On 2 February 2022, the Secretary of State laid before the UK Parliament the international data transfer agreement (IDTA), the international data transfer Addendum to the standard contractual clauses for international data transfers and a document that sets out transitional provisions. This is the final step after the much anticipated Information Commissioner’s Office (ICO) consultation took place in 2021, finalising the new UK data transfer agreement and addendum to the new EU Standard Contractual Clauses. This means that if there will be no objections, the documents will come into force on 21 March 2022 and all international data transfers will be able to use the IDTA or the Addendum to comply with Article 46 of the UK GDPR that addresses restricted transfers.
What does it mean in practice?
Companies need to be aware that the new tools will replace the current standard contractual clauses for international transfers. The Addendum and the IDTA follow the Schrems II decision, and these documents will be available to use immediately after Parliamentary approval. Organisations will be able to use the new tools when transferring people’s data outside of the UK to countries not covered by adequacy decisions. The UK organisations will be able to use the old EU Standard Contractual Clauses until 21 September 2022, and old EU Standard Contractual Clauses entered into before that date will remain valid until 21 March 2024. Organisations will be able to use the Addendum as an alternative to the IDTA, to apply the European Commission’s Implementing Decision on standard contractual clauses (EC SCCs) for the UK data transfers.
With the new developments, organisations will need to assess transfer arrangements and data flows to be prepared to incorporate the IDTA or Addendum for new transfers – this will need to be done by 21 September 2022.
What is the effect on UK organisations?
This development will be welcomed by UK organisations, providing them with long-awaited certainty and clarity on how to legitimise personal data transfers to service providers and companies located outside of the UK/EEA. Until now, businesses which were transferring personal data outside of the UK were reliant on outdated EU SCCs, and the new tools now align with the UK GDPR and Data Protection Act 2018 as well as the Schrems II decision. The implementation of the Addendum will be specifically beneficial to those organisations that have a presence in both the UK and EU, helping them to harmonise the adequacy measures, despite the uncertainties of Brexit. This is because the Addendum enables you to use only one set of SCCs to cover both transfers (for organisations transferring personal data from the UK and EU) without the need to use both the EU Standard Contractual Clauses and the IDTA.