In February, the Department for Digital, Culture, Media and Sport (‘DCMS’) placed before Parliament a proposed final text for the UK’s International Data Transfer Agreement (the ‘IDTA’), a related addendum and transitional clauses. The package came into force on the 21 March 2022, and is set to simplify the data protection requirements for transferring personal data outside the UK.
The IDTA is a new addition to the mechanisms which can be used to transfer data lawfully from the UK to ‘third countries’ - countries for which the UK has not issued adequacy decisions, such as the USA. Such transfers are known as ‘restricted’ transfers. Transfers between the UK and EU are not currently restricted, as both jurisdictions have issued adequacy decisions relating to the other.
Until recently, the most common mechanism for restricted transfers were Standard Contractual Clauses (or ‘SCCs’) – a set of prewritten clauses that could be inserted into the contract covering the data transfer (such as a hosting agreement). However, at the time of the UK’s withdrawal from the EU, the current SCCs were struggling to remain relevant due to their age (with the latest revisions having been made in 2010).
The IDTA itself shows promise as an updated, modern solution to enabling and governing restricted transfers. It covers all possible permutations of transfer between data controller and processor, and even accounts for transfers to processors handling the data on behalf of a third party – previously, the SCCs were only designed for controller-controller or controller-processor transfers. In a further push for clarity, the ICO also plans to release clause-by-clause guidance on the IDTA.
Two separate systems, and a unified answer
The IDTA represents a breath of fresh air and clarity for UK regulation. However, many organisations will need to consider both EU and UK GDPR variants when transferring data to third parties
Last year the EU introduced a revamped set of SCCs as its own update (about which our team has written previously here). This new clause set features many of the same use cases and updates as the IDTA, but is not applicable under the UK regime as it was introduced following the UK’s withdrawal from the EU.
For restricted transfers covered by both the EU and UK GDPR, organisations will instead want to consider the IDTA’s addendum clauses and new SCCs; the addendum is designed to sit on top of the SCCs, creating an agreement compliant with both GDPR versions.
Under UK law, organisations have until the 21 September 2022 to enter into agreements using the prior edition of the SCCs, and until the 21 March 2024 to stop using that edition entirely.
Under EU law, organisations had until the 27 September 2021 to enter into agreements using the prior edition of the SCCs, and until 27 December 2022 to stop using that edition entirely.
If you have any queries about the matters raised in this article, or would like to discuss your organisation’s data protection policies and agreements, you can contact James Cassidy at James.Cassidy@bevanbrittan.com or Alastair Turnbull at Alastair.Turnbull@bevanbrittan.com