Insights

UK-Outbound Data Flows: Standard Contracts Published and Enter Final Approval Phase

UK-Outbound Data Flows: Standard Contracts Published and Enter Final Approval Phase

Feb 01, 2022
Download PDFDownload PDF
Print
Share

On 28 January 2022 (Data Protection Day), the UK’s International Data Transfer Agreement (“IDTA”) and International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (the “EU Addendum”) were laid before parliament. Unless any objections are raised (this would be unusual), these documents will enter into force on 21 March 2022.

The Information Commissioner’s Office (“ICO”) launched a consultation on these documents in August 2021. As we wrote at the time, the need for the UK to put in place new transfer mechanisms has been pressing, given the adoption by the EU of updated Standard Contractual Clauses (the “EU SCCs”) in June 2021.

Once in force, the IDTA and EU Addendum will constitute the UK’s version of the EU SCCs.

What you need to know

Significant issues to be aware of include:

  1. Entry into force: Provided that no objections are raised by the UK’s parliament, the IDTA and EU Addendum come into force on 21 March 2022. At that point, the UK will then have two valid – alternative - agreements providing “appropriate safeguards” for outbound transfers of personal data from the UK for the purposes of the UK General Data Protection Regulation (“UK GDPR”).
  2. Compatibility with pre-existing EU SCCs: Companies with operations in the EU as well as the UK, and seeking to provide appropriate safeguards under both the UK GDPR and the EU GDPR, have two options. Where EU SCCs are in already place, the EU Addendum can be “bolted on” in order to satisfy the requirements of the UK GDPR. Alternatively, the full length IDTA can be used for UK-outbound transfers.
  3. Transfer Risk Assessments: Carrying out a Transfer Risk Assessment (“TRA”) continues to be a requirement in the UK, as it is in the EU, following the Court of Justice of the European Union’s decision in Schrems II in July 2020. The ICO’s consultation also featured a TRA and tool, however work on these documents is not yet complete, with the latest announcement noting that they will be published “soon”. The TRA does not need to be laid before parliament, however, and may therefore be finalised and ready to use by the time the IDTA and EU Addendum enter into force.
  4. “Repapering” deadline: While some questions remain, Transitional Provisions accompanying the documents laid before parliament state that any contracts entered into on or before 21 September 2021 (sic) on the basis of the “old” Directive Standard Contractual Clauses shall continue to provide appropriate safeguards for the purposes of the UK GDPR until 21 March 2024. (Based on the consultation, it appears likely that this is intended to refer to 21 September 2022; however, confirmation was not available at time of writing).
  5. What is a “Restricted Transfer”?: The consultation sought views on the circumstances that would give rise to a “restricted transfer” for the purposes of the UK GDPR, providing a number of scenarios for consideration (some of which appeared to differ from the position in the EU). The ICO’s position on this will be released as part of an update to the regulator’s “Guide to the UK GDPR” (this was not available at the time of writing).

Next Steps

The ICO’s announcement notes that the IDTA and EU Addendum are “immediately of use to organisations transferring personal data outside of the UK”, signalling that the regulator does not expect the documents to be amended during the parliamentary stage.

As we await confirmation of further important details and accompanying guidance, companies should start to consider how they will build the updated documents into their future agreements, and address the re-papering of existing agreements (possibly in coordination with the EU SCCs deadline of 27 December 2022).

Related Practice Areas

  • Data Privacy & Security

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.