The new mechanism, known as the International Data Transfer Agreement (IDTA) is accompanied by an international data transfer addendum to the European Commission’s own standard contractual clauses for international data transfers (Addendum) and supported by transitional arrangements. The changes follow on from a consultation on international transfers of personal data undertaken by the Information Commissioner’s Office in 2021.
The IDTA seeks to incorporate measures to protect personal data being sent from the UK to jurisdictions which, without the IDTA’s measures in place, would otherwise not provide the personal data with adequate protection. The safeguards contained within the IDTA will allow legitimate data transfers to countries outside the UK. The development of the IDTA and the supporting Addendum form part of the UK’s wider aims to assist international transfers, including supporting the UK Government’s approach to adequacy agreements with other countries.
Legal bases for carrying out international data transfers
When it comes to the transfer of personal data out of the UK, there are a number of bases on which your organisation can rely. Until now, Standard Contractual Clauses (“SCCs) were the most commonly used mechanism.
SCCs are the tool originally created by the European Commission for use when organisations in EEA Member States transfer personal data to other countries. The European Commission updated its SCCs in 2021. The new SCCs must be used in place of the old SCCs for all transfers of personal data made from the EEA from 27 September 2021. All international data transfer agreements made under the old SCCs before that date must be updated and governed by the new SCCs by 27 December 2022.
Upon leaving the EU, the UK continued to allow international data transfers under the old EU SCCs. However, it was clear that the UK required to create its own version. As a result, the IDTA has been developed along with the Addendum. The Addendum allows the new EU SCCs to apply to UK data transfers where the data transfer is part of a larger coordination of data transfers in respect of which EU law applies. The Addendum operates alongside the new EU SCCs by applying non-controversial amendments to adapt the new EU SCCs to allow them to be used for transfers of personal data from the UK.
What does this mean for affected organisations?
The IDTA and the Addendum, came into effect from 21 March 2022. However, the ICO has stated that organisations “may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. All contracts on the basis of the old EU SCCs will continue to provide ‘appropriate safeguards’ for the purpose of UK GDPR, until 21 March 2024. From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or its Addendum or find another way to make the restricted transfer under the UK GDPR.”
This transitional period will only apply to restricted transfers of personal data out of the UK. Where an organisation has a restricted transfer agreement out of both the UK and the EEA, the transitional period provided by the ICO will only apply to the restricted transfer in relation to the UK. The EEA restricted transfer will be subject to the 27 December 2022 deadline that the EU set.
What to do now?
Going forward, all organisations that may be affected by the IDTA should review their international data transfer processes and consider the way in which any such existing and new data transfers are documented. Any new agreements involving data transfers from the UK will need to use the IDTA or the Addendum after 21 September 2022.
If you require advice in relation to international data transfers and the IDTA, please contact a member of our specialist Data Protection & Cyber Security team.
This article was co-written by Maya Allen, Trainee Solicitor.