Last year the UK issued proposals concerning international data transfers from the UK (which we reported on here https://www.corderycompliance.com/uk-consultation-scc-idta/). The International Data Transfer Agreement (IDTA) and related materials have now been published and, if all goes according to plan, will become law in March 2022. This article looks at this latest development in brief.
What’s this all about?
Under EU GDPR, international data transfers can only be made in certain ways and subject to various conditions. These include relying on country Adequacy Decisions (see here for our article about the EU’s Adequacy Decisions for the UK https://www.corderycompliance.com/eu-dpa-decisions-approved/), Binding Corporate Rules, and, probably the most relied on mechanism by organisations, Standard (Model) Contractual Clauses (SCCs). In sum, SCCs consist of a contract entered into between a data exporter and a data importer that imposes certain data protection obligations on both parties.
Following Brexit, the UK is no longer part of the EU. UK GDPR has replaced EU GDPR for the UK – UK GDPR (along with the UK Data Protection Act 2018) regulates international data transfers (so-called restricted transfers). The new EU 2021 SCCs (which we’ve made a film about here https://www.corderycompliance.com/new-eu-sccs/) only apply to data transfers from the EU/EEA. Accordingly the UK has had to develop its own legal international data transfer instrument, i.e. the UK’s own SCCs, namely the IDTA.
What are the highlights?
On 28 January 2022 the IDTA was officially put before the UK Parliament along with the so-called International Data Transfer Addendum to the European Commission’s SCCs, and Transitional Provisions.
The upshot is that data exporters will be able to use the IDTA or the Addendum as an international data transfer tool to comply with Article 46 of UK GDPR when making restricted transfers.
The IDTA and Addendum replace the current SCCs for international data transfers and they take into account the due diligence requirements of the so-called Schrems ruling of the European Court of Justice (which we reported on and made a film about here https://www.corderycompliance.com/ecj-rules-scc-valid-not-ps/).
It is worth noting that the Transitional Provisions state that “Contracts concluded on or before 21 September 2021 on the basis of any Transitional Standard Clauses shall continue to provide appropriate safeguards for the purpose of Art 46(1) of the UK GDPR until 21 March 2024, provided that the processing operations that are the subject matter of the contract remain unchanged and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.”
Parliament must give its approval, but if no objections are raised, the IDTA, the Addendum and the Transitional Provisions come into force on 21 March 2022.
The ICO will publish the results of the consultation in due course. The ICO is also developing and will in due course also publish the following additional tools to provide support and guidance to organisations:
- Clause by clause guidance to the IDTA and Addendum;
- Guidance on how to use the IDTA;
- Guidance on transfer risk assessments; and,
- Further clarifications on the international transfers guidance.
What are the takeaways?
The materials are detailed and complex, so organisations should consider setting aside time and resources to get fully to grips with them, bearing in mind the expected entry into force date of 21 March 2022. Note also that, according to the ICO, “These documents are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval”.
We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The IDTA, Addendum and Transitional Provisions can be found here https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785