New UK Standard Contractual Clauses for Personal Data Transfers

Organisations will be able to use the IDTA or the UK Addendum as a transfer mechanism to comply with the requirement under Art. 46 of the UK GDPR to provide “appropriate safeguards” for personal data when it is transferred from the UK to countries which are not covered by the UK’s “adequacy regulations”[1].

The need for these new UK clauses was brought about by a combination of the GDPR, Brexit and European case law: organisations wishing to make such personal data transfers from the UK are currently entering into the “old” standard contractual clauses from 2001 or 2004 (controller to controller) and 2010 (controller to processor) which were adopted by the European Commission under the 1995 Data Protection Directive (the “old EU SCCs”). However, these old EU SCCs do not take account of all the provisions in the UK GDPR or of the CJEU’s decision in the Schrems II case in July 2020 (which still applies in the UK as it was handed down pre-Brexit), so it was clear that the old EU SCCs could not be recognised as providing appropriate safeguards for personal data in the long term. By contrast, the new EU SCCs do take the GDPR and Schrems II into account. However, as they were adopted after Brexit, they are not valid for transfers to which the UK GDPR applies.

The promulgation of the IDTA and UK Addendum follows a consultation exercise on UK international data transfer arrangements carried out by the UK Information Commissioner (“ICO”) last autumn.

The IDTA and UK Addendum are still awaiting Parliamentary approval but, unless any objections are raised (which seems unlikely), they will come into force on 21 March 2022.

Transitional provisions

Transfer arrangements using the old EU SCCs and concluded before 21 September 2022[2] will continue to be valid until 21 March 2024 (unless the actual underlying processing operations change before that latter date).

In other words, after 21 September 2022, organisations must use the IDTA or the UK Addendum if they want to enter into new arrangements for transfers which are subject to the UK GDPR, and any existing arrangements for UK transfers based on the old EU SCCs must be replaced by 21 March 2024.

When should we use the UK Addendum and what are its pros and cons?

The UK Addendum is an “add-on” to the new EU SCCs. Most large multinational organisations will be making numerous international transfers of personal data that are subject to the EU GDPR and UK GDPR and they may already be using, or intend to use, the new EU SCCs for their data transfers from the EU. Therefore, it makes sense for these organisations to use the UK Addendum to “fold” their data flows from the UK into these EU SCCs too.

On the plus side…

Flexibility and easy execution: The UK Addendum is short, clear and flexible. In particular, there is flexibility as to how it can be executed and incorporated. The ICO has drafted the UK Addendum as a free-standing document, which should be signed by the parties, and with a tabular structure to set out details of data flows and to confirm how various optional provisions will apply. Organisations which want to execute data transfer agreements just to cover UK data could, therefore, use the UK Addendum as-is. Organisations which want to fold the UK Addendum provisions into wider group data transfer arrangements are given flexibility to do this – as the UK Addendum makes clear both that the UK-specific signatures are optional (any way of making the UK Addendum binding is acceptable) and that the table format can be altered. Also, any ICO revisions to the UK Addendum in the future will take effect automatically (this is the same in the IDTA), with provision made for an optional termination clause where such revisions cause a “substantial, disproportionate and demonstrable increase” in a party’s costs and/or risks.

On the minus side…

The fact that the UK Addendum is an “add-on” to the new EU SCCs can be a limiting factor: Use of the UK Addendum is a no-brainer in a global data transfers scenario (particularly intra-group transfers); however because it operates as an addendum to the new EU SCCs (tweaking them only insofar as to make them “work” for UK transfers), it cannot cure the deficiencies of the new EU SCCs, their main deficiency being that they do not cover all scenarios: the new EU SCCs cannot be used if the importer is directly subject to the UK GDPR on an extra-territorial basis, and they can only be used where the exporter/importer relationship “matches” the new EU SCC’s modules (for example, there is no module that can be used if a processor transfers data to another processor who is not a sub-processor). For more information on these points, see our articles on the new EU SCCs, and on the draft EDPB Guidelines on the interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V of the GDPR (“EDPB’s Art. 3/Chapter V Guidelines”).

It only works as an addendum to the new EU SCCs: When the ICO carried out its consultation last year, the ICO considered drafting addenda that could be appended to data transfer agreements issued by other countries or regions such as the New Zealand or ASEAN agreements (and not just to the new EU SCCs). However, the ICO has not issued any such addenda. The UK Addendum only works alongside the new EU SCCs.

Timing complexity: If organisations intend to implement the new EU SCCs for EU transfers and the UK Addendum for UK transfers at the same time, bear in mind that the long-stop date for replacement with the new EU SCCs is 27 December 2022 (assuming no change to the actual underlying processing before that date) - which is rather sooner than the UK Addendum long-stop date of 21 March 2024.

When should we use the IDTA and what are its pros and cons?

As noted above, the IDTA is an alternative to the UK Addendum. It is a standalone agreement intended to be used for UK transfers without having also to enter into the new EU SCCs (whereas the UK Addendum only works alongside the new EU SCCs). The IDTA is likely to be the way to go for organisations which are only UK-based and only process personal data to which the UK GDPR applies who do not need to trouble themselves with EU SCCs.

On the plus side…

Flexibility: Unsurprisingly, the IDTA closely tracks the provisions of the new EU SCCs; however, it is clearer and more user-friendly, flexible and conscious of the commercial context. For example:

• As we commented at the time of the ICO consultation, the IDTA is a single, “one-size fits all” agreement, rather than taking the modular structure of the new EU SCCs – once the tables in the IDTA are completed (covering the parties’ details, transfer description, security requirements, any extra protection clauses which may be required and any commercial provisions which the parties may want added), it can be signed as is, no cut and pasting required (although that is also allowed).
• The mandatory provisions in the IDTA cannot be changed, but parties are free to edit the tables and can also make the agreement multi-party if they want (like the new EU SCCs) – and can nominate one “lead” party to make decisions on all/some of the other parties’ behalf.
• The IDTA takes into account that the parties may already have entered into another “linked” commercial agreement (such as a master services agreement or similar) and allows for the incorporation of the terms of that “linked” agreement into the IDTA provided the rights granted under the IDTA are not affected. In particular, any audit provisions agreed under the linked agreement will apply to the IDTA - this addresses the difficulty sometimes faced when using the new EU SCCs where the latter’s broad audit rights do not contain the process or timing measures typically included in the related commercial agreement.
• The IDTA covers more scenarios than the new EU SCCs: whereas, as noted above, the new EU SCCs can only be used if the exporter/importer relationship is consistent with the new EU SCC modules, the IDTA can be used in more situations. In particular, it can be used if a processor transfers personal data to an organisation which is not its instructing controller, or its sub-processor (for example, a processor transferring data to another processor appointed by the instructing controller).
• Part 2 of the IDTA (Extra Protection Clauses) specifically allows for any additional safeguards/supplementary measures required by Schrems II and the EDPB’s associated recommendations on supplementary measures to be separately listed in the IDTA . By contrast, the new EU SCCs are not drafted in a way that allows the parties to “plug in” additional supplementary measures into the text of the agreement; drafting amendments are required to achieve this.
• The IDTA provides an additional alternative dispute resolution mechanism in the form of arbitration (the new EU SCCs generally only allow resolution through the courts although data subjects can lodge complaints with a dispute resolution body if the parties select this clause under the new EU SCCs).

It can be used even if the importer is directly subject to the UK GDPR: Happily the IDTA resolves, for the UK at least, the uncertainty that arose in relation to the new EU SCCs around their scope of application; Recital 7 of the implementing decision for the new EU SCCs states that they may only be used “to the extent that the processing by the importer does not fall within the scope of” the EU GDPR, begging the question of what clauses should be implemented where the importer does fall within the EU GDPR on an extra-territorial basis. However, the ICO has made it very clear in the IDTA that it can cover transfers even if the importer is directly subject to the UK GDPR. In this situation, the sections of the IDTA which contain UK GDPR obligations (for example, compliance with data protection principles, data breach, data subject rights etc.) are disapplied – because they apply automatically to the importer anyway under Art. 3.

Some of the more onerous requirements suggested as part of the ICO consultation did not make the final cut: For example, the draft IDTA issued as part of the consultation required that its provisions and the associated transfer risk assessment (“TRA”) should be reviewed annually, which could have been excessive particularly for low-risk transfers. Under the final IDTA laid before Parliament, review must be “at regular intervals” with the parties being able to set the frequency of review in the IDTA’s tables (Review Dates).

On the minus side…

The mandatory processor requirements under Art. 28 UK GDPR are not included: Whereas the new EU SCCs incorporate the Art. 28 GDPR requirements (i.e. when module 2 (controller to processor) of the new EU SCCs is used, it already has the appropriate mandatory processor obligations under Art. 28 built in so a separate data processing agreement is not needed between controller and processor), this is not the case with the IDTA - Clause 1.4 of the IDTA’s Mandatory Clauses makes it clear that it envisages that a linked agreement will cover this off, which it may well do in practice. However it complicates the patchwork of data transfer agreements.

Transfer risk assessments

Whether you use the IDTA or the UK Addendum as your transfer mechanism under the UK GDPR (or are still entering into the old EU SCCs for UK transfers until 21 September 2022), you must carry out a TRA before any transfer is made. This is the same exercise as required when using the new EU SCCs for EU personal data transfers, following Schrems II. The ICO sought views on its draft UK TRA as part of its consultation last year but this has not yet been finalised. Where it is determined under the TRA that the laws and practices in the “non-adequate” third country do not provide a level of protection essentially equivalent to that under the UK data protection regime, then supplementary measures must be put in place before any transfer is made (also per the Schrems II judgement).

Further guidance

The ICO has updated its Guide to the UK GDPR to reflect the above changes and to clarify the meaning of “restricted transfer” under the UK GDPR: as noted above, it is now clear that this includes transfers to importers to which the UK GDPR applies on an extra-territorial basis. The other important change is that there is now only a restricted transfer if personal data are transferred from one “legally distinct” entity to another i.e. the transfer of data by a branch in the UK to the mother organisation in a “non-adequate”, third country is not to be regarded as a restricted transfer under the UK GDPR (and hence there is no need for additional safeguards). Both of these points are in line with the EDPB’s draft Art. 3/Chapter V Guidelines (see our article on these Guidelines here).

The ICO also intends to issue clause-by-clause guidance to the IDTA and UK Addendum and guidance on transfer risk assessments – to be published “soon”.

[1] The UK has “adequacy regulations” in relation to the following countries and territories:

• the EEA countries (i.e. all EU member states plus Iceland, Norway and Liechtenstein);
• EU or EEA institutions, bodies, offices or agencies;
• Gibraltar
• countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020) i.e:
  • a full finding of adequacy for the following countries and territories: Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay; and
  • a partial finding of adequacy for Japan (only covers private sector organisations) and Canada (only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act).

Note that the European Commission made an adequacy decision for the Republic of Korea in December 2021 but it has not yet been subject to a UK adequacy regulation.

[2] There was a typo in the ICO’s “International Data Transfer Agreements - Transitional Provisions” document and in the transitional provisions initially laid before Parliament on 28 January 2022 (21 September 2021 was stated instead of 21 September 2022) but this has been corrected in the version laid before Parliament on 2 February 2022.