Following the conclusion of the Information Commissioner's Office ("ICO") 2021 consultation on the UK's draft international data transfer agreement and accompanying methodology, the Secretary of State laid before Parliament the final version of the transfer documents on 28 January 2022.
Collectively, the following documents are intended to be used by organisations transferring personal data outside of the UK in order to comply with their obligations under the UK GDPR:
- the finalised international data transfer agreement ("IDTA") (available here);
- the addendum to the European Commission's standard contractual clauses for the international transfer of personal data to third countries (the "UK Addendum") (available here); and
- transitional provisions guidance covering the use of both documents (available here).
Unless any opposition is received by Parliament, these new measures will come into force on 21 March 2022. For further information about the August 2021 ICO consultation and the legal background informing it, see our blog post here.
The new IDTA and the UK Addendum are intended to replace the existing version of the European Commission's standard contractual clauses (the "Old SCCs") for the purposes of making restricted transfers of personal data out of the UK. The UK Addendum in particular is intended to be appended to the new EU standard contractual clauses, which came into force on 27 September 2021 (the "New EU SCCs"). For further detail on this update and the practical effects, please see our previous blog post here.
The IDTA includes appropriate safeguards capable of legitimising restricted transfers to other countries outside the UK. Crucially, the IDTA seeks to incorporate the 'supplementary measures' required pursuant to the ECJ's judgement in Schrems II in order to protect personal data being sent to countries which, without these measures in place, would otherwise not provide adequate protection. The IDTA will likely be most useful for UK-centric organisations who transfer data out of the UK only.
Comparatively, the UK Addendum will be useful for multi-national organisations spanning both the EEA and the UK. It is designed to be used in combination with the New EU SCCs, to which it applies a range of non-controversial amendments in order to adapt the New EU SCCs for use in a UK context. The UK Addendum consequently provides an alternative to the IDTA route whereby the New EU SCCs, in combination with the UK Addendum, can be used to validate a transfer from the UK, in a similar way to which the Old SCCs are currently used.
For multi-national organisations whose transfer arrangements are already predicated upon the use of the New EU SCCs to transfer data outside of the EEA but will also be making restricted transfers out of the UK, the UK Addendum means that effectively only one transfer regime needs to be negotiated for transfers out of both jurisdictions. The UK Addendum and the IDTA can therefore be considered an "either/or" mechanism, dependent upon the requirements of the organisation concerned.
Timeframes for implementation
Provided that no objections are raised by Parliament, both the IDTA and the UK Addendum will be available to organisations to use from 21 March 2022 onwards.
According to the ICO documentation, for any agreements entered into on or before 21 September 2022 incorporating the Old SCCs, organisations can still rely on the Old SCCs to validate restricted transfers of personal data out of the UK until 21 March 2024, a generous grace period compared to the timeframes imposed by the EU in relation to the New EU SCCs.
It is worth noting that only arrangements which involve a restricted transfer out of the UK alone will be subject to this grace period i.e. if an organisation has an arrangement in place which involves making restricted transfers out of both the EEA and UK, the longer grace period will only apply to the UK restricted transfer and the EEA element will need to be addressed in accordance with the deadlines set by the EU. By way of a reminder, existing agreements (entered into before 27 September 2021) incorporating the Old SCCs remain valid and provide appropriate safeguards for the purposes of the EU GDPR until 27 December 2022.
Following 21 March 2024, organisations will no longer be able to rely upon the old SCCs for making restricted transfers out of the UK and contractual arrangements incorporating the Old SCCs will need to be have been repapered to incorporate either the IDTA or the New EU SCCs coupled with the UK Addendum.
The ICO is also set to publish further supporting materials to assist organisations to navigate these new arrangements in due course. Such materials should include explanatory notes to both the IDTA and the Addendum and guidance on transfer risk assessments and on international transfers more generally. These materials will provide welcome interpretative guidance to assist organisations to incorporate these new documents into their existing transfer arrangements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.