The UK Information Commissioner’s Office Publishes Its Standard International Data Transfer Agreement
2 February 2022
Technology & eCommerce Regulation in the Spotlight
The UK Information Commissioner Officer (“ICO“) has published the UK’s International Data Transfer Agreement (“IDTA”). Together with the IDTA, it also published an addendum (“Addendum”) to the European Union’s Standard Contractual Clauses (“New SCCs”) which came into force in September 2021, for transferring of personal data outside the UK. The new IDTA and Addendum will bring the UK contractual data transfer mechanisms in line with the EU adopted New SCCs (see our previous report) in the aftermath of Schrems II.
Although the UK has left the EU, the ICO has aligned its approach towards restricted transfers of personal data under the UK General Data Protection Regulations (“UK GDPR“) with the European Data Protection Board’s Guidelines on the interplay between the territorial scope and international transfer under the EU GDPR (see our report). According to the ICO, transfers of personal data outside the UK will be considered as restricted transfers, regardless of whether the recipient of the data is subject to the UK GDPR or not.
The IDTA is meant to replace the old standard contractual clauses adopted under Directive 95/46 that are still in force under the UK GDPR (“Old SCC“). Unlike the New SCCs, which are comprised of four different modules according to the respective roles of the data importer and exporter (controllers or processors), the IDTA is a unified agreement that should apply regardless of the respective roles, with the exception of specific clauses. Additionally, and contrary to the New SCCs that do not account for transfers of data to data importers that are subject to the EU GDPR under Article 3(2), the IDTA covers all transfers of personal data outside the UK, including to data importers that are subject to the UK GDPR.
The Addendum, on the other hand, allows data exporters who operate both in the EU and the UK to continue relying on the New SCCs, instead of signing the IDTA, simply by entering into the Addendum, which adds on top of the New SCCs and tailors the New SCCs to cover data transfers under the UK GDPR.
Similarly to the requirements under the EU GDPR and its New SCCs, data exporters which are subject to the UK GDPR will be required to carry out a Transfer Risk Assessment (“TIA”) prior to transferring personal data outside the UK. The ICO is intended to publish a TIA tool that will assist data exporters in assessing and documenting the risks associated with the transfers of data. In addition, the ICO plans on publishing guidance on the use of the IDTA and Addendum and further clarification for international transfers.
The IDTA and the Addendum have been laid before the UK parliament, together with a document setting the transitional provisions, and are expected to come into force on 21 March 2022 unless the UK parliament raises objections. However, the ICO noted that those are for immediate use by organization transferring personal data outside the UK, signaling that the ICO does not expect material changes by the parliament.
Agreements concluded on or before 21 September 2022 on the basis of Old SCCs will continue to provide appropriate safeguards, without migrating to the IDTA or the Addendum, until 21 March 2024 for the purposes of the UK GDPR, provided that the processing operations and the subject matter of the agreements remain unchanged and reliance on them ensures that the transfer o is subject to appropriate safeguards.
Please feel free to contact us if you have any questions regarding the implications of these transfer mechanisms on your practices.
Kind regards,
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation