What’s this all about?
The UK’s international data transfer instruments are now in force, which this article looks at in brief.
EU GDPR regulates international data transfers, which can only be made in certain ways and subject to various conditions. EU Standard Contractual Clauses (“SCCs”) have been a widely used data transfer instrument for data transfers from the EU. In 2021 new SCCs came into force, i.e. replacing the pre-2021 EU SCCs.
Following Brexit, the UK is no longer part of the EU. UK GDPR has replaced EU GDPR for the UK – UK GDPR (along with the UK Data Protection Act 2018) regulates international data transfers (known as “restricted transfers”). The UK has accordingly had to develop its own legal international data transfer instruments, which consist of: the International Data Transfer Agreement (“IDTA”); and, the Addendum to the 2021 EU SCCs.
Generally-speaking and put in very simple terms, the IDTA is for use solely for data transfers from the UK whilst the Addendum is for use (as voluntarily chosen by the parties involved) for data transfers from both the UK and the EU (but read the Addendum carefully to make sure that it does apply to your situation).
Those Dates In Full
There are a number of important dates concerning the new UK data transfers instruments regime that need to be borne in mind as follows:
- 21 March 2022 = the IDTA and the Addendum entered into force;
- 21 March – 21 September 2022 = data transfers using the pre-2021 EU SCCs (i.e. as concluded before 21 September 2022) will continue to be valid until 21 March 2024 (unless the underlying data processing operations change before this latter date) – reliance on the pre-2021 EU SCCs is a question of choice on the part of the parties involved, i.e. the IDTA and the Addendum (whichever applies) can be used if the parties so wish instead;
- 22 September 2022 onwards = it will be mandatory for organizations in the UK to use the IDTA and the Addendum (whichever applies) for new data transfers from the UK (i.e. transfers starting on 22 September 2022); and,
- 21 March 2024 onwards = it will be mandatory for organizations in the UK who have been using the pre-2021 EU SCCs (i.e. as entered into either on or before 21 September 2022 included) to change over and use the IDTA or the Addendum (whichever applies).
Do your Schrems due diligence!
Whether the IDTA is being used or the pre-2021 SCCs are being used or the 2021 EU SCCs are being used you must undertake so-called Schrems due diligence, i.e. you have to check whether protections available under EU GDPR or UK GDPR (whichever applies) are equivalent in the country to where personal data will be sent to and if the result of the due diligence is that there are concerns in this regard then consideration must be given to putting in place appropriate contractual, technical or organizational measures to address those concerns; in UK terms this due diligence is called a “transfer risk assessment”.
What about guidance?
In due course the UK’s ICO will be issuing the following guidance about data transfers from the UK:
- Clause by clause guidance to the IDTA and Addendum;
- Guidance on how to use the IDTA;
- Guidance on transfer risk assessments; and,
- Further clarifications on international transfers guidance.
The publication date for all of this guidance is still unknown.
Organizations should consider setting aside time and resources to deal with these new UK data transfer instruments and the eventual guidance in order to be able to get fully to grips with this new UK regime.
We have written about data transfers extensively, including here https://www.corderycompliance.com/datatransfer-eutous/, here https://www.corderycompliance.com/uk-idta/, here https://www.corderycompliance.com/edps-on-data-trf-compliance/, here https://www.corderycompliance.com/edpd-guidance-international-data-transfers/, here https://www.corderycompliance.com/eu-new-sccs-for-idts/, here https://www.corderycompliance.com/german-dpas-start-dt-enforcement/, here https://www.corderycompliance.com/cnpd-enforces-schrems3/, and here https://www.corderycompliance.com/eu-dpa-decisions-approved/
We report about data protection and privacy issues here https://www.corderycompliance.com/category/data-protection-privacy/.
The new UK data transfer instruments can be found here https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
|André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
|Office: +44 (0)207 075 1784
|Office: +44 (0)207 075 1785