The UK’s International Data Transfer Agreement (IDTA) and the Addendum to the new EU SCCs (Addendum), together with accompanying transitional provisions, were laid before Parliament 2 February 2022. Unless Parliament objects (which is unlikely), they will come into effect on 21 March 2022.
These transfer agreements now provide organisations with mechanisms to replace the "old" EU standard contractual clauses (old SCCs) upon which they have needed to rely previously, where no appropriate derogation applies, in order to comply with the requirement under Article 46 of the UK GDPR to provide "appropriate safeguards" for personal data transferred from the UK to countries which are not covered by the UK’s “adequacy regulations”.
Fortunately, there is no immediate rush to transition to the new documentation: there's a grace period, so the old SCCs can be used for new arrangements (for the UK only) until 21 September 2022, but all transfers based on the old SCCs must be transitioned to the IDTA or Addendum by 21 March 2024. However, organisations subject to both the EU GDPR and the UK GDPR, looking to harmonise their contractual approach to restricted transfers and achieve efficiencies by doing everything in "one hit", should be mindful of the 27 December 2022 deadline under the EU GDPR for transitioning legacy arrangements to the new EU SCCs. Whilst there may be specific circumstances where it is appropriate, we would also query why, regardless of the grace period, an organisation would use the old SCCs, when the IDTA and Addendum are available (as these arrangements would then require re-papering unless they expire or are terminated prior to 21 March 2024).
In circumstances where you use these new transfer agreements, you will still need to undertake a risk-based assessment of the law in the relevant non-adequate third country and consider whether any additional safeguards are required to protect personal data in that third country, in accordance with the Schrems II judgment.
This briefing looks at the new transfer agreements and next steps to consider.
Background to Restricted Transfers under the UK GDPR
Controllers and processors subject to the UK GDPR can transfer personal data to a third country outside the UK, if:
- an adequacy decision exists in relation to that country;
- a suitable derogation exists which covers the circumstances of the transfer (e.g. occasional transfer for a number of limited purposes or where the data subject has given explicit, informed consent to the transfer); or
- an appropriate safeguarding mechanism is used, such as standard contractual clauses or binding corporate rules, which helps to ensure that UK standards of personal data protection 'travel with the data'. When the European Commission published the old SCCs, it approved them for use in the EU which included, at that time, the UK.
The Schrems II case in 2020 established that standard contractual clauses alone were not necessarily sufficient to ensure adequate protection for data subjects and, consequently, it is now also necessary to undertake a transfer risk assessment assessing the law and practices of the country of export and, where appropriate, put in place supplementary measures to address any risks identified.
The good news is that personal data can be freely transferred between the UK and the EEA because the UK has recognised the EEA, and (for the time being at least) the European Commission has recognised the UK, as having 'adequacy', meaning equivalent levels of data protection. They have each made adequacy findings in respect of a number of other countries (see here the ICO's website for the list of countries covered by UK adequacy regulations). The UK government has also announced its intention to streamline its processes for making adequacy regulations in respect of further countries expeditiously.