Since Brexit, on 31 January 2020, the EU and the UK's development of the General Data Protection Regulation ("GDPR") could begin to diverge. The European Commission adopted new Standard Contractual Clauses for the transfer of personal data from the EEA to Non-GDPR adequate countries (the "New EU SCCs").
Separately, but in a similar vein, on the 28th of January 2022, the UK's Information Commissioner's Office ("ICO") announced that the international data transfer agreement (the "IDTA"), which is ofttimes referred to as the 'UK standard contractual clauses', can indeed be used as an appropriate safeguard for transferring data outside of the UK and ensuring compliance with the UK GDPR (the retained EU law version of the GDPR).
This overlapping update to contractual transfer mechanisms have given companies additional regulatory burdens. To simplify the process, for organisations that transfer personal data outside of the EU/EEA, the UK will recognise the New EU SCCs as appropriate safeguards for transfers out of the UK, subject to the parties also using the international data transfer addendum ("IDTA Addendum") in addition to the New EU SCCs. This allows organisations to use only one set of SCCs: the New EU SCCs together with the IDTA Addendum, instead of both the New EU SCCs and the IDTA.
See here for further background information on the IDTA.
Deadline
For contracts entered into on or after 21 September 2022 (the "IDTA deadline"), organisations transferring UK originated personal data will be required to use the IDTA, or the New EU SCCs together with the IDTA Addendum.
What next?
In light of the fast-approaching IDTA Deadline, organizations conducting restricted transfers from the EU/ EEA or the UK to third countries not covered by EU 'adequacy decisions' need to take immediate action and incorporate either the IDTA or the New EU SCCs together with the IDTA Addendum in order to ensure compliance with the UK GDPR. Find the list of the countries recognised by the European Commission as providing adequate protection here.
The ICO has published additional guidance to provide support to organisations navigating this transition. See the ICO's statement here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.