Legal briefing | 02 Mar 2022 |

ICO Finalises UK International Data Transfer Agreements

The UK’s International Data Transfer Agreement (IDTA) and the Addendum to the new EU SCCs (Addendum), together with accompanying transitional provisions, were laid before Parliament 2 February 2022. Unless Parliament objects (which is unlikely), they will come into effect on 21 March 2022.

These transfer agreements now provide organisations with mechanisms to replace the "old" EU standard contractual clauses (old SCCs) upon which they have needed to rely previously, where no appropriate derogation applies, in order to comply with the requirement under Article 46 of the UK GDPR to provide "appropriate safeguards" for personal data transferred from the UK to countries which are not covered by the UK’s “adequacy regulations”.

Fortunately, there is no immediate rush to transition to the new documentation: there's a grace period, so the old SCCs can be used for new arrangements (for the UK only) until 21 September 2022, but all transfers based on the old SCCs must be transitioned to the IDTA or Addendum by 21 March 2024. However, organisations subject to both the EU GDPR and the UK GDPR, looking to harmonise their contractual approach to restricted transfers and achieve efficiencies by doing everything in "one hit", should be mindful of the 27 December 2022 deadline under the EU GDPR for transitioning legacy arrangements to the new EU SCCs. Whilst there may be specific circumstances where it is appropriate, we would also query why, regardless of the grace period, an organisation would use the old SCCs, when the IDTA and Addendum are available (as these arrangements would then require re-papering unless they expire or are terminated prior to 21 March 2024).

In circumstances where you use these new transfer agreements, you will still need to undertake a risk-based assessment of the law in the relevant non-adequate third country and consider whether any additional safeguards are required to protect personal data in that third country, in accordance with the Schrems II judgment.

This briefing looks at the new transfer agreements and next steps to consider.

Background to Restricted Transfers under the UK GDPR

Controllers and processors subject to the UK GDPR can transfer personal data to a third country outside the UK, if:

an adequacy decision exists in relation to that country;
a suitable derogation exists which covers the circumstances of the transfer (e.g. occasional transfer for a number of limited purposes or where the data subject has given explicit, informed consent to the transfer); or
an appropriate safeguarding mechanism is used, such as standard contractual clauses or binding corporate rules, which helps to ensure that UK standards of personal data protection 'travel with the data'. When the European Commission published the old SCCs, it approved them for use in the EU which included, at that time, the UK.

The Schrems II case in 2020 established that standard contractual clauses alone were not necessarily sufficient to ensure adequate protection for data subjects and, consequently, it is now also necessary to undertake a transfer risk assessment assessing the law and practices of the country of export and, where appropriate, put in place supplementary measures to address any risks identified.

Adequacy

The good news is that personal data can be freely transferred between the UK and the EEA because the UK has recognised the EEA, and (for the time being at least) the European Commission has recognised the UK, as having 'adequacy', meaning equivalent levels of data protection. They have each made adequacy findings in respect of a number of other countries (see here the ICO's website for the list of countries covered by UK adequacy regulations). The UK government has also announced its intention to streamline its processes for making adequacy regulations in respect of further countries expeditiously.

In June 2021, the European Commission published its new Standard Contractual Clauses ("New EU SCCs") for the transfer of data outside the EEA (see our briefing on the New EU SCCs here). The New EU SCCs do not apply to transfers from the UK and so organisations subject to the UK GDPR have until now been left to use the old SCCs. The IDTA and Addendum replace the old SCCs and take into account UK GDPR, Brexit and the Schrems II case.

Recent clarification on what constitutes a Restricted Transfer

Are standard contractual clauses required for transfers to organisations established outside the UK that are already subject to UK GDPR?

Yes, they are. Under Article 3(2) of UK GDPR, companies established outside the UK that offer goods or services to people in the UK or monitor their behaviour are subject to the UK GDPR in respect of the relevant processing activities. Previously, the ICO took the view that the fact that importers were already subject to the UK GDPR meant that there was no need for additional safeguards. The ICO has changed its stance and recently confirmed that transfers to data importers that are subject to the UK GDPR under these long-arm jurisdiction provisions will be treated as restricted transfers that require additional protections using the new transfer tools. This approach is now consistent with the EU approach, which was recently confirmed by the European Data Protection Board.

What about transfers outside the UK within the same legal entity?

There is only a restricted transfer if personal data are transferred from one legal entity to another, so you will not need standard contractual clauses if for example you are transferring personal data to a branch or employee of the same legal entity located outside the UK.

The two options: the IDTA or the Addendum?

Organisations can choose between the IDTA and the Addendum, the consultation drafts of which we previously wrote about here.

The IDTA retains the same structure as the consultation draft, which includes standard clauses to use across all controller/processor scenarios and reflects the impact of Schrems II. Unlike the New EU SCCs, which are in modular format, the IDTA is an all-in-one (fairly lengthy) agreement and includes tables to be completed (often by way of tick-boxes) with details of the transaction. One drawback is that it does not deal with the Article 28 data processor clauses, but instead anticipates that these will be addressed via a linked agreement (such as a data processing agreement or services agreement). Although the mandatory provisions in the IDTA cannot be changed, in certain respects, the IDTA is more flexible than the New EU SCCs because of this baked-in concept of a linked agreement, which allows the incorporation of additional terms to reflect the commercial context, provided that they do not impinge upon the rights granted under the IDTA. For example, the audit provisions from the linked agreement will apply to the IDTA (e.g. stipulating timing and process measures for audit). The option for arbitration as an alternative dispute mechanism (whereas the New EU SCCs have mandatory jurisdiction and governing law clauses) and the fact that the IDTA is not confined to the transfer scenarios contemplated by the four modules of the New EU SCCs are further examples of the potential flexibility which the IDTA offers over the New EU SCCs.
The Addendum provides organisations with an alternative to the IDTA by amending the New EU SCCs for data transfers from the UK. Businesses operating across the UK and EU (including for intra-group transfers) will most likely prefer to use the Addendum over the IDTA. As an add-on to the New EU SCCs, introducing fairly limited changes simply to make them work for UK transfers, the Addendum shares the same advantages (it contains the Article 28 processing provisions) and constraints (the limited transfer scenarios) as the New EU SCCs. With less new text than the IDTA (also in tabular format), it is an attractive option for organisations that are already familiar with the New EU SCCs.

Expected further guidance from the ICO

The ICO has said that it will soon publish:

Clause by clause guidance to the IDTA and Addendum.
Guidance on how to use the IDTA.
Guidance on transfer risk assessments.
Further clarifications on its international transfers guidance.

What next?

The ICO appears to envisage that these transfer tools can be used straightaway notwithstanding the 21 March 2022 effective date, as it refers to them being "immediately of use". Nevertheless, there is sufficient time for an orderly transition to the new transfer agreements, as the old SCCs can be used until 21 September 2022 and legacy contracts do not need to be transitioned until 21 March 2024, provided the underlying processing operations remain unchanged and, importantly, the clauses ensure the transfer is subject to appropriate safeguards i.e. are compliant with Schrems II.

You can make preparations to transition to the new agreements in the following ways:

If you have not already done so, review and record all data processing activities, which involve restricted transfers by you, your processors or sub processors and the transfer mechanism on which they currently rely
Determine which of the IDTA or Addendum would better suit the transfers made by your organisation and start to create templates
Keep a look out for the new guidance from the ICO (and our briefings on the same)
Create an implementation strategy for new contracts: you are likely to want to prioritise these in view of the 21 September 2022 cut-off, after which you will no longer be able to use the old SCCs for new arrangements.
Triage existing contracts based on the old SCCs to assess the best time to transition, watching out for renewal dates as an opportunity to update. Other factors to consider are:
- do you need to comply with an existing contractual obligation to update to the new transfer mechanism?
- does the arrangement also involve restricted transfers subject to the EU GDPR which will need updating prior to 27 December 2022?
- will the restricted transfer continue beyond 21 March 2024? If not, no further action may be required - subject to the point below about changes which occur in the meantime to the processing activity
- is the processing activity due to change? If so, you should treat it in the same way as a new transfer from the point the change comes into effect
Remember that, regardless of the tool that you choose to use - the IDTA, the Addendum or (for the time being only) the old SCCs - you will still need to undertake a Schrems II transfer risk assessment before any transfer is made.