After much anticipation and angst from organisations trying to navigate the knotty world of cross border transfers of personal data, on 28 January 2022, the Secretary of State for the Department of Culture, Media and Sport laid before Parliament the UK’s new transfer tools that can be used to comply with the requirements of the UK GDPR when transferring personal data outside of the UK.
The UK GDPR requires that when personal data is transferred outside of the UK, steps are taken to ensure it is appropriately protected. This is not a new concept and prior to Brexit similar rules applied to transfers of personal data outside of the EU. One of the mechanisms available was the three sets of EU Standard Contractual Clauses adopted in 2001 and 2010 (the Old EU SCCs).
Following the UK’s departure from the EU, organisations have been permitted to continue to use the Old EU SCCs. The announcement on 28 January marks the beginning of the end for the use of the Old EU SCCs to comply with the UK GDPR. This follows the announcement by the European Commission in June 2021 of the new standard contractual clauses it has approved to replace the Old EU SCCs for the purposes of the EU GDPR (the New EU SCCs).
So what’s the replacement?
The ICO has published two transfer tools:
- The international data transfer agreement (IDTA) and
- The addendum to the New EU SCCs (the Addendum).
The IDTA addresses the UK GDPR’s cross border transfer requirements and can be used regardless of the roles of the parties (e.g. whether personal data is being transferred outside of the UK by a controller or a processor). However, it does not include the other contractual provisions that may be needed under the UK GDPR (such as the provisions that must be put in place between a controller and processor under Article 28).
The Addendum effectively amends the New EU SCCs so that they can be used to comply with the UK GDPR. The Addendum also includes the contractual provisions required by the UK GDPR (in contrast to the IDTA).
The Addendum is the document that addresses the challenge being grappled with by many organisations: How do we comply with the cross border transfer requirements under the UK GDPR and EU GDPR where they both apply to a transfer but require the use of different standard form documents? The Addendum attempts to reduce this complexity by enabling the use of broadly consistent terms to satisfy each of the UK GDPR and the EU GDPR.
What does this all mean for us?
First and foremost, it means you won’t be able to continue to rely on the Old EU SCCs indefinitely. You will need to amend your existing arrangements which rely on the Old EU SCCs. The good news is that there is a transitional period, so you have time to get your house in order.
You can use either the Addendum or IDTA from 21 March 2022 (subject to Parliamentary approval). You can also continue to use the Old EU SCCs up to 21 September 2022. Any contracts entered into relying on the Old EU SCCs on or before 21 September 2022 must be amended to include either the Addendum or IDTA by 21 March 2024 (unless you change the way you are using personal data before this date, in which case you will need to amend the contract at that point).
Past experience tells us that transitional periods like this pass in the blink of an eye. So it would not be wise to wait to start planning to address this change.
For multinational organisations with lots of suppliers, this could affect a high number of contracts, and making these changes is not a small job given that it will also be necessary to undertake a transfer risk assessment (see below) as part of this process. However, don’t be fooled into thinking this is only a problem for multinational organisations: most companies will have contracts that will be affected (the likely culprits include technology contracts or contracts for cloud based solutions).
Transfer impact assessments
It is important to also remember that documenting a cross border transfer using the Addendum or the IDTA is only part of the story. It is also necessary to undertake a transfer impact assessment.
A transfer impact assessment is a process to evaluate the adequacy of the legal framework and practical application of the law in the country of destination (including a review of the laws which permit public authority access to the data). This risk assessment is likely to be complex in many data transfers and may result in additional protective measures being required (and documented) before the transfer can take place.
What should we be doing now?
The single most important thing to start doing now is to identify all of the contracts you have in place that involve the transfer of personal data outside of the UK and which rely on the Old EU SCCs. Once you have done this, you can start to assess the scale of the project and which of the Addendum or IDTA is the best document for you to use as a replacement.
The ICO has promised further guidance on the transfer tools so watch this space for further developments and detail on how the IDTA and Addendum should be used.
We know there’s a lot to take in and we will be publishing further updates in due course. We have a strong privacy team with years of experience advising on cross border transfer compliance. If you have any queries on the above or would like further advice/support, please get in touch.