In a final step following the consultation on international data transfers carried out by the ICO last year (The ICO consults on international data transfers post-Brexit (Part 1 – UK SCCs) | Fieldfisher), on 2 February 2022 the Department for Culture, Media and Sport laid the ICO’s new International Data Transfer Agreement (IDTA) and the addendum (UK Addendum) to the European Commission’s standard contractual clauses (EU SCCs) before Parliament. These documents, issued under Section 119A of the Data Protection Act 2018, will provide Appropriate Safeguards required under UK GDPR to transfer UK personal data to countries not covered by adequacy decisions. If no objections are raised in Parliament (which, we think is likely, given that these documents form part of the wider government package aimed to assist international data transfers), they will come into force on 21 March 2022.
For 6 months, i.e. until 21 September 2022, it will be possible to choose whether to use the legacy SCCs (the old EU SCCs) for new data transfers or one of the new UK transfer mechanisms.
The existing transfer arrangements which incorporate the old SCCs, will remain valid in relation to deals already in place for a further 24 months, as long as the processing operations remain unchanged. In many cases, there will be a good argument for switching to one of the new UK transfer tools before 21 March 2024. As this final deadline falls less than a year and three months after the deadline for repapering the EU SCCs, it will make sense for international organisations to harmonise their repapering projects, to cover both EU and UK data flows at the same time.
The choice between the IDTA and the EU SCCs (with the UK Addendum)
A particularly welcome development (especially for those organisations that process both the UK and EEA data) is the adoption of the UK Addendum to the EU SCCs, as an alternative to the IDTA. The use of the EU SCCs in conjunction with the UK Addendum (which essentially includes tweaks to the EU SCCs to make them work for UK data transfers), is bound to be the preferred choice for such organisations. In fact, many may have already decided to adopt this approach as it allows them to use just one set of SCCs for transfers of all their European data (i.e. the EU SCCs with the addition of the UK Addendum for UK data). This pragmatic solution proposed by the ICO should help reduce complexities introduced to data transfers by Brexit, which is a good news for international businesses and the UK’s digital economy.
The UK transfer instruments contain comparable obligations to those covered in the EU SCCs, with a few notable differences. You can see details on key differences at our table UK IDTA v EU SCCs.
Whilst for the reasons mentioned above, we expect take-up of the IDTA by international businesses to be very low, it will be interesting to see to what extent purely UK focused organisations or UK government departments and agencies will adopt the IDTA.
The main changes from the Consultation drafts
The overall structure, style and substance of the IDTA remain much the same as the draft published during the ICO’s consultation. Notable changes from that draft (see our earlier blog (The ICO consults on international data transfers post-Brexit (Part 1 – UK SCCs) | Fieldfisher for detail on the Consultation draft) include:
- The obligation to ensure that there is a separate data processing agreement (enforceable throughout the term of the IDTA) satisfying Article 28 requirements (Linked Agreement) now falls on the exporter and not on both parties as it was initially proposed in the draft.
- The obligation on the importer to provide the exporter – before receiving any transferred data – with all relevant information regarding local laws and practices, the protections and risks and any other information required for the exporter to carry out a transfer risk assessment.
- Explicit provision confirming that the parties may include provisions in the Linked Agreement that will enhance their rights otherwise covered in the IDTA (such enhanced rights may be subject to commercial terms under the Linked Agreement but this will not affect the rights granted under the IDTA).
- The exporter’s obligation to carry out reasonable checks to assess the importer’s ability to comply with the IDTA or to provide appropriate safeguards has been extended from the initial checks to also reviews throughout the term of the IDTA.
- Whilst a mandatory formal review of the IDTA has been retained, the parties can now choose regular review periods less frequent than once a year or instead commit to reviewing the IDTA each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment.
- More detailed data breach notification obligations imposed on the importer.
- The importer’s duty to provide the data subject with a copy of their transferred data is no longer ‘free of charge’ but instead at no greater cost than it would be able to charge under the UK data protection laws – an interesting sign of the likely changes on the horizon of the UK data protection law.
- The lack of recognition – in the Consultation draft – that the importer may have an overriding obligation under its local law to keep the data after the IDTA ends, has been corrected in the final version.
Whilst the amendments to the substance of the UK Addendum are minor, there is a noticeable change to its structure. It is now a longer document, as it incorporates a tabular approach similar to that adopted in the IDTA and requires the parties to input more details (e.g. selected modules of the EU SCCs and optional clauses).
Updates to the ICO guidance on international transfers
Alongside the release of the new data transfer tools, the ICO has also made a small but important update to its Guide to UK GDPR (clarifying its approach to a ‘restricted transfer’) and announced that further detailed guidance on international data transfers will be published soon.
The ICO has clarified that all data transfers to receivers located in a non-adequate country outside the UK (including those who are subject to UK GDPR under its long-arm jurisdictional reach) will be treated as ‘restricted transfers’. This puts an end to the concept of a “GDPR bubble” and brings the ICO’s approach back into alignment with the stricter approach adopted in the EU (See our blog What’s a data transfer under the GDPR? | Fieldfisher).
Further ICO guidance (which is expected to include clause by clause guidance to the IDTA and the UK Addendum and guidance on transfer risk assessments) will be helpful for organisations looking to implement a pragmatic approach to data transfers. With decisions on whether to opt for the IDTA or the UK Addendum, how to roll out the UK Addendum or the IDTA for existing and new contracts and how to factor the UK developments into existing international data transfer projects, there is certainly a lot to consider.
As with the EU SCCs, it is also important to bear in mind that exporters will still have to consider the consequences of the Schrems II decision. Neither the IDTA nor the UK Addendum will automatically mean that no further steps are needed before a transfer can occur – a risk assessment is still needed and supplementary measures may be needed.
We will be discussing all this in our webinar in March, so if you are interested, please do tune in for more insights (you can register via GoTo Webinar).