On 2 February 2022, the UK’s new International Data Transfer Agreement (“IDTA”), and new International Data Transfer Addendum (the “UK Addendum”) to the European Commission’s new standard contractual clauses (the “new EU SCCs”) were laid before Parliament, along with related transitional provisions. The IDTA and the UK Addendum are essentially the “UK version” of the new EU SCCs. The IDTA and the UK Addendum are alternatives – we explain below when each is best used.
Organisations will be able to use the IDTA or the UK Addendum as a transfer mechanism to comply with the requirement under Art. 46 of the UK GDPR to provide “appropriate safeguards” for personal data when it is transferred from the UK to countries which are not covered by the UK’s “adequacy regulations”[1].
The need for these new UK clauses was brought about by a combination of the GDPR, Brexit and European case law: organisations wishing to make such personal data transfers from the UK are currently entering into the “old” standard contractual clauses from 2001 or 2004 (controller to controller) and 2010 (controller to processor) which were adopted by the European Commission under the 1995 Data Protection Directive (the “old EU SCCs”). However, these old EU SCCs do not take account of all the provisions in the UK GDPR or of the CJEU’s decision in the Schrems II case in July 2020 (which still applies in the UK as it was handed down pre-Brexit), so it was clear that the old EU SCCs could not be recognised as providing appropriate safeguards for personal data in the long term. By contrast, the new EU SCCs do take the GDPR and Schrems II into account. However, as they were adopted after Brexit, they are not valid for transfers to which the UK GDPR applies.
The promulgation of the IDTA and UK Addendum follows a consultation exercise on UK international data transfer arrangements carried out by the UK Information Commissioner (“ICO”) last autumn.
The IDTA and UK Addendum are still awaiting Parliamentary approval but, unless any objections are raised (which seems unlikely), they will come into force on 21 March 2022.
Transfer arrangements using the old EU SCCs and concluded before 21 September 2022[2] will continue to be valid until 21 March 2024 (unless the actual underlying processing operations change before that latter date).
In other words, after 21 September 2022, organisations must use the IDTA or the UK Addendum if they want to enter into new arrangements for transfers which are subject to the UK GDPR, and any existing arrangements for UK transfers based on the old EU SCCs must be replaced by 21 March 2024.
The UK Addendum is an “add-on” to the new EU SCCs. Most large multinational organisations will be making numerous international transfers of personal data that are subject to the EU GDPR and UK GDPR and they may already be using, or intend to use, the new EU SCCs for their data transfers from the EU. Therefore, it makes sense for these organisations to use the UK Addendum to “fold” their data flows from the UK into these EU SCCs too.
On the plus side…
Flexibility and easy execution: The UK Addendum is short, clear and flexible. In particular, there is flexibility as to how it can be executed and incorporated. The ICO has drafted the UK Addendum as a free-standing document, which should be signed by the parties, and with a tabular structure to set out details of data flows and to confirm how various optional provisions will apply. Organisations which want to execute data transfer agreements just to cover UK data could, therefore, use the UK Addendum as-is. Organisations which want to fold the UK Addendum provisions into wider group data transfer arrangements are given flexibility to do this – as the UK Addendum makes clear both that the UK-specific signatures are optional (any way of making the UK Addendum binding is acceptable) and that the table format can be altered. Also, any ICO revisions to the UK Addendum in the future will take effect automatically (this is the same in the IDTA), with provision made for an optional termination clause where such revisions cause a “substantial, disproportionate and demonstrable increase” in a party’s costs and/or risks.
On the minus side…
The fact that the UK Addendum is an “add-on” to the new EU SCCs can be a limiting factor: Use of the UK Addendum is a no-brainer in a global data transfers scenario (particularly intra-group transfers); however, because it operates as an addendum to the new EU SCCs (tweaking them only insofar as needed to make them “work” for UK transfers), it cannot cure the deficiencies of the new EU SCCs. Their main deficiency is that they do not cover all scenarios: the new EU SCCs cannot be used if the importer is directly subject to the UK GDPR on an extra-territorial basis, and they can only be used where the exporter/importer relationship “matches” the new EU SCCs’ modules (for example, there is no module that can be used if a processor transfers data to another processor who is not a sub-processor). For more information on these points, see our articles on the new EU SCCs, and on the draft EDPB Guidelines on the interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V of the GDPR (“EDPB’s Art. 3/Chapter V Guidelines”).
It only works as an addendum to the new EU SCCs: When the ICO carried out its consultation last year, the ICO considered drafting addenda that could be appended to data transfer agreements issued by other countries or regions such as the New Zealand or ASEAN agreements (and not just to the new EU SCCs). However, the ICO has not issued any such addenda. The UK Addendum only works alongside the new EU SCCs.
Timing complexity: If organisations intend to implement the new EU SCCs for EU transfers and the UK Addendum for UK transfers at the same time, bear in mind that the long-stop date for replacement with the new EU SCCs is 27 December 2022 (assuming no change to the actual underlying processing before that date) - which is rather sooner than the UK Addendum long-stop date of 21 March 2024.
As noted above, the IDTA is an alternative to the UK Addendum. It is a standalone agreement intended to be used for UK transfers without having also to enter into the new EU SCCs (whereas the UK Addendum only works alongside the new EU SCCs). The IDTA is likely to be the way to go for organisations which are only UK-based, which only process personal data to which the UK GDPR applies, and which do not need to trouble themselves with EU SCCs.
On the plus side…
Flexibility: Unsurprisingly, the IDTA closely tracks the provisions of the new EU SCCs; however, it is clearer and more user-friendly, flexible and conscious of the commercial context. For example:
It can be used even if the importer is directly subject to the UK GDPR: Happily the IDTA resolves, for the UK at least, the uncertainty that arose in relation to the new EU SCCs around their scope of application; Recital 7 of the implementing decision for the new EU SCCs states that they may only be used “to the extent that the processing by the importer does not fall within the scope of” the EU GDPR, begging the question of what clauses should be implemented where the importer does fall within the EU GDPR on an extra-territorial basis. However, the ICO has made it very clear in the IDTA that it can cover transfers even if the importer is directly subject to the UK GDPR. In this situation, the sections of the IDTA which contain UK GDPR obligations (for example, compliance with data protection principles, data breach, data subject rights etc.) are disapplied – because they apply automatically to the importer anyway under Art. 3.
Some of the more onerous requirements suggested as part of the ICO consultation did not make the final cut: For example, the draft IDTA issued as part of the consultation required that its provisions and the associated transfer risk assessment (“TRA”) should be reviewed annually, which could have been excessive particularly for low-risk transfers. Under the final IDTA laid before Parliament, review must be “at regular intervals” with the parties being able to set the frequency of review in the IDTA’s tables (Review Dates).
On the minus side…
The mandatory processor requirements under Art. 28 UK GDPR are not included: Whereas the new EU SCCs incorporate the Art. 28 GDPR requirements (i.e. when module 2 (controller to processor) of the new EU SCCs is used, it already has the appropriate mandatory processor obligations under Art. 28 built in so a separate data processing agreement is not needed between controller and processor), this is not the case with the IDTA. Clause 1.4 of the IDTA’s Mandatory Clauses makes it clear that it envisages that a linked agreement will cover this off, which it may well do in practice. However, it complicates the patchwork of data transfer agreements.
Whether you use the IDTA or the UK Addendum as your transfer mechanism under the UK GDPR (or are still entering into the old EU SCCs for UK transfers until 21 September 2022), you must carry out a TRA before any transfer is made. This is the same exercise as required when using the new EU SCCs for EU personal data transfers, following Schrems II. The ICO sought views on its draft UK TRA as part of its consultation last year but this has not yet been finalised. Where it is determined under the TRA that the laws and practices in the “non-adequate” third country do not provide a level of protection essentially equivalent to that under the UK data protection regime, then supplementary measures must be put in place before any transfer is made (also per the Schrems II judgement).
The ICO has updated its Guide to the UK GDPR to reflect the above changes and to clarify the meaning of “restricted transfer” under the UK GDPR: as noted above, it is now clear that this includes transfers to importers to which the UK GDPR applies on an extra-territorial basis. The other important change is that there is now only a restricted transfer if personal data are transferred from one “legally distinct” entity to another, i.e. the transfer of data by a branch in the UK to the mother organisation in a “non-adequate” third country is not to be regarded as a restricted transfer under the UK GDPR (and hence there is no need for additional safeguards). Both of these points are in line with the EDPB’s draft Art. 3/Chapter V Guidelines (see our article on these Guidelines here).
The ICO also intends to issue clause-by-clause guidance to the IDTA and UK Addendum and guidance on transfer risk assessments – to be published “soon”.
[1] The UK has “adequacy regulations” in relation to the following countries and territories:
Note that the European Commission made an adequacy decision for the Republic of Korea in December 2021 but it has not yet been subject to a UK adequacy regulation.
[2] There was a typo in the ICO’s “International Data Transfer Agreements - Transitional Provisions” document and in the transitional provisions initially laid before Parliament on 28 January 2022 (21 September 2021 was stated instead of 21 September 2022) but this has been corrected in the version laid before Parliament on 2 February 2022.