10 February 2022

The UK International Data Transfer Agreement and the UK Addendum to the new EU SCCs Laid before the UK Parliament

Post Brexit, divergence between the UK and the EU rules on international data transfers were expected, yet pragmatism prevailed in the UK's first proposed related reforms to be adopted on 21 March 2022 (the UK Data Transfer Instruments).

As the judgement of the European Court of Justice on Schrems II dated 16 July2020 ("Schrems II")[1] forms part of retained EU law, it was anticipated that Schrems II requirements would find their way into the new UK Data Transfer Package.

Following the 2021 public consultation of the Information Commissioner's Office (ICO) on data transfers outside the UK[2], there has been expectations from businesses and governments alike that the ICO could open the way to new interpretations of Schrems II and new transfer mechanisms. Hot on the heels of this first part of a wider data transfer package: the announcement of the UK Department for Digital, Culture, Media and Sport (DCMS) on 26 August 2021 of brand new UK Global Data Plans[3]. The plan included a new UK approach to adequacy assessments complemented by a Mission Statement[4] and the ‘UK Adequacy Manual (template[5] and guidance[6]). It also proposes brand new data adequacy partnerships with ten countries namely, the United States, Australia, Republic of Korea, Singapore, Dubai International Finance Centre and Colombia (Priority 1), India, Brazil, Kenya and Indonesia (Priority 2), as set out in a UK data partnership map[7].

As a third step, the DCMS further developed its agenda to champion international flows of data using flexible, innovative approaches and removing “unjustified barriers to international data transfers” in its consultation on a proposed reform of UK Data Protection Laws called "Data: A New Direction" which ran from 10 September to 19 November 2021. Trading carefully between exploring the possibilities to support international data transfers away from Schrems II and recognising the importance to maintain interoperability between the UK’s regime and other regimes, the ICO strikes a balance with the new proposed UK Data Transfer Instruments.

On 2 February 2022, the DCMS laid the international data transfer agreement (IDTA), the international data transfer addendum to the EU Commission standard contractual clauses (UK Addendum), together with an explanatory note of transitionary provisions before Parliament. This step is the final stage prior to the IDTA and UK Addendum becoming incorporated into UK data protection law if no objections is received.

We will take a closer look at the IDTA and the UK Addendum as new transfer mechanisms (Section 1), at the calendar for implementation set out in the transitional provisions (Section 2) before considering what will come next for the UK Data Transfer Package (Section 3).

SECTION 1 - New Transfer Mechanisms: the IDTA and the UK Addendum

SECTION 2 - Calendar for Implementation: Transitional Provisions

SECTION 3 - What is next for the UK Data Transfer Package.

SECTION 1. NEW TRANSFER MECHANISMS: THE IDTA AND THE UK ADDENDUM

The new UK Data Transfer Instruments are to be adopted less than a year after the adoption of the new Standard Contractual Clauses (EU SCC) adopted by the EU Commission on 4 June 2021. They offer significant improvements, fully reflect the EU GDPR and incorporate the Schrems II requirements. For further information on the EU SCCs, please see here[8].

The new EU model clauses use a modular approach that cover four types of data relationships: controller to controller, controller to processor, processor to processor, and processor to controller.

A – A new generation of international modal clauses and data transfers

In the UK, the IDTA and the UK Addendum to the EU SCCs are the ICO's new approach to tacking international transfers in a post-Brexit landscape. Both are mechanisms meant to allow data controllers to meet their safeguarding obligations under article 46 of the UK GDPR in relation to international transfers of personal data.

The IDTA replaces the EU SCCs which have continued to be relied upon, to date, to provide the appropriate safeguards required under the UK GDPR for international data transfers from the UK. The UK Addendum to the EU SCCs is merely incorporating and replacing references to EU laws by references to UK laws and allows businesses to use the EU SCCs for international data transfers from the EU but also from the UK.

The documents laid before parliament do take into account the ICO consultation on Data Transfers and the ICO has confirmed that the detailed responses received during this consultation will be published in due course.

We previously discussed this new approach in detail: to read our discussion please see here[9].

B - IDTA versus UK Addendum

In practice, UK businesses will need to make a choice between using the IDTA or using the EU SCCs and the UK Addendum. The choice may be guided by the specific nature and jurisdictions concerned by data transfers for a given business.

We expect that international companies may be inclined to use all in one solution that is the combination of the EU SCCs and the UK Addendum. Businesses which are already using EU SCCs in their agreements and may transfer personal data both from the UK and the EU may find it more practical to simply use the UK Addendum to meet their UK data protection obligations.

Conversely, UK based businesses transferring personal data from the UK to Third Countries, which may not have transitioned yet to the new EU SCCs or which may not operate in the EU are likely to be good candidates for using the IDTA.

SECTION 2. CALENDAR FOR IMPLEMENTATION: TRANSITIONAL PROVISIONS

The ICO has clearly stated that the new IDTA and UK Addendum may be “immediately of use” even though they will not come into force officially until 21 March 2022, pending Parliamentary approval.

A - Explanatory Notes

In the package laid before Parliament, the ICO have included an explanatory note of Transitional Provisions[10] setting out the time period allowed between the use of the previous transfer mechanisms (the old EU SCCs) and the new IDTA and UK Addendum. The transitional provisions provide an explanation of when the incorporation of the IDTA and the UK Addendum should become mandatory in contracts and transactions.

The note provides clarity on the calendar proposed to transition contracts that contain or rely upon the old EU SCCs, meaning the clauses issued under the European Commission Decision 2001/497/EC and European Commission Decision 2010/87/EU.

B - Key Dates

The laying before Parliament is the final step in the process to bring the IDTA and the UK Addendum into general use if no objection is raised within 40 days (negative procedure).

From 21 March 2022, the approved IDTA or the UK Addendum to the EU SCCs can be used to legitimise transfers from the UK.
From 21 September 2022, the old EU SCCs cannot be used anymore to legitimise transfers from the UK for new contracts.
From 21 March 2024, the 2-year transition period expires. All contracts will need to incorporate either the IDTA or the UK Addendum to legitimise transfers from the UK.

SECTION 3. WHAT'S NEXT FOR THE UK DATA TRANSFER PACKAGE

On 31 January 2022, the ICO published its statement[11] of endorsement to the DCMS laying the new UK Data Transfer Instruments before Parliament and reminded that it is continuing to develop additional related tools and guidance.

We expect further guidance and support to be published by the ICO to help with the transition to IDTA and UK Addendum. Currently, the ICO have already updated its data transfer guidance to incorporate the IDTA and the new UK Addendum as well as a new section on what constitutes a “restricted transfer”.

A restricted transfer is made:

when the UK GDPR applies to the data transfer;
a sender agrees to send or make accessible personal data to a recipient located in a Third Country; and
the recipient is legally distinct from the sender as it is a separate company, organisation or individual. This includes transfers to another company within the same corporate group. but excludes the case where personal data is sent to an employee.

However, we expect further direction to be provided on the wider data transfer issues. Remaining guidance to be published includes:

Clause by clause guidance to the IDTA and UK Addendum;
Guidance on how to use the IDTA;
Guidance on transfer risk assessments; and
Further clarifications on the international transfers guidance.

The ICO currently notes, that the additional guidance should be published shortly. This timeline will hopefully run alongside the transition period dates (as discussed above).

In conclusion, the IDTA and the UK Addendum have been welcomed by the UK data protection community as they do not create concerns of inconsistency with the EU GDPR or threat to the UK Adequacy decision of the European Commission. The two stem approach by the ICO grants business flexibility in how to approach an international data transfer and follows the risk based approach championed by the UK GPDR. Nonetheless, businesses will need to start to proactively updating template agreements and ensure that the correct mechanism is relied upon to ensure continued compliance with UK GDPR and for international companies with the EU GDPR as well.

For further information on the new UK Data Transfer Package developments please see our Data Download webinar series: here[12].

Footnotes

[1]Judgment of the Court (Grand Chamber) of 16 July 2020

[2]The consultation ran from 11 August to 11 October 2022

[3]UK unveils post-Brexit global data plans to boost growth, increase trade and improve healthcare

[4]UK approach to international data transfers

[5]Manual Template

[6]International data transfers: building trust, delivering growth and firing up innovation

[7]UK Data Partnership Map

[8]Please see: INTERNATIONAL DATA TRANSFERS

[9]The UK ICO's consultation on data transfers outside of the UK towards a new model data transfer contract

[10]International Data Transfer Agreements – Transitional Provisions