On 21 March 2022, new rules came into force regarding personal data transfers to countries outside the UK. If your organisation is transferring personal data to countries that do not have an adequate level of data protection, then you will need to start making plans to adhere to the new rules.
On 21 March 2022, new rules came into force regarding personal data transfers to countries outside the UK. If your organisation is transferring personal data to countries that do not have an adequate level of data protection, then you will need to start making plans to adhere to the new rules.
BACKGROUND
UK GDPR and the UK Data Protection Act 2018 require the implementation of appropriate safeguards when transferring personal data outside the UK to jurisdictions which have not been certified as having an adequate level of data protection. For example, Australia, USA and India are not covered by the UK’s adequacy regulations. One of the appropriate safeguards that can be used is standard contractual clauses (“SCCs”), a very common data transfer mechanism.
For a data transfer to be lawful the data exported must ensure that adequate safeguards are put in place in respect of that personal data. SCCs are standard data protection clauses containing obligations on the data exporter and the data importer (i.e. the receiver of the personal data), which provide for rights and effective legal remedies for the individuals whose personal data is being transferred. Where used appropriately, SCC’s can provide ‘adequate safeguards’ and can therefore be used as a lawful basis for transfer.
POSITION PRIOR TO BREXIT
Prior to the implementation of the EU GDPR the European Commission had issued two sets of controller to controller transfer standard contractual clauses and one set of controller to processor standard contractual clauses.
These EU SCC’s could be used by organisations within the EU when transferring their data to other jurisdictions. Whilst the UK was part of the EU, UK organisations could therefore benefit from the protection afforded by adopting the appropriate EU SCCs and many did so.
POSITION IMMEDIATELY FOLLOWING BREXIT
Following the UK’s exit from the EU the situation became more complicated.
The UK Information Commissioner (who is the authority responsible for ensuring the security of personal data in the UK) confirmed that the EU SCC’s issued prior to the end of the transition period could still be used for the purposes of data transfers from the UK.
However, on 21 June 2021 the EU Commission issued new SCC’s which provided clauses not only for controller to controller and controller to processor transfers but also processor to sub-processor transfers. These new SCC’s were also drafted to take into account the requirements of the EU GDPR.
The new EU SCC’s were not approved for use for data transfers from the UK by the UK Information Commissioner. Accordingly, the position was that whilst UK organisations could still rely on the old EU SCC’s (and could enter into new contracts incorporating those old EU SCC’s) they could not rely on the new EU SCC’s for data transfers from the UK.
Whilst the old EU SCCs continued to be valid for data transfers under the UK Data Protection Laws they were generally not considered fit for purpose as they were developed before the introduction of the EU GDPR in May 2018, and there were no processor to sub-processor clauses.
NEW DOCUMENTS
The UK has introduced 2 new documents (“New Documents”) to replace the old EU SCCs comprising of an ‘International Data Transfer Agreement’ and an “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses”
INTERNATIONAL DATA TRANSFER AGREEMENT
The International Data Transfer Agreement (“IDTA”) is the UK’s answer to the new EU SCC’s. It can be executed as a standalone agreement to accompany the main commercial agreement between the data exporter and the data importer and is designed to ensure compliance with the UK Data Protection Laws. This means the IDTA can only be used in the context of data transfers subject to the UK Data Protection Laws (i.e. not the EU GDPR – which requires the parties of the agreement to use the new EU SCCs). The IDTA expressly covers controller to controller, controller to processor and processor to sub-processor transfers and is more straightforward than its European equivalent.
Where you are sending personal data outside the UK to a country which is not subject to a finding of adequacy (known in the UK as an adequacy regulation) the IDTA’s provide a useful mechanism.
INTERNATIONAL DATA TRANSFER ADDENDUM TO THE EUROPEAN COMMISSION’S NEW SCCS
The Addendum to the new EU SCCs (which were introduced on 4 June 2021) allows organisations subject to both the UK Data Protection Laws and the EU GDPR to conduct international data transfers without needing to execute a new, separate agreement in respect of the UK. The Addendum was required because the new SCCs alone do not provide appropriate safeguards for transfers out of the UK.
In summary, organisations can now transfer personal data outside of the UK by signing either the IDTA or the Addendum with the new EU SCCs. There is a transition period for legacy contracts and data transfers so the key dates to keep in mind are below.
KEY DATES
- From 21 March 2022, organisations can rely on the New Documents for international data transfers subject to the UK Data Protection Laws.
- Organisations enter into agreements which rely on the old EU SCCs for international data transfers subject to the UK Data Protection Laws until 21 September 2022.
- On and from 22 September 2022, organisations must use the New Documents for any new arrangements for international data transfers subject to the UK Data Protection Laws
- Any existing agreements that use the old EU SCCs will be valid until 20 March 2024.
- On and from 21 March 2024, any existing agreements (including those which use the old EU SCCs) will need to enter a contract on the basis of the New Documents.
WHAT DO WE NEED TO DO?
Organisations are encouraged to review their data flows and any current agreements which relate to the transfer of personal data between jurisdictions.
If it is identified that data transfers are taking place without any consideration having been given the lawful basis for those transfers, we would encourage you to think carefully about the lawful basis for the transfer and to ensure adequate safeguards are put in place. In a large number of cases this will mean entering into IDTAs.
Where you already have agreements in place which govern the transfer of personal data you should review these now so as to determine whether EU SCCs are relied upon and whether it is appropriate to amend the agreements at this stage so as to now adopt the IDTAs
We appreciate this is a complex area but have a team of highly skilled experts who are very happy to help you work through the various lawful basis so as to ensure you have in place a lawful basis which works for your business and your data transfers.
For more information, please contact a member of the Intellectual Property team at Howes Percival.
