA"), an international data transfer addendum to the EU standard contractual clauses for international data transfers ("Addendum"), and a document setting out transitional provisions. If approved by Parliament, these documents will come into force on 21 March 2022.
Following Brexit, the UK recognised the EU and EEA Member States as providing adequate protection for individuals' rights and freedoms for their personal data. Similarly, the EU adopted an adequacy decision in respect of transfers of personal data from the EU and EEA to the UK. These adequacy decisions allow for a seamless flow of personal data between the EU, EEA and the UK. However, to legitimise the transfer of personal data from the UK to jurisdictions outside of the EU and EEA, appropriate safeguards need to be put in place. To comply with this requirement, organisations often rely on the use of standard contractual clauses ("SCCs") which impose certain contractual obligations on the data exporter and data importer.
The European Commission published its most recent version of the SCCs ("New EU SCCs") in mid 2021 to address certain deficiencies in the old SCCs ("Old EU SCCs"). The New EU SCCs apply to transfers from the EEA to jurisdictions outside the EEA, but do not apply to transfers from the UK to jurisdictions outside the EEA. As a result, UK organisations have needed to continue to rely on the Old EU SCCs for such transfers. Once approved by Parliament, the IDTA and Addendum will replace the need for UK organisations to use the Old EU SCCs.
The IDTA may be used as a standalone agreement, or may be incorporated into a commercial agreement. The IDTA is not significantly different in substance to the New EU SCCs. Similar to the New EU SCCs, the IDTA addresses some of the deficiencies in the Old EU SCCs, including transfers of personal data from processor to processor, and the impact of the ECJ's judgment in Schrems II, which invalidated the EU-US Privacy Shield. The New EU SCCs require the parties to conduct a transfer impact assessment taking into account various factors, including the laws and practice of the recipient country and the contractual, technical and organisational safeguards put in place during transmission and processing of data. Similarly, the IDTA requires data exporters to undertake a transfer risk assessment to consider the local laws, practices, and risks which might render the protections provided by the IDTA insufficient.
However, there are a number of ways in which the IDTA departs from the New EU SCCs:
- The IDTA recognises that the parties may have entered into a separate commercial agreement (referred to as the 'Linked Agreement' in the IDTA) and allows for the parties to incorporate the terms of the Linked Agreement into the IDTA.
- The IDTA allows parties to resolve disputes arising out of or in connection with the IDTA through arbitration whereas the New EU SCCs include mandatory jurisdiction and governing law provisions.
- The parties are able to agree on audit provisions in the Linked Agreement. The audit provisions in the IDTA will only apply where the Linked Agreement does not provide an audit mechanism.
- Unlike the New EU SCCs, the IDTA does not adopt a modular structure which can be complex to put in place. It also imposes reduced obligations on the importer in some circumstances. For example, where a data importer experiences a data breach, the New EU SCCs require the data importer to notify the supervisory authority. In contrast, the IDTA does not require this. This is likely to be welcomed by UK data exporters because it gives them greater control over the flow of information following a data breach.
The Addendum is designed to be used with the New EU SCCs, and it contains technical provisions that enable the New EU SCCs to work within the UK data protection regime. It is anticipated that the Addendum will be used by global organisations that transfer personal data to jurisdictions outside of both the EEA and the UK.
- Availability of the IDTA and Addendum - If approved by Parliament, the IDTA and Addendum will be available for use by UK organisations from 21 March 2022.
- Grace period for transfers from the UK only - Organisations can continue to rely on the Old EU SCCs to legitimise restricted transfers from the UK only, under existing agreements entered into on or before 21 September 2022, until 21 March 2024.
- Grace period for transfers from the UK and EEA - A shorter grace period applies to these transfers, to align with the EU's deadlines for use of the Old EU SCCs. Existing agreements entered into before 27 September 2021 incorporating the Old EU SCCs remain valid and provide appropriate safeguards for the purposes of the EU GDPR only until 27 December 2022.
- If approved by Parliament, organisations should use the IDTA, or the New EU SCCs and Addendum, to legitimise new restricted transfers from the UK and EEA from 21 March 2022.
- Existing agreements for transfers from the UK only that rely on the Old EU SCCs will need to be amended to incorporate the IDTA, or the New EU SCCs and Addendum, by 21 March 2024. Existing agreements for transfers from the UK and EEA that rely on the Old EU SCCs will need to be amended by 27 December 2022.
- Although organisations that transfer data out of the UK only will have a choice of using the IDTA or the Addendum, some may prefer to use the IDTA due to the relative simplicity of putting it in place, as well as the slightly more favourable terms for the data importer where there is a data breach, which in turn benefits the UK exporting organisation.