Last week, the UK’s International Data Transfer Agreement (IDTA) was laid before Parliament, along with an addendum (the EU Addendum) to the EU standard contractual clauses (EU SCCs) (that we discussed here). The ICO also announced changes to the definition of a ‘restricted transfer’ in its international transfers guidance.
Two options for UK businesses: IDTA and EU Addendum
The IDTA retains the same structure as the consultation draft and provides UK organisations with a complete package of standard clauses to use across all controller/processor scenarios (including P2P and P2C transfers). Like the EU SCCs, the IDTA reflects the GDPR and the impact of the Schrems II judgement. However, unlike the EU SCCs, the IDTA does not take a modular format but includes tables to be completed with details of the transaction. While still lengthy, the final IDTA is less than half the length of the consultation version as much of the accompanying guidance has been removed.
The EU Addendum provides organisations with an alternative to the IDTA by amending the EU SCCs for data transfers from the UK. The EU Addendum is helpful recognition by the ICO that many businesses operating across the UK and EU will likely want to use the EU SCCs as their default transfer mechanism, supplemented with the EU Addendum for UK transfers.
What are the key dates?
The IDTA and EU Addendum will come into force on 21 March 2022 (subject to no objections being made in Parliament). However, the ICO has noted that even before then, the ‘documents are immediately of use to organisations’. This suggests that in the absence of other clauses that work for certain UK transfers (e.g. P2P), organisations can and should start looking to the new clauses straight away.
The existing SCCs for outward transfers from the UK (Interim Clauses) can be used for new contracts concluded on or before 21 September 2022. The initial version of the ICO’s transitional provisions document erroneously referred to 21 September 2021, but this has since been rectified.
The Interim Clauses continue to be a valid transfer mechanism until 21 March 2024 (but not from that date onwards) for data flows under existing contracts and those signed on or before 21 September as long as the subject matter of the contract remains unchanged and, importantly, the clauses ensure the transfer is subject to appropriate safeguards. In other words, the ICO expects organisations relying on the Interim Clauses to have carried out a transfer risk assessment and put in place additional measures as necessary to protect the data.
What changes have been made to the ICO’s international transfers guidance?
The ICO has amended its guidance to focus on geographical transfers rather than the coverage of the UK GDPR (often referred to as the ‘GDPR bubble’), aligning its position with that of the EDPB in their latest guidance (Guidelines 05/2021). The latest version of the ICO guidance specifies that there is a restricted transfer if: (i) the UK GDPR applies to the processing of personal data; (ii) personal data is sent or made accessible to a receiver in a country outside the UK; and (iii) the receiver is legally distinct (e.g. a separate company/organisation or individual). As such, transfers from an employee to their company or from one branch of an organisation to another remain outside the scope of a restricted transfer.
Transfer risk assessments?
The ICO has not yet published its guidance on transfer risk assessments, which formed a central part of its international transfers consultation. However, it has promised that this guidance will be published soon, along with further guidance on the IDTA and EU Addendum and further clarifications on its international transfers guidance.