Data transfer news
After the UK’s departure from the EU, the new Information Commissioner and the UK Government have taken the next steps to separate UK GDPR from its EU origins.
On Friday 28 January 2022, the Department for Culture, Media and Sport (DCMS) laid the following documents before Parliament:
- International Data Transfer Agreement (IDTA)
- International Data Transfer Addendum to the European Commission’s standard contractual clauses (the Addendum)
- Document setting out transitional provisions as to the use of the current standard data protection clauses for international transfers
This is a significant development for organisations that do, or intend to, transfer personal data outside of the UK.
The IDTA and Addendum are a new set of standard contractual clauses which will replace the EU standard contractual clauses currently being used to facilitate international transfer of personal data, and the IDTA is part of the wider UK package to assist international transfers.
The background
The UK GDPR prohibits transfers of personal data outside of the UK (a Restricted Transfer). Under the UK GDPR, organisations within the UK (Exporters) cannot make a Restricted Transfer unless:
- the DCMS has made an adequacy decision for the relevant country that allows transfer of personal data to that country (Article 45 of the UK GDPR). There are currently adequacy decisions in place for the member states of the European Union, member states of EFTA, Gibraltar, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay; or
- if there is no adequacy decision for the relevant country, there is an appropriate safeguard in place as set out in article 46 of the UK GDPR. One such safeguard set out in article 46 of the UK GDPR is that Exporters may use standard data protection clauses issued by DCMS pursuant to section 17C of the Data Protection Act 2018.
The current position and ICO consultation
Currently, UK data exporters continue to rely on the standard contractual clauses issued by the European Commission back in 1995 (the Old EU SCCs).
Whilst the EU published new standard contractual clauses in 2021 (the New EU SCCs), these are not in force in the UK as they were published post-Brexit.
The IDTA – what are they and when to use them?
Following a consultation by the Information Commissioner, DCMS has now published the final form IDTA and laid it before Parliament.
The IDTA are a new set of standard contractual clauses which will replace the use of the Old EU SCCs by UK data exporters. These are designed as standard contractual clauses which are to be used when making a Restricted Transfer (where there is no adequacy regulation in place for the recipient country). They also take into account the European Court of Justice’s judgment in Schrems II on transfers to the US (see below for further details).
The ICO deem that the provisions of the IDTA contain appropriate safeguards for the transferred data and ensure that the transferred data enjoys similar protection to that given to personal data by the UK GDPR, including effective and enforceable data subject rights.
They are potential options to be used when Exporters wish to perform a Restricted Transfer to a recipient country which does not benefit from an adequacy regulation and are entered into by the Exporter and the recipient organisation.
The Addendum – what is it and when to use it?
In addition to the IDTA, the DCMS have also published the Addendum, which is an alternative option to the IDTA and designed to work alongside the New EU SCCs so as to make them work in the context of Restricted Transfers from the UK. These may, in particular, be attractive to multi-national Exporters who are familiar with the New EU SCCs and routinely use these (such as pan-European organisations who have a presence in the UK but transfer data from the UK and outside the EU).
Again, the ICO deem that the provisions of the Addendum together with the New EU SCCs contain appropriate safeguards for the transferred data and are another potential option to be used when Exporters wish to perform a Restricted Transfer to a recipient country which does not benefit from an adequacy regulation, and are entered into by the Exporter and the recipient organisation.
Beware! The IDTA or Addendum alone will not suffice – risk assessment
The European Court of Justice’s judgment in Schrems II stated that relying on standard contractual clauses such as the EU SCCs or the IDTA alone would not be enough to ensure adequate protection when performing a Restricted Transfer. Whilst a judgment of the ECJ, it remains binding on the UK. Therefore, before making a Restricted Transfer Exporters must also consider the legal context in the recipient country and make an assessment of the level of protection provided by the standard contractual clauses (such as the IDTA) in the destination country. Where the laws of the destination country (or state) do not provide adequate protection, the use of the IDTA is not enough, and the data exporter must not transfer the data.
When consulting on the IDTA, the ICO also consulted on a Transfer Risk Assessment Tool (TRA) and produced a draft TRA to assist Exporters in their risk analysis. Following the consultation, neither the ICO nor DCMS have confirmed whether the TRA will be published and further news is awaited (although there is no requirement for this document to be laid before Parliament and therefore it may well be the case that the TRA will be published in due course).
Guidance
When consulting on the IDTA, the ICO also consulted on updating its guidance in relation to international transfers, but have not yet published such updated guidance. The ICO have indicated that they are developing additional tools to provide support and guidance to organisations which will be published soon, including:
- Clause by clause guidance to the IDTA and Addendum
- Guidance on how to use the IDTA
- Guidance on transfer risk assessments
- Further clarifications on our international transfers guidance
What next?
On the assumption that there is no Parliamentary objection to the documents (which we believe to be unlikely given Parliament has other priorities at the moment), the documents will lay before Parliament for a period of 40 days, after which they will come into force on 21 March 2022. However, the ICO state that the documents are “immediately of use to organisations transferring personal data outside the UK, subject to the caveat that they come into force on the 21 March 2022.” This suggests that Exporters can start to use the IDTA immediately.
The DCMS have also published transitional provisions that provide guidance as to Exporters’ transition from the EU SCCs to the IDTA. In short, this means that where an Exporter seeks to rely on standard contractual clauses for Restricted Transfers:
- where contracts for the Restricted Transfer are concluded on or before 21 September 2022, the Exporter may rely on either:
  - the Old EU SCCs but must replace the EU SCCs with the IDTA before the 22 March 2024;
  - the IDTA; or
  - the Addendum and New EU SCCs;
- where contracts for the Restricted Transfer are concluded after 21 September 2022, the IDTA or the Addendum and New EU SCCs must be used.
Data transfer timescales
The timescales are illustrated in the below table:
| Type of transfer | Clauses relied on | Up to and including 21 September 2022 | From 22 September 2022 to 21 March 2024 | From 22 March 2024 |
|---|---|---|---|---|
| "New" international data transfers that commence during the relevant period listed in the table headings | Old EU SCCs | Where contract is concluded on or before 21 September 2022 can use Old EU SCCs and can continue to be used for that contract until 21 March 2024 – BUT MUST BE REPLACED WITH IDTA BY 22 MARCH 2024. | Where contract is concluded on or after 22 September 2022 CANNOT use Old EU SCCs and must use IDTA or the Addendum. | Where contract is concluded on or after 22 September 2022 CANNOT use Old EU SCCs and must use the IDTA or the Addendum. |
| | IDTA OR Addendum (with New EU SCCs) | Can be used. | MUST be used. | MUST be used (including for those where contract concluded prior to 22 March 2024 if they rely on Old EU SCCs). |
| International data transfers where contracts concluded prior to 22 September 2022 | Old EU SCCs | Where contract is concluded on or before 21st September 2022 can use Old EU SCCs (or IDTA or Addendum) – BUT MUST BE REPLACED WITH IDTA OR ADDENDUM BY 22 MARCH 2024. | Where contract relies on the Old EU SCCs and was concluded before 22 September 2022, then those Old EU SCCs can continue to be used for that contract PROVIDED THAT the processing operations that are the subject matter of the contract remain unchanged and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards. HOWEVER MUST BE REPLACED BY THE IDTA OR THE ADDENDUM BY 22 MARCH 2024. | The Old EU SCCs used in the contract MUST be replaced by the IDTA or the Addendum by 22 March 2024. |
| | IDTA OR Addendum (with New EU SCCs) | Can be used. | Can be used. | MUST be used for all international data transfers (including those that exist prior to 22 March 2024 if they rely on Old EU SCCs). |
Key points
- Consider and map out your current and proposed future international data transfers – where are you transferring to (e.g. does the country benefit from an adequacy regulation or not) and do you have a lawful basis under the UK GDPR to perform the international transfer?
- For international data transfers to countries which do not have an adequacy decision, do you need to undertake an analysis of the legal context in the recipient country and make an assessment of the level of protection provided by the standard contractual clauses (such as the IDTA) in the destination country?
- Consider the contractual arrangements you have in place and will need in place in the future
- Do you currently use the Old EU SCCs? If so, you will need to consider and plan future arrangements, including whether to move on to the IDTA or the Addendum and New EU SCCs
How Blake Morgan can help
Our data protection experts work with businesses and organisations to help them navigate these issues. Should your organisation suffer a data breach, then Blake Morgan’s expert data protection lawyers can assist with your response – from determining whether the breach needs to be reported to the ICO or notified to data subjects and practical steps to take in response to the breach to dealing with claims for compensation as a result. Contact us at [email protected] for specific advice and support.