United Kingdom Unveils New Processes for International Data Transfers

by Max Landaw

On January 28, 2022, the United Kingdom (UK) Information Commissioner’s Office (ICO) presented before the UK Parliament two new sets of data protection clauses that are to replace the European Union’s (EU) Standard Contractual Clauses (SCCs) as a transfer mechanism for the international transfer of UK data subject personal data. One set is called the International Data Transfer Agreement (IDTA), which is a standalone set of clauses to use for international data transfers from the UK. The other is called the International Data Transfer Addendum to the new European Commission SCCs (Addendum), which can be tacked on to the current version of the EU SCCs when both UK and EU personal data are transferred internationally.

The Court of Justice of the European Union’s (CJEU) rendered judgment in the Schrems II case on July 16, 2020, invalidating the EU-US Privacy Shield as a suitable mechanism for international transfers of personal data from the EU to the United States.  In the wake of that decision, the EU drafted a new set of SCCs on June 4, 2021, which have been used since for international data transfers from the EU.  However, the ICO did not accept the new SCCs as suitable for international data transfers from the UK.  Rather, the ICO allowed the “old” SCCs in place prior to June 4, 2021, in the EU to remain as a suitable transfer mechanism.  

This has posed an issue for many contractual arrangements, particularly vendor contracts in third countries without an adequacy decision involving transfers of personal data from the EU and the UK to the United States.  Such agreements have necessitated use of both the new and old SCCs to comply with the respective EU and UK GDPR obligations, even though both laws are very similar.  With the unveiling of the IDTA and the Addendum, the UK is for the first time breaking away from the EU with their own set of clauses for international transfers.  The Addendum is a welcome change for vendor contracts that anticipate international data transfers, as the Addendum can complement current EU SCCs, avoiding redundancies and potential confusion around data privacy terms and data subject rights.

The IDTA and Addendum may be used starting March 21, 2022, assuming there are no objections from Parliament, and none are expected so far.  The ICO has also given guidance that companies may use the old EU SCCs until September 21, 2022, and that any contracts that relied on the old EU SCCs are sufficient for the purposes of UK GDPR until March 21, 2024.  After March 21, 2024, only the IDTA and the Addendum may be used for international transfers from the UK.  

While March 21, 2024, seems far away, companies that engage in data transfers from the UK should keep in mind that vendor contracts can have terms that last multiple years, well into 2024 and beyond.  Rather than scramble to update and amend these contracts near the deadline, it would be wise to start preparations for implementing the IDTA and/or the Addendum shortly after March 21, 2022.  Data processing addenda (DPA) should also be reviewed to make sure that references to any “UK SCCs” are updated to refer to the IDTA and Addendum and any successor set of clauses from the ICO.

Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.