The International Data Transfer Agreement entered effect in March 2022 as an alternative mechanism to EU standard contractual clauses.
New UK data transfer tools – the International Data Transfer Agreement (IDTA) (essentially the UK’s equivalent to the EU standard contractual clauses) and a separate UK addendum to be used in conjunction with the EU standard contractual clauses (UK Addendum) – came into force on 21 March 2022.
These documents, issued under Section 119A of the Data Protection Act 2018, provide appropriate safeguards required under UK GDPR to transfer UK personal data to countries not covered by adequacy decisions.
For six months, i.e. until 21 September 2022, it will be possible to choose whether to use the legacy SCCs (the old EU SCCs) for new data transfers or one of the new UK transfer mechanisms.
The existing transfer arrangements, which incorporate the old SCCs, will remain valid in relation to deals already in place for a further 24 months, as long as the processing operations remain unchanged.
In many cases, there will be a good argument for switching to one of the new UK transfer tools before 21 March 2024. As this final deadline falls less than a year and three months after the deadline for repapering the EU SCCs, it will make sense for international organisations to harmonise their repapering projects, to cover both EU and UK data flows at the same time.
The choice between the IDTA and the EU SCCs (with the UK Addendum)
A particularly welcome development (especially for organisations that process both the UK and EEA data) is the adoption of the UK Addendum to the EU SCCs, as an alternative to the IDTA.
The use of the EU SCCs in conjunction with the UK Addendum (which includes tweaks to the EU SCCs to make them work for UK data transfers), is bound to be the preferred choice for such organisations.
Many may have already decided to adopt this approach as it allows them to use just one set of SCCs for transfers of all their European data (i.e., the EU SCCs with the addition of the UK Addendum for UK data).
This pragmatic solution proposed by the ICO should help reduce complexities introduced to data transfers by Brexit, which is a good news for international businesses and the UK’s digital economy.
The UK transfer instruments contain comparable obligations to those covered in the EU SCCs, with a few notable differences (see details on key differences: UK IDTA v EU SCCs).
The main changes from the consultation drafts
The overall structure, style and substance of the IDTA remain much the same as the draft published during the ICO’s consultation.
Notable changes from that draft (see The ICO consults on international data transfers post-Brexit (Part 1 – UK SCCs) | Fieldfisher for detail) include:
- The obligation to ensure there is a separate data processing agreement (enforceable throughout the term of the IDTA) satisfying Article 28 requirements (Linked Agreement) now falls on the exporter and not on both parties as was initially proposed in the draft.
- The obligation on the importer to provide the exporter – before receiving any transferred data – with all relevant information regarding local laws and practices, the protections and risks and any other information required for the exporter to carry out a transfer risk assessment.
- Explicit provision confirming the parties may include provisions in the Linked Agreement that will enhance their rights otherwise covered in the IDTA (such enhanced rights may be subject to commercial terms under the Linked Agreement but this will not affect the rights granted under the IDTA).
- The exporter’s obligation to carry out reasonable checks to assess the importer’s ability to comply with the IDTA or to provide appropriate safeguards has been extended from the initial checks to also reviews throughout the term of the IDTA.
- While a mandatory formal review of the IDTA has been retained, the parties can now choose regular review periods less frequent than once a year or instead commit to reviewing the IDTA ‘each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment’.
- More detailed data breach notification obligations imposed on the importer.
- The importer’s duty to provide the data subject with a copy of their transferred data is no longer ‘free of charge’ but instead at no greater cost than it would be able to charge under the UK data protection laws – an interesting sign of the likely changes on the horizon of the UK data protection law.
- The lack of recognition – in the consultation draft – that the importer may have an overriding obligation under its local law to keep the data after the IDTA ends, has been corrected in the final version.
While the amendments to the substance of the UK Addendum compared to the initial draft are minor, there is a noticeable change to its structure.
It is now a longer document, as it incorporates a tabular approach similar to that adopted in the IDTA and requires the parties to input more details (e.g. selected modules of the EU SCCs and optional clauses).
Updates to the ICO guidance on international transfers
Alongside the release of the new data transfer tools, the ICO has also made a small but important update to its Guide to UK GDPR (clarifying its approach to a ‘restricted transfer’) and announced that further detailed guidance on international data transfers will follow.
The ICO has clarified that all data transfers to receivers located in a non-adequate country outside the UK (including those who are subject to UK GDPR under its long-arm jurisdictional reach) will be treated as ‘restricted transfers’. This puts an end to the concept of a “GDPR bubble” and brings the ICO’s approach back into alignment with the stricter approach adopted in the EU (See: What’s a data transfer under the GDPR? | Fieldfisher).
Further ICO guidance (which will include clause-by-clause guidance to the IDTA and the UK Addendum and guidance on transfer risk assessments) will be helpful for organisations looking to implement a pragmatic approach to data transfers.
With decisions on whether to opt for the IDTA or the UK Addendum, how to roll out the UK Addendum or the IDTA for existing and new contracts and how to factor UK developments into existing international data transfer projects, there is certainly a lot to consider.
As with the EU SCCs, it is also important to bear in mind that exporters will still have to consider the consequences of the Schrems II decision.
Neither the IDTA nor the UK Addendum will automatically mean that no further steps are needed before a transfer can occur – a risk assessment is still required and supplementary measures may be needed.
How Condor can help
Condor offers an end-to-end solution to the SCC repapering requirement by providing the technology and resources to projects involving hundreds or thousands of contracts.
By utilising a combination of project management and technology together with a scalable team of lawyers and paralegals structured to meet the client’s needs, Condor can provide a solution on time and with the comfort of fixed pricing.