UK Adopts International Data Transfer Agreement and Addendum
On 21 March, the UK adopted a new International Data Transfer Agreement (IDTA) and an international data transfer addendum (Addendum) to the European Commission’s standard contractual clauses to be used in connection with transfers of personal data from the UK to jurisdictions for which no adequacy decision exists. This follows an ICO consultation launched in August 2021. The new UK data transfer solutions should be welcomed by UK businesses that export personal data to third countries, which will no longer be tied to the outdated ‘old’ EU model clauses. However, with the UK taking a different approach to the EU, data protection professionals in multinational businesses will be presented with an extra layer of complexity.
The GDPR prohibits the transfer of personal data to third countries that do not ensure an adequate level of protection absent some other transfer mechanism. The UK GDPR, which took effect on 31 December 2020, follows suit. Both regulations permit the transfer of personal data to third countries where appropriate safeguards have been implemented to ensure the protection of personal data.
One such appropriate safeguard is the Standard Contractual Clauses (SCCs). The European Commission adopted new SCCs in June 2021, replacing the preceding SCCs that had been adopted under the Data Protection Directive 95/46/EC. The ‘new’ SCCs were drafted to address a number of deficiencies identified in the preceding versions. For instance, the ‘old’ SCCs did not permit processor-processor transfers, which frequently proved to be problematic when documenting data processing arrangements. In standard form, they also did not readily lend themselves to arrangements involving data transfers between multiple parties, such as intra-group data transfers among international affiliates.
The UK left the EU prior to the European Commission adopting the ‘new’ SCCs. As a result, the ‘new’ SCCs are not recognised as an appropriate safeguard for the transfer of personal data from the UK to third countries. This has meant that UK data exporters have had to use the ‘old’ EU SCCs, often having to resort to work-arounds to address their inherent shortcomings.
The Information Commissioner’s Office (ICO) launched a consultation on data transfers in August 2021, which included the draft IDTA and Addendum, as well as a proposal and plans for updates to guidance on international transfers and a draft international transfer risk assessment and tool. The IDTA and Addendum were laid before Parliament by the UK Secretary of State on 2 February 2022, and came into force on 21 March 2022.
The IDTA and the Addendum
The IDTA takes a different approach to the EU SCCs adopted by the European Commission in June 2021. It consists of four parts. Part one is made up of four tables, which the parties are required to complete and which set out: the parties and signatures to the IDTA; details of the transfer; a description of the transferred data; and the applicable security measures. Part two provides for optional extra protection clauses and Part three for optional commercial clauses. Part four sets out the mandatory clauses, which form the operative part of the IDTA, and also includes explanatory notes and a legal glossary.
The Addendum is intended to be appended to the EU SCCs in order to create a multiparty data transfer agreement that caters to data exporters who are processing data of individuals in both the UK and the EU. For example, the Addendum could be appended to the EU SCCs in the context of an intra-group data transfer agreement. In effect, it incorporates the clauses of the EU SCCs and tailors them to the requirements of the UK GDPR.
UK data exporters may continue to enter into new data transfer arrangements using the ‘old’ SCCs until 21 September 2022, after which time they must use the IDTA or Addendum. The ‘old’ SCCs will no longer provide ‘appropriate safeguards’ for data transfers after 21 March 2024. After this date, UK data exporters will need to use the IDTA or the Addendum.
Transfer Risk Assessment
ICO guidance provides that data exporters in the UK must carry out a risk assessment of the third country to which they intend to transfer personal data. This assessment must take into account the protection provided by the appropriate safeguard (such as the SCCs) and the legal framework in the country of the data importer. The assessment of the legal framework should consider applicable local laws that govern public authorities’ access to personal data in the destination country. If the assessment concludes that the appropriate safeguard does not provide adequate protection of personal data, the parties may include additional measures. The ICO guidance acknowledges that this may be a complex exercise.
The European Data Protection Board (EDPB) published recommendations on how to carry out a transfer risk assessment, which include examples of supplementary measures that could be put in place to ensure an adequate level of protection. However, ICO guidance provides that the EDPB recommendations apply to the EU GDPR transfer regime, so from a UK perspective they may only be considered as a useful reference. The ICO published its own transfer risk assessment and tool as part of its consultation on data transfers; however, this has not been formally adopted.
The flexibility of the IDTA and Addendum should be welcomed, notwithstanding that they add an additional compliance step for multinational businesses with a presence in the EU, the UK and third countries. However, pending the ICO finalising its guidance on transfer risk assessments, UK businesses that wish to transfer personal data to third countries may be left in an uncertain position. Nevertheless, companies using the IDTA and Addendum should likely follow the currently existing ICO guidance on transfer risk assessments, as well as the EDPB recommendations on transfer impact assessments, particularly when using the Addendum to the EU SCCs.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.