As of 21 March 2022, the UK International Data Transfer Agreement (“IDTA”) and an addendum to the European Commission’s new Standard Contractual Clauses (“New EU SCCs”) (“Addendum”) have been approved by the UK Parliament. This long-awaited approval is good news for organisations subject to the UK GDPR. Such organisations now have two UK GDPR-compliant transfer mechanisms at their disposal, (i) the IDTA or (ii) the Addendum, for transfers of personal data from the UK to third-party organisations and group companies located in third countries that are not covered by the UK’s adequacy decisions (unless an alternative transfer mechanism or derogation applies), such as the U.S.
Separately, on 25 March 2022, President Biden and European Commission President Ursula von der Leyen made a joint press statement announcing that they have an agreement in principle on a new framework for transatlantic data flows between the EU and U.S.
This Alert summarises, at a high level, the key impacts and significance of these developments and outlines the practical steps that businesses should now be taking to ensure continued compliance with the UK GDPR requirements applicable to cross-border transfers of personal data.
Transfers from the EU: Transatlantic Breakthrough?
The U.S. and EU’s recent press release will bring a sigh of relief for many large multinational organisations, which transfer a significant volume of personal data between the EU and the U.S. The Schrems II decision in July 2020 invalidated the EU-U.S. Privacy Shield (to which U.S. organisations could self-certify) with immediate effect (as reported by us here), which left many organisations that engage in steady transatlantic transfers of personal data in an uncertain GDPR compliance position.
Details of the new data pact have not yet been released. However, the press statement reassures organisations that the aim of the new agreement will be to enable predictable and trustworthy data flows between the EU and the U.S. Only time will tell if this can be achieved (and sustained without future legal challenge) in practice. It is speculated that an agreement between the EU and U.S. will be adopted this spring. The UK is conducting separate negotiations with the U.S. to address data flows from the UK.
Transfers from the UK: The Need for the UK IDTA and Addendum
Prior to 21 March 2022, organisations making personal data transfers from the UK to the U.S. (and other third countries) had been relying on the old EU standard contractual clauses (“Old EU SCCs”), which did not take into account the UK GDPR or the CJEU’s decision in Schrems II. Organisations subject to the UK GDPR were not obliged to consider the New EU SCCs because they were adopted after Brexit (further information on cross-border transfers post Schrems II and Brexit has been reported by us here). Therefore, the IDTA and Addendum provide much-awaited clarity and an effective solution for organisations wishing to comply with the requirement under Article 46 of the UK GDPR to provide “appropriate safeguards” for personal data transferred from the UK to third countries.
What is the IDTA?
The IDTA is essentially a standalone contract made up of four parts:
- Tables;
- Extra Protection Clauses;
- Commercial Clauses; and
- Mandatory Clauses.
The UK data protection regulator, the ICO, has confirmed that the IDTA is an appropriate safeguard for parties wishing to comply with the UK GDPR without needing to enter into the New EU SCCs — for example, when transfers only concern transfers from the UK (and not the EU).
What is the Addendum?
Organisations may now use the Addendum to apply and incorporate the New EU SCCs when transferring personal data from both the EU and the UK to third countries. Accommodating Brexit, the Addendum replaces references from EU laws to UK laws. Notably, the Addendum works in connection with the New EU SCCs. Organisations that currently have the Old EU SCCs in place cannot therefore add on the Addendum without updating the Old EU SCCs to the New EU SCCs or simply opting to use the IDTA instead. It is worth noting however, that where the Old EU SCCs are in place to legitimise transfers from the EU (rather than solely from the UK), these will need to be updated and replaced with the New EU SCCs by 27 December 2022 in any event.
The IDTA and the Addendum are alternatives – we set out below when each is best used.
The IDTA or Addendum — Which Mechanism is Suitable for your Organisation?
Large multinational organisations — The Addendum
Large multinational organisations that are making numerous international transfers of personal data are likely to be subject to both the EU GDPR and the UK GDPR. Therefore, in practice it is likely to be more convenient for such organisations to streamline their data transfer arrangements and to use the New EU SCCs with the Addendum. Fortunately, the Addendum is clearly drafted and acts as an “add-on” to the New EU SCCs.
Organisations only based in the UK — The IDTA
Alternatively, organisations that are not subject to the EU GDPR and only need to comply with the UK GDPR can opt to use the IDTA. Given the extra-territorial effect of both laws, it is worth noting that UK-based organisations will need to comply with the EU GDPR in addition to the UK GDPR (and so the IDTA may not be appropriate) if they offer goods or services to, or monitor the behaviour of, individuals in the EU. The IDTA: provides organisations with a standardised “one-size-fits-all” agreement to comply with the UK GDPR; allows parties to incorporate relevant commercial agreements into the IDTA (provided that the rights under the IDTA, for example audit provisions, are not affected); covers more scenarios than the New EU SCCs; and provides for arbitration to be used as an alternative to court. Note that the IDTA does not include the controller-to-processor data processing provisions that are mandatory under Article 28 of the UK GDPR (unlike the New EU SCCs), so these must be addressed in a linked agreement where required.
What is a Transfer Risk Assessment (“TRA”)?
Organisations must carry out a TRA before using the IDTA or Addendum. This is a similar exercise to the ‘Transfer Impact Assessment’ that is required when using the New EU SCCs for ex-EU personal data transfers, applying the reasoning in the Schrems II judgment. A TRA ensures that the IDTA or the Addendum is a suitable safeguard for transferring personal data to restricted jurisdictions, because the TRA is used to check that local laws and practices do not override the provisions of the IDTA or of the New EU SCCs as applied by the Addendum.
Key Dates and Deadlines
The deadline for organisations to enter into the IDTA or Addendum to address their data flows outside of the UK/EU depends on the following key dates relating to when transfer arrangements were concluded:
- if a contract was concluded before 21 March 2022 and included the Old EU SCCs, the Old EU SCCs within that contract can be relied on until 21 March 2024, provided that (i) the processing operations that are the subject matter of the contract remain unchanged; and (ii) reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards (save where ex-EU transfers are also implicated under the EU GDPR, in which case the Old EU SCCs need to be replaced with the New EU SCCs by 27 December 2022 in respect of any ex-EU transfers); or
- if a contract is concluded between 21 March 2022 and 21 September 2022, the UK has set out transitional provisions permitting new contracts concluded during this grace period to use the Old EU SCCs for such UK-only transfers until 21 March 2024 (provided that the processing operations under the contract remain unchanged); or
- if a contract is concluded after 21 September 2022, then all new contracts for ex-UK personal data transfers will need to contain either the IDTA or Addendum (as appropriate).
Next Steps for Businesses
In light of the recently approved IDTA and Addendum, organisations will need to consider and take the following practical steps:
- Understand your cross-border personal data transfers. For example:
- to which jurisdiction is personal data being transferred from the UK?
- what are the roles of the respective parties to the transfer (e.g., controller, processor or sub-processor)?
- in respect of what contracts / transfers is your organisation reliant on the Old EU SCCs (and do such contracts implicate solely ex-UK transfers, ex-EU transfers or both)?
- Confirm which agreements will need to be updated in light of the deadlines set out in the transitional provisions. In particular, focus on the agreements where there is a significant volume of personal data being transferred out of the UK/EU, or where personal data is being transferred under the Old EU SCCs. Taking a phased, risk-based approach may be helpful if there is a significant volume of contracts to address. Organisations may wish to address contracts with key service providers and their intragroup data transfer agreements first, before turning to contracts under which a lower volume of personal data is transferred.
- Consider the UK safeguard that is the most appropriate for your organisation. Consider which UK mechanism is most appropriate for the relevant transfer (is it more convenient to simply update the Old EU SCCs to the New EU SCCs and use the Addendum, or enter into the IDTA?).
- Carry out a TRA. Consider whether the laws and practices in the relevant third country provide a level of protection that is “essentially equivalent” to that under the UK data protection laws, and if not, whether (and what) supplementary measures can be taken before any transfer is made (following the reasoning in the Schrems II judgment).
- Set an implementation timeline. We recommend that organisations required to revisit and repaper their ex-UK/EU data transfers in light of these developments maintain an implementation tracker to ensure all relevant data flows are addressed in advance of the deadlines discussed above, noting that different deadlines apply to repapering contracts with respect to ex-UK and ex-EU transfers of personal data.