The ICO’s International Data Transfer Agreements
Author: Rachel McCulloch
Clarification as to how the UK will handle international transfers of personal data post-Brexit has been long-awaited. Under UK data protection laws, organisations are required to implement valid data transfer mechanisms when transferring personal data outside the UK to countries which do not provide an adequate level of data protection.
Until now, it has been common for organisations transferring personal data outside of the UK to use the old EU standard contractual clauses (“SCCs”). Whilst these old EU SCCs were replaced on 4 June 2021 by the new EU SCCs, the UK has been waiting for its own replacements reflecting the ICO’s approach to international data transfers following Brexit.
The ICO has now announced that it has laid the following documents before the UK Parliament, which will come into force on 21 March 2022, provided that no objections are raised:
- The ICO’s International Data Transfer Agreement (“IDTA”) which can be found here;
- The International Data Transfer Addendum to the new EU SCCs (“Addendum”) which can be found here; and
- A document setting out transitional provisions which can be found here.
Although they are not yet legally binding, the documents can, and should, be used immediately by organisations transferring personal data outside of the UK, but note that they may need updating if changes are made before they come into force. From 21 September 2022, organisations will need to use the new documents.
1. The IDTA
This document is a standalone data transfer agreement which covers data transfers from the UK to third countries. The IDTA contains mandatory clauses which the ICO has determined effectively safeguard the data being transferred and these mandatory clauses may not be amended. The IDTA deals with the data subject’s right to information and what to do in the event of a breach.
2. Addendum to the EU SCCs
This Addendum to the new EU SCCs means that the new EU SCCs can be used for international transfers of personal data from the EU as well as the UK. Many businesses that transfer data from the EU may already be using the new EU SCCs. The Addendum makes a number of amendments to the new EU SCCs to make them compliant with UK data law requirements. International companies that will be transferring personal data to third countries from both the UK and the EU will have the choice to use the EU SCCs and the IDTA or the EU SCCs and the Addendum.
3. Document setting out transitional provisions
This is a short document setting out the amendments required to the UK Data Protection Act 2018 to disapply the old EU SCCs. It notes that contracts which conclude on or before 21 September 2022 on the basis of any Transitional Standard Clauses shall continue to be appropriate safeguards for the UK GDPR until 21 March 2024. The Transitional Standard Clauses refer to the standard data protection clauses which, by virtue of the Data Protection Act 2018, Schedule 21, Part 3, Paragraph 7, provide the appropriate safeguards referred to in Article 46(1) of the UK GDPR.
The ICO is developing the following additional tools to provide support and guidance which will be published shortly:
- Clause by clause guidance to the IDTA and Addendum,
- Guidance on how to use the IDTA,
- Guidance on Transfer Risk Assessments, and
- Further clarifications on international transfers guidance.
In the meantime, organisations should review their current data transfer agreements and ensure that any new contracts comply with the new rules. Key dates to be aware of are:
- 21 March 2022: the new IDTA and Addendum can be used for data transfers from the UK
- 21 September 2022: the old EU SCCs cannot be used any more for new contracts covering data transfers from the UK
- 21 March 2024: the transition period comes to an end and all contracts will need to have been updated with the new EU SCCs and UK addendum, or the ICO’s new IDTA, whichever is appropriate.
For further information or advice, please get in touch with our Commercial and Technology Team.