27/04/2022

Background

In February, the Department for Digital, Culture, Media and Sport (‘DCMS’) placed before Parliament a proposed final text for the UK’s International Data Transfer Agreement (the ‘IDTA’), a related addendum and transitional clauses. The package came into force on the 21 March 2022, and is set to simplify the data protection requirements for transferring personal data outside the UK.

Purpose

The IDTA is a new addition to the mechanisms which can be used to transfer data lawfully from the UK to ‘third countries’ - countries for which the UK has not issued adequacy decisions, such as the USA. Such transfers are known as ‘restricted’ transfers. Transfers between the UK and EU are not currently restricted, as both jurisdictions have issued adequacy decisions relating to the other.

Until recently, the most common mechanism for restricted transfers were Standard Contractual Clauses (or ‘SCCs’) – a set of prewritten clauses that could be inserted into the contract covering the data transfer (such as a hosting agreement). However, at the time of the UK’s withdrawal from the EU, the current SCCs were struggling to remain relevant due to their age (with the latest revisions having been made in 2010).

Updates

The IDTA itself shows promise as an updated, modern solution to enabling and governing restricted transfers. It covers all possible permutations of transfer between data controller and processor, and even accounts for transfers to processors handling the data on behalf of a third party – previously, the SCCs were only designed for controller-controller or controller-processor transfers. In a further push for clarity, the ICO also plans to release clause-by-clause guidance on the IDTA.

Two separate systems, and a unified answer

The IDTA represents a breath of fresh air and clarity for UK regulation. However, many organisations will need to consider both EU and UK GDPR variants when transferring data to third parties

Last year the EU introduced a revamped set of SCCs as its own update (about which our team has written previously here). This new clause set features many of the same use cases and updates as the IDTA, but is not applicable under the UK regime as it was introduced following the UK’s withdrawal from the EU.

For restricted transfers covered by both the EU and UK GDPR, organisations will instead want to consider the IDTA’s addendum clauses and new SCCs; the addendum is designed to sit on top of the SCCs, creating an agreement compliant with both GDPR versions.

Key dates

Under UK law, organisations have until the 21 September 2022 to enter into agreements using the prior edition of the SCCs, and until the 21 March 2024 to stop using that edition entirely.

Under EU law, organisations had until the 27 September 2021 to enter into agreements using the prior edition of the SCCs, and until 27 December 2022 to stop using that edition entirely.

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.