As we reported in August the ICO consulted on UK plans for transfers of personal data from the UK, see here. The consultation closed on 11 October 2021 and we have been waiting since then for concrete plans to be laid before Parliament.
Finally, on 28 January 2022 the Secretary of State laid before Parliament the documents known colloquially as the new UK Standard Contractual Clauses (SCCs), namely:
- the new UK specific international data transfer agreement (IDTA) (i.e. a totally bespoke transfer mechanism for ex UK transfers only)
- the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum) (i.e. a way for UK companies to use the “new” EU SCCs for UK transfers), and
- a document setting out transitional provisions.
These documents are issued under section 119A of the Data Protection Act 2018. Their purpose is to meet the requirements of Article 46 UK GDPR when there is a restricted transfer of personal data from the UK, i.e. to a non-adequate third country. As long as there are no objections, these documents will come into force on 21 March 2022. That said, the ICO has stated that:
“These documents are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval”.
Given that these documents are part of the UK government’s wider proposals to reform data protection, bringing international transfers into line with the aims of the National Data Strategy, i.e. less burdensome to business and less of a barrier to innovation, no Parliamentary objections are expected.
There is a transitional arrangement in place allowing for the old EU SCCs to be relied on for any contracts concluded prior to 21 September 2022 (yes there is a typo in the transitional provisions document which states “21 September 2021” although the ICO have confirmed this will be corrected) where “the processing operations that are the subject matter of the contract remain unchanged and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards” and these will remain valid until 21 March 2024.
Additional tools and further guidance are to follow, including further clarification on the ICO’s international transfers guidance and transfer risk assessments.
While UK exporters will welcome the clarification many may already have taken a decision to go with the Addendum approach, as this is the most straightforward way to legitimise UK restricted transfers. This is a highly pragmatic approach from the ICO, which no doubt has one eye on ensuring continued compliance with the UK adequacy decision from the European Commission.
However, as both the IDTA and the Addendum are recognised by the ICO as valid transfer mechanisms, it will be interesting to see whether a preference is adopted across the market. Although both the IDTA and the new EU SCCs contain comparable obligations, there are some key differences. For example, the IDTA is not intended to satisfy the requirements of Article 28 whereas the new EU SCCs do. Further, it appears it will only be on the data exporter to carry out a risk assessment in respect of the transfer under the IDTA whereas under the new EU SCCs this is a joint obligation on both data exporter and importer. There are certainly pros and cons for each approach so if you are sitting there wondering which will be the best for my organisation to use, we suspect (as with all good questions) the answer will no doubt start with…it depends!
“The IDTA and Addendum are written with the aim of helping organisations ensure they have the correct protections in place when transferring people’s data outside of the UK to countries not covered by adequacy decisions. Applying high standards of data protection to global data flows is essential in maintaining people’s trust in this eco system.”