International Data Transfers Under UK GDPR: International Data Transfer Agreement and Addendum Tabled in Parliament | WilmerHale

Companies that transfer personal data to and from the UK will soon have clear information regarding transfers from the UK to recipients outside the EU/EEA.

On February 2, 2022, the UK Secretary of State for Digital, Culture, Media and Sport tabled in the UK Parliament new mechanisms for international data transfer – a draft International Data Transfer Agreement (“IDTA”) as well as a separate International Data Transfer Addendum to the European Commission’s 2021 Model Contractual Clauses for International Data Transfers (“UK Addendum”). These documents, often referred to as the UK Standard Contractual Clauses (“UK SCCs”), were accompanied by a document outlining the transitional arrangements regarding the use of pre-2021 standard contractual clauses for transfers outside the UK.

Companies transferring personal data from the UK to third countries outside the European Economic Area (“EEA”) will need to reassess and analyze their international data flows and, if necessary, update their underlying transfer mechanisms. If Parliament has no objection, the new transfer mechanisms will enter into force on March 21, 2022.

Framework for international data transfers to the UK

Under the UK’s General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018 (together “UK Data Protection Laws”), in accordance with the EU General Data Protection Regulation (“EU GDPR”), companies are required to implement valid data transfer mechanisms when transferring personal data outside the UK to countries that do not provide an adequate level of data protection.

In the EU, companies transferring personal data to countries outside the European Economic Area (“EEA”) often use the EU standard contractual clauses recently updated by the European Commission on June 4, 2021 (“EU SCCs”) as a valid transfer mechanism (for more information, see our previous WilmerHale Customer Alert). As the EU SCCs were published after the UK left the EU, they do not automatically apply to the UK. As a result, UK companies face legal ambiguity when it comes to setting up the appropriate transfer mechanism. The UK SCCs are drafted to address existing legal uncertainties for UK businesses and provide a toolkit for restricted transfers.

International Data Transfer Agreement

The IDTA is a standardized agreement dealing with the processing and protection of personal data by organizations importing (or receiving) personal data from the UK. Among other things, the IDTA contains mandatory data protection clauses to protect the data transferred, including the effective and enforceable rights of data subjects. The UK Information Commissioner’s Office (“ICO”) determined that these clauses constituted appropriate safeguards. Under no circumstances can companies entering into IDTAs modify the mandatory clauses. Businesses can set up the IDTA as a standalone solution accompanying the respective main contract to comply with UK GDPR data transfer restrictions.

UK Addendum to EU Standard Contractual Clauses 2021

In addition to and as an alternative to the standalone IDTA, the ICO has published a UK Addendum that companies can enter into alongside the EU SCCs. The UK Addendum modifies the EU SCCs already agreed between the companies in relation to data transfers to recipients outside the UK.

Most EU companies operating internationally currently use EU SCCs for their data transfers outside of the EU and the UK. For businesses subject to both the UK GDPR and its EU equivalent, the UK Addendum allows them to secure their international data transfers outside the UK without implementing entirely separate transfer mechanism solutions. In particular, multinational companies are likely to favor the upcoming option of supplementing existing EU SCC-based agreements with additional UK-compliant clauses rather than implementing the IDTA as a separate transfer mechanism.

Practical impact on business

In view of the requirements imposed by the Schrems II decision of the Court of Justice of the EU, companies are required to continue to carry out transfer impact assessments (“TIAs”) for each third country. The TIAs assess local laws and practices to determine whether they override or contradict the mandatory terms contained in the UK SCCs. This ensures that relevant safeguards and protections remain adequate in light of the protections provided by UK data protection laws. The ICO has published comprehensive TIA guidelines that provide companies with helpful explanations on implementation. Companies are advised to carefully document their TIAs.

For US-based companies, the introduction of potentially separate new UK SCCs can further complicate contract and process management. Companies operating as data importers should ensure that their internal procedures reflect the EU SCCs, the IDTA and the UK Addendum, including any potential differences (depending on the data transfer module(s) that apply). This may, in some cases, require a systematic reorganization of processes related to the initiation and management of contractual relationships requiring restricted transfers.

Chronology

UK businesses must complete implementation of UK SCCs by 21 March 2024 to protect their transfers of personal data to organizations located elsewhere in third countries that do not provide an adequate level of protection.

Contracts concluded on or before September 21, 2022 based on the EU SCCs adopted by the European Commission in 2004/2010 continue to provide appropriate safeguards until March 21, 2024 under the UK GDPR. This only applies provided that the processing operations and the respective subject matter of the contract remain unaffected and provided that there are appropriate safeguards. In sum:

  • For existing contracts, companies currently have three options to protect their international data transfers: (i) maintain the old EU SCCs, (ii) implement a new IDTA, or (iii) implement the new UK Addendum alongside the EU SCCs. They will have until March 21, 2024 to update existing contracts using the new UK SCCs.
  • For new contracts concluded between 21 March 2022 and 21 September 2022, companies can use (i) the old EU SCCs, (ii) the IDTA or (iii) the UK Addendum alongside the EU SCCs.
  • For new contracts concluded on or after September 21, 2022, companies are restricted to using the new UK SCCs, that is to say (i) the IDTA, or (ii) the UK Addendum with EU SCCs.

Open questions

The introduction of UK SCCs creates greater legal certainty for UK businesses and for data importers in third countries. At the same time, however, the wide range of options introduces an additional decision-making step and increased complexity for both UK businesses and data importers in third countries such as the US.

The ICO aims to publish additional guidance on international data transfers from the UK soon. This will in particular include (i) article-by-article advice on the IDTA and the UK Addendum, (ii) advice on how to use the IDTA, (iii) advice on carrying out TIAs and (iv) additional clarification on the ICO’s international transfer guidelines.

WilmerHale Senior Associate Valentino Halim also contributed to this blog post.