New rules for personal data transfers to countries outside the United Kingdom enter into force on March 21, 2022. Businesses transferring personal data from the U.K. to countries outside the European Economic Area (EEA) need to analyze their international data flows and potentially update their transfer mechanisms to reflect these new provisions.
Under the U.K. General Data Protection Regulation (GDPR) and the U.K. Data Protection Act 2018 (collectively the “U.K. Data Protection Laws”), companies are required to, among other things, implement valid data transfer mechanisms when transferring personal data outside the U.K. to countries without an adequate level of data protection. Standard contractual clauses (SCCs) are a commonly used mechanism to validate these transfers. Once the Brexit transition period ended on December 31, 2020, the EU-GDPR no longer applied in the U.K.; the UK-GDPR applied instead. Therefore, when the European Union published revised SCCs in June 2021, they did not automatically apply in the U.K., and U.K. companies continued to rely on the old EU-SCCs to validate data transfers.
To sort out this complexity, the U.K.’s Information Commissioner’s Office (ICO) recently issued a new toolkit of standardized clauses in the form of two documents. The first is the International Data Transfer Agreement (IDTA). The IDTA may be executed as a standalone agreement to accompany a main contract to ensure compliance with U.K. Data Protection Laws. The second is an addendum to the EU’s 2021 standard contractual clauses (U.K. Addendum). As noted above, many companies operating internationally already have the EU SCCs in place. The U.K. Addendum to the EU SCCs allows companies subject to both the U.K. Data Protection Laws and the EU-GDPR to secure international data transfers without the need to execute a completely new, separate mechanism such as the IDTA.
For some U.S.-based companies, the new U.K. SCCs could create more complexity in contract negotiations and data transfer activities generally. Companies importing data will need to ensure their internal processes align with both the EU SCCs and U.K. SCCs, including which contract modules apply to each unique relationship. This added complexity may require companies to reassess and potentially revise their methods for executing contracts requiring cross-border data transfers.
If the U.K. Parliament makes no further changes, the U.K. SCCs will be effective March 21, 2022. U.K. companies must fully implement the U.K. SCCs by March 21, 2024 and have up to this deadline to update existing contracts with these new clauses. In the meantime, for existing contracts, companies have three options: (1) continue using the older EU SCCs, (2) implement the new IDTA, or (3) implement the new U.K. Addendum along with the EU SCCs. These same options exist for contracts executed between March 21, 2022 and September 21, 2022. For contracts entered into on or after September 21, 2022, companies must use the new U.K. SCCs. This means (1) executing the IDTA in full, or (2) executing the U.K. Addendum with the EU SCCs.
While these new clauses create more legal certainty in the area of data transfers out of the U.K., the numerous contracting options available create additional complexity for U.K. companies and data importers in countries deemed inadequate, such as the U.S. We expect the ICO to issue further guidance on specific IDTA and U.K. Addendum clauses in the coming months.
Featuring a high concentration of CIPP-certified privacy professionals, Varnum attorneys guide businesses through all aspects of data privacy and cybersecurity, from compliance and policy issues to breach preparedness and response.