New UK standard contractual clauses to enable the transfer of personal data from the UK internationally come into effect on 21st March 2022.
The UK GDPR regulates the transfer of personal data to countries outside of the UK or to international organisations unless the receiver of the personal data is located within a third country, territory or international organisation covered by a UK “adequacy decision” (where the UK considers the legal framework in that country, territory or international organisation provides adequate protection for individuals' rights and freedoms for their personal data).
Before personal data is sent to a country that isn't covered by an adequacy decision (for example, the United States), appropriate safeguards must be put in place before the transfer of personal data is made.
An appropriate safeguard would be before the transfer of personal data is made, the person making the transfer and the recipient entering a contract that incorporates standard data protection clauses recognised or issued under the UK GDPR (known as standard contractual clauses, SCCs or model clauses) before the transferring of data can be made.
Why have updates been made?
Following Brexit, organisations in the UK that wish to transfer personal data from the UK must use the old EU standard contract clauses (the Old EU SCCs).
However, recent developments in data protection law throughout Europe, as well as the outcome of the Schrems II case, have prompted the European Commission to create a new set of standard contract clauses in 2021 (the New EU SCCs) for use by businesses wanting to transfer personal data from the EU and therefore the Information Commissioner's Office (ICO) has been considering its own approach to data protection to address such issues.
New UK SCC's
The ICO released new data protection rules on 28th January 2022. This was part of its International Data Transfer Agreement (IDTA) and International Data Transfer Addendum (UK Addendum). The IDTA and the UK Addendum form part of the UK's process of developing its own data protection regime after Brexit.
The IDTA and UK Addendum include new data protection provisions for businesses making restricted transfers under the UK GDPR and the Data Protection Act 2018, which will come into force on 28th March 2022 (as long as Parliament does not object).
However, transfer arrangements in the UK that use the Old EU SCCs ended before 21st September 2022 will continue to be valid until 21st March 2024 (unless the underlying processing operations change before such date).
Therefore, after 21st September 2022:
- for new arrangements – organisations must use the IDTA or the UK Addendum (as appropriate); and
- for existing arrangements – the Old EU SCCs must be replaced by 21st March 2024.
When should the UK Addendum be used?
The UK Addendum is to be used where the international transfers of personal data are subject to the EU GDPR and the UK GDPR. In this instance, the UK Addendum contains both terms to allow for the transfer of personal data from the UK and the New EU SCCs to allow for the transfer of personal data from the EU.
When should the IDTA be used?
The IDTA is an alternative to the UK Addendum and is intended to be used by UK-based organisations and only process personal data to which the UK GDPR applies.
Organisations making transfers of personal data from either the UK and/or the EU should consider the following steps:
- conduct a review of the organisation's contractual commitments and arrangements to identify:
- any new agreements where the use of the IDTA or the UK Addendum are required; or
- any existing agreements which require updating prior to 21st March 2024; and
- before making a transfer of any personal data, conduct a transfer risk assessment to identify whether supplementary measures are required before any transfer is made, i.e., whether the IDTA or UK Addendum are required within the appropriate agreements.
If you have any more questions or would like any more information regarding these changes, you can contact the Corporate Team at Myerson Solicitors.