The UK’s new international data transfer mechanisms – the International Data Transfer Agreement ("IDTA") and the International Data Transfer Addendum (the "Addendum") – were introduced in March 2022. Organisations should be reminded that, unless other grounds for an international transfer apply, contracts involving the international transfer of personal data from the UK entered on or after 22 September 2022 must use one of these new mechanisms.
The UK General Data Protection Regulation ("UK GDPR") prohibits UK organisations from exporting personal data to countries which do not ensure an adequate level of protection unless an exception applies.
To date, the most commonly used exception has allowed transfers to be made by UK organisations if they enter into EU Standard Contractual Clauses ("EU SCCs") with the importing party. The EU SCCs, the use of which were endorsed by the UK following Brexit, require the data importer to provide adequate safeguards that ensure an equivalent level of data protection to the UK GDPR. The European Commission introduced new SCCs in 2021 ("New EU SCCs") which replace the previous SCCs which date back to 2010 and earlier.
What do the new mechanisms mean for UK organisations?
The IDTA and the Addendum replace the old EU SCCs. This means that UK organisations can use either (i) the IDTA or (ii) the Addendum with the New EU SCCs when making restricted international data transfers from the UK that comply with the UK GDPR.
UK data exporters can no longer use the old EU SCCs for all new transfers. This is because since the 22 September 2022, the IDTA and Addendum are the only mechanisms organisations can use to make new international data transfers from the UK.
Since 22 September 2022 new international data transfers from the UK must either be based on:
- the IDTA; or
- the Addendum to the New EU SCCs.
Until 21 March 2024, contracts concluded on or before 21 September 2022 for international data transfers from the UK which are based on the old EU SCCs will remain valid, provided:
- the processing operations that are the subject matter of the contract remain unchanged; and
- reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
From 22 March 2024, the old EU SCCs will no longer be deemed to provide appropriate safeguards for UK GDPR purposes and all contracts that use them for UK international data transfers will need to be amended or replaced to use the IDTA or the Addendum.
In summary, for personal data transfers from the UK:
- Since 22 September 2022, organisations should ensure all new contracts use either the IDTA or the Addendum.
- until 22 March 2024, and provided data processing operations do not change for data transfers from the UK, organisations will not need to amend their existing contracts which rely on the old EU SCCs. Organisations should, however, take steps to review their existing contracts and transition from the old EU SCCs in an orderly manner so they are not left scrambling around to amend contracts in March 2024.
Organisations should also not forget that they should conduct a transfer risk assessment before transferring personal data from the UK and implement additional safeguards to manage or mitigate any risks identified.
Should you require any advice or assistance with the international transfer of personal data, please contact a member of our Data Protection and Cyber Security team.
This article was co-written by Ussamah Nasar, Trainee Solicitor.