This week, the new rules for personal data transfers to countries outside the United Kingdom (“UK”) went into effect. As of March 21, 2022, businesses transferring personal data from the UK to countries outside the European Economic Area (“EEA”) need to analyze their data flows and update their agreements involving data transfer practices to reflect the UK Data Protection Authority’s (“ICO”) new standard contractual clauses.
Under both the European Union’s General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018, businesses are required to implement certain safeguards when transferring personal data outside the UK to countries “without an adequate level of data protection.” Standard contractual clauses (“SCCs”) are largely used to validate these types of transfers in the European Union as permitted under GDPR. However, following the “Brexit” transition period that concluded on December 31, 2020, GDPR no longer applied to the UK. Further, when the European Union revised SCCs in June 2021, the changes did not apply in the UK, and companies were left with confusion on how to effectuate personal data transfers outside the UK.
To address this confusion, the ICO issued a toolkit of SCCs in the form of two documents:
- International Data Transfer Agreement (“IDTA”). This document is the equivalent of the new EU SCCs for international data transfers from the UK to countries without “essentially equivalent” privacy laws. The IDTA may be executed as a standalone agreement to accompany an underlying agreement or master services agreement to comply with UK Data Protection Laws. Like the new EU SCCs, the IDTA places extensive contractual obligations on both importers and exporters of personal data, including obligations that take into account the European Court of Justice decision in Schrems II.
- UK Addendum to EU’s 2021 SCCs. This Addendum allows companies subject to both UK Data Protection Laws and GDPR to secure international data transfers without executing a separate and independent agreement such as the IDTA. The Addendum is a nine-page document that amends certain clauses of the new EU SCCs so that exporters of personal data can simply use the new EU SCCs for international data transfers from the UK.
A natural question for businesses is whether they should use the IDTA or the Addendum when transferring personal data to third countries. At this time, the EU Commission has remained silent regarding the IDTA and the Addendum, but businesses that operate in both the UK and EU need to comply with both GDPR and UK Data Protection Act 2018. Because the EU Commission has not approved the use of the IDTA with amendments to recognize international data transfers from the EU, organizations with global operations and third-party vendor data flows may ensure compliance by using the new EU SCCs with the Addendum. Doing so is a more efficient and cost-effective strategy than using the IDTA and building additional mechanisms upon it.
The IDTA and the Addendum are currently in effect. ICO has confirmed in the “transitional provisions” that organizations entering into the “old” EU SCCs with UK incorporating language on or before September 21, 2022, will remain a valid means of making international transfers until March 21, 2024. This is similar to the EU Commission’s “grace period” for relying upon the “old” EU SCCs for international data transfers outside of the EU. Under the Commission’s grace period, organizations are no longer permitted to enter into the old EU SCCs, but can rely upon such SCCs in agreements executed prior to September 27, 2021, until December 27, 2022.
International data transfers can be incredibly technical and implicate several international laws and regulations. As part of any data governance program or contract review process, we recommend mapping and classifying the data transfers and working with counsel to confirm compliance efforts. For more information on the IDTA and Addendum, Data Processing Agreements, or other privacy matters, please contact Taft’s Privacy and Data Security team.