The UK has finalised a new International Data Transfer Agreement to be used for transfers of personal data abroad. Simultaneously, an addendum to the EU Standard Contractual Clauses, currently used for such transfers in the UK, has also been laid before Parliament. Both will come into force for use in the UK from 21 March 2022.
Transferring personal data from the UK to another country is known as a restricted transfer. It is only permitted in certain circumstances, including where an adequacy decision has been granted in favour of that other country by the UK, i.e. that country’s privacy laws provide an adequate level of protection (this applies for all countries of the EEA, New Zealand, Canada and Switzerland, among others), or where a safeguarding mechanism in the form of a data transfer agreement has been put in place between the companies sending and receiving the personal information.
In the UK, an old form of EU Commission-approved Standard Contractual Clauses (“SCCs”) is currently used as such a transfer mechanism, however the new documents before Parliament will mean that this changes going forward.
Data controllers will now have two options of contractual document to implement to ensure personal data is protected:
1. International Data Transfer Agreement (“IDTA”): a new agreement to be executed between the relevant parties. This is generally said to be a more user-friendly document than the EU SCCs, is wider in scope, and is likely to be preferable.
2. International Transfer Addendum to the EU SCCs (“UK Addendum”): to be entered into in addition to the existing EU SCCs. This is likely to be the preferred option where a business wishes to transfer personal data from both the UK and the EU to the rest of the world.
• Existing agreements: Fortunately, organisations relying on existing contracts which adopt the EU SCCs, have until 21 March 2024 to implement their new preferred mechanism of protection, provided the processing operations remain the same during this time.
• New agreements: For any new contracts concluded on or after 21 September 2022, between a UK entity and another from abroad, the UK Addendum or the UK IDTA must be used.
• After 21 March 2024, the old EU SCCs on their own will no longer be valid.
Whichever mechanism is used, organisations must additionally consider how safe the transfer is in reality. Due diligence in the form of a transfer impact assessment should be undertaken. Concerns have previously been raised in particular in relation to transfers to the US.
If you would like our advice in relation to transfers of personal data abroad, or implementing a suitable transfer mechanism for your data transfers, please get in touch.
Madeleine Rhodes email: MRhodes@redfernlegal.com