Insights
UK-Outbound Data Flows: Standard Contracts Published and Enter Final Approval Phase
Feb 01, 2022On 28 January 2022 (Data Protection Day), the UK’s International Data Transfer Agreement (“IDTA”) and International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (the “EU Addendum”) were laid before parliament. Unless any objections are raised (this would be unusual), these documents will enter into force on 21 March 2022.
The Information Commissioner’s Office (“ICO”) launched a consultation on these documents in August 2021. As we wrote at the time, the need for the UK to put in place new transfer mechanisms has been pressing, given the adoption by the EU of updated Standard Contractual Clauses (the “EU SCCs”) in June 2021.
Once in force, the IDTA and EU Addendum will constitute the UK’s version of the EU SCCs.
What you need to know
Significant issues to be aware of include:
- Entry into force: Provided that no objections are raised by the UK’s parliament, the IDTA and EU Addendum come into force on 21 March 2022. At that point, the UK will then have two valid – alternative - agreements providing “appropriate safeguards” for outbound transfers of personal data from the UK for the purposes of the UK General Data Protection Regulation (“UK GDPR”).
- Compatibility with pre-existing EU SCCs: Companies with operations in the EU as well as the UK, and seeking to provide appropriate safeguards under both the UK GDPR and the EU GDPR, have two options. Where EU SCCs are in already place, the EU Addendum can be “bolted on” in order to satisfy the requirements of the UK GDPR. Alternatively, the full length IDTA can be used for UK-outbound transfers.
- Transfer Risk Assessments: Carrying out a Transfer Risk Assessment (“TRA”) continues to be a requirement in the UK, as it is in the EU, following the Court of Justice of the European Union’s decision in Schrems II in July 2020. The ICO’s consultation also featured a TRA and tool, however work on these documents is not yet complete, with the latest announcement noting that they will be published “soon”. The TRA does not need to be laid before parliament, however, and may therefore be finalised and ready to use by the time the IDTA and EU Addendum enter into force.
- “Repapering” deadline: While some questions remain, Transitional Provisions accompanying the documents laid before parliament state that any contracts entered into on or before 21 September 2021 (sic) on the basis of the “old” Directive Standard Contractual Clauses shall continue to provide appropriate safeguards for the purposes of the UK GDPR until 21 March 2024. (Based on the consultation, it appears likely that this is intended to refer to 21 September 2022; however, confirmation was not available at time of writing).
- What is a “Restricted Transfer”?: The consultation sought views on the circumstances that would give rise to a “restricted transfer” for the purposes of the UK GDPR, providing a number of scenarios for consideration (some of which appeared to differ from the position in the EU). The ICO’s position on this will be released as part of an update to the regulator’s “Guide to the UK GDPR” (this was not available at the time of writing).
Next Steps
The ICO’s announcement notes that the IDTA and EU Addendum are “immediately of use to organisations transferring personal data outside of the UK”, signalling that the regulator does not expect the documents to be amended during the parliamentary stage.
As we await confirmation of further important details and accompanying guidance, companies should start to consider how they will build the updated documents into their future agreements, and address the re-papering of existing agreements (possibly in coordination with the EU SCCs deadline of 27 December 2022).
Related Practice Areas
-
Data Privacy & Security