ICO’s International Data Transfer Agreement: A Post-Brexit Refresh
Towards the end of last year, the Information Commissioner’s Office (“ICO”) ran a public consultation on how organisations can continue to protect people’s personal data when it is transferred outside of the UK.
Following that consultation, on 28 January 2022, the government put to Parliament:
- the international data transfer agreement (the “IDTA”);
- the international data transfers addendum to the European Commission’s standard contractual clauses for international data transfers (the “Addendum”); and
- a document setting out transitional provisions.
These documents seek to provide a much-needed refresh of the UK’s standard position on international data transfers which, since Brexit, had been a now outdated version of the EU standard contractual clauses for use in international data transfers (the “SCCs”).
The IDTA and Addendum received no objections after they were first presented to Parliament in January, and came into force on 21 March 2022.
Key dates for compliance
The UK GDPR allows international transfers of personal data where the controller or processor has provided appropriate safeguards and on the condition that enforceable rights and effective legal remedies are available for data subjects.
The Data Protection Act 2018 sets out transitional provisions allowing the use of SCCs to act as the ‘appropriate safeguard’. Please note, the European Commission released a new version of the SCCs on 4 June 2021 and so, if relying on the SCCs, these should be used.
The document issued by the ICO dealing with transition provisions sets a 6-month grace period, until 21 September 2022, for contracts to be concluded using the SCCs which would satisfy the requirements under the UK GDPR.
There is, however, a longstop date of 21 March 2024, at which point the SCCs are no longer applicable for use under the UK GDPR.
The practicalities of using the IDTA and the Addendum
The IDTA appears, on the face of it, to be a much shorter and more straightforward document than the new version of the SCCs.
However, the current adequacy decision from the EU allowing the free flow of personal data from the EU to the UK was heavily caveated with warnings about what will happen if the UK seeks to diverge from the EU position. If the European Commission, the European Data Protection Board or a Member State representative expresses concerns about the IDTA’s effectiveness, this could trigger a debate about that flow of data into the UK and raise question marks around the adequacy decision.
Given that, it is likely that businesses with large international data flows will look to use the new SCCs with the Addendum, which would allow them to adopt those SCCs to work in the context of UK transfers.
- The new IDTA and Addendum are in force (from 21 March 2022).
- You may use the old SCCs in contracts concluded up to 21 September 2022; however, they will be deemed ineffective from 21 March 2024.
- You can use the new SCCs using the Addendum.
- The IDTA could face scrutiny from the EU in light of the nature of the current adequacy decision.
Should you require any advice on international data transfers, or on your data protection obligations in general, please contact the Commercial Team, who would be happy to assist.