New UK International Data Transfer rules now effective

Is your organisation exposed to international data transfer outside of the UK? If so, Monday 21 March 2022 marked the day when the international data transfer landscape changed in the United Kingdom and, for any organisation with such exposure, signified the need to act in line with the new requirements.

Following on from Brexit and the removal of the UK from the European Union, the use of the newly drafted EU standard contractual clauses as an international data transfer safeguard was never a viable option for UK organisations. As a result, in February this year a number of changes were laid before the UK Parliament:

  • The new International Data Transfer Agreement (IDTA);
  • The new International Data Transfer UK Addendum to the EU’s new standard contractual clauses (UK Addendum); and
  • The relevant transitional provisions.

Going forward, for any UK based organisation that has exposure to international data transfers and relies on contractual safeguards, it is important that arrangements are put in place to ensure that either an IDTA or UK Addendum is signed. For any legacy international data transfer exposures and corresponding contracts, UK based organisations must ensure changes are made within the transitional provisions provided for in the guidance (see below for further information).

Background

For any international data transfer made by a UK based organisation to a jurisdiction not viewed as having an adequate level of data protection by the UK, it is a requirement of the UK Data Protection Act 2018 (UK GDPR) that the transfer must be supported by an appropriate safeguard in order for that transfer to be made.

In advance of any safeguard being applied, it is also an additional requirement of the UK GDPR that a Transfer Risk Assessment (TIA) is undertaken with the objective of identifying any risks with the proposed transfer, but also to ensure that data subjects affected by the proposed transfer continue to have a level of protection expected under UK Data Protection laws. For any concerns, it is imperative that additional measures are implemented to ensure that any risks identified are mitigated before the proposed transfer can be made.

The most commonly used data transfer safeguard mechanism is the Standard Contractual Clauses (SCCs) – a set of standard data protection clauses that cover the obligations of both the sender and recipient of any personal data being transferred and the rights of the data subjects whose information is the subject of the transfer.

The impact of Brexit

Before the UK’s departure from the European Union, UK organisations would have needed to be in compliance with EU GDPR requirements and would have relied on the old EU version of the SCCs. Subsequent to the departure and the end of the Brexit transitional period on 31 December 2020, the EU GDPR no longer applied and the UK implemented the UK GDPR into UK law.

Shortly after the departure from the EU, the old EU version of the SCCs was updated by the European Commission in June 2021 to reflect the outcome of the recent Schrems II judgement. However, UK organisations were unable to use these updated clauses – in fact, for any UK organisation with an exposure to international data transfer, the guidance was to continue using the old EU version of the SCCs.

Given the recent developments surrounding international data transfers as a result of the Schrems II judgement and the fact that the old EU version of the SCCs was considered outdated and no longer fit for purpose, the UK had no option but to act accordingly, which resulted in the development of the UK Transfer documents, which have become fully effective today.

Effective Changes

As noted in the introductory paragraphs, from 21 March 2022, any UK organisation relying on contractual safeguards to transfer personal information outside of the UK must ensure they sign the IDTA or the new UK Addendum linked to the EU version of the SCCs. These documents supersede all other contractual safeguards the UK was previously reliant on, i.e. the old EU version of the SCCs.

International Data Transfer Agreement (IDTA) – The IDTA is recognised as a standalone agreement that complements the main agreement in place between the sender and recipient of any information being transferred between the two parties. The IDTA can only be used when any international data transfers are subject to UK Data Protection Laws.

The New UK Addendum – The New UK Addendum is used with the new EU SCCs when a UK based organisation is looking to transfer personal data where both UK and EU Data Protection Laws are applicable. It removes the need for a separate agreement, i.e. an IDTA, to be drawn up for the UK data transfer element.

Important dates you need to know

In line with the transitional provisions that have been published, there are a number of key dates that UK based organisations need to be aware of:

  • 21 March 2022 – The UK International Transfer documents i.e. the IDTA and UK Addendum are effective and can be used by UK based organisations.
     
  • 22 September 2022 – The date that UK based organisations are no longer able to rely on the old EU SCCs for international data transfers. From 22 September 2022, UK organisations must ensure that the new UK International Transfer documents are in place for all new international data transfers entered into.
     
  • 21 March 2024 – The date that UK based organisations are no longer able to rely on the use of the old EU SCCs for any pre-existing or legacy exposures to international data transfers. For any existing data transfer arrangements entered into (prior to 22 September 2022) that rely on the old EU SCCs as the appropriate safeguard, the organisation must have entered into a new contract on the basis of the new UK International Transfer documents (unless an additional safeguard can be relied upon outside of the contractual option).

What should your organisation be doing now?

There are a number of tasks that your organisation can do now to prepare you for the proposed changes:

  • Review your record of processing activity to ensure that you have full visibility on where your organisation is exposed to international data transfer. Is this up to date? Does this need to be updated?
  • For any international data transfers identified, confirm the appropriate safeguard in use to justify the data transfer outside of the UK.
  • Obtain and check the existing contracts in existence between the two parties. Identify the required changes and note when would be the best time to transition across to the new requirements.
  • Determine which mechanism (IDTA or UK Addendum) is to be used as part of the transition across.
  • Look out for any further guidance from the ICO.

The implementation of the IDTA and UK Addendum marks a significant milestone in the UK establishing its compliance requirement for international data transfer. If you need any support or assistance with how to apply these requirements, or with your overall compliance with UK GDPR or EU GDPR, then please do get in touch with our team, who would be extremely happy to have a conversation with you.

Contact us: Cyber Security and Data Protection Services