UK ICO's new data transfer agreements – in force today, 21 March 2022

The UK Information Commissioner’s Office (ICO) recently released two new agreements for the transfer of personal data outside the UK. These agreements came into force today, 21 March 2022. Here, our experts consider what these changes mean for UK data exporters.

Background

Under the General Data Protection Regulation (the UK GDPR), as adopted by the Data Protection Act 2018, organisations are prohibited from transferring personal data to an overseas recipient in a country which is not covered by a European Commission (EC) adequacy decision, unless an exception applies.

The exception most commonly used is found in Article 46(2)(d) of the UK GDPR: for the data exporter and data importer to enter into a set of standard clauses approved by the ICO. These standard clauses essentially require the data importer to put in place “adequate safeguards” that provide a level of data protection equivalent to the UK GDPR.

The old Standard Contractual Clauses

The new International Data Transfer Agreement and Addendum

The old Standard Contractual Clauses are being replaced by two different sets of standard clauses:

  • An international data transfer agreement (IDTA).
  • A data transfer addendum to the new EC Standard Contractual Clauses (the Addendum).

Organisations can adopt either the IDTA or the Addendum. Like the old Standard Contractual Clauses, the IDTA or Addendum must be adopted in their approved form, without modifications, other than to complete the details of the parties and the nature of the processing.

The IDTA is a new agreement which imposes a range of obligations on the data importer to ensure that it provides an equivalent level of protection to the UK GDPR for personal data transferred from the UK.

Like the Standard Contractual Clauses, the IDTA can be executed alongside an agreement which covers the provision of the services which include the data processing (a Linked Agreement).

Generally speaking, the IDTA is shorter and clearer than the new EC Standard Contractual Clauses. One of the reasons for this is that the IDTA does not have ‘modules’ which contain different terms depending on whether the exporter and/or the data importer are controller or processor of the personal data.

One of the consequences of this is that the IDTA does not include provisions necessary to meet the requirements of UK GDPR Article 28, which requires controllers to include certain provisions in their contracts with processors. This is significant for UK controllers who use overseas processors, as these businesses will need to include the provisions required by UK GDPR Article 28 in their main services agreement.

To avoid a point of uncertainty that has affected the EC Standard Contractual Clauses, the IDTA makes clear that it can be used whether the data importer is subject to the UK GDPR or not. If the data importer is subject to the UK GDPR, then a general obligation to comply with the requirements of the UK GDPR replaces several more specific obligations in the IDTA.

Like the EC Standard Contractual Clauses, the IDTA addresses the issues raised by the European Court of Justice decision in the Schrems II case, by requiring the data importer to conduct a transfer risk assessment in respect of their country’s laws. This is an assessment of whether the IDTA can provide appropriate safeguards in that country. This assessment must take into account any local laws and practices of the importing country which:

  • Impose obligations on the data importer and/or affect the data transferred in a manner that may impinge on the IDTA’s guarantee of an essentially equivalent level of protection to that afforded under the UK GDPR.
  • Do not respect the essence of the fundamental rights and freedoms recognised by UK law, or exceed what is necessary and proportionate in a democratic society to safeguard an important objective which is also recognised in UK law.

The ICO proposes to release a transfer risk assessment tool, which will assist organisations to conduct this assessment.

The Addendum is a relatively short addendum to the new EC Standard Contractual Clauses. It effectively ‘piggybacks’ off the EC Standard Contractual Clauses and essentially extends and adapts them for use in the UK. For example, it replaces references to the EU with the UK, to the EU GDPR with the UK GDPR, and to European supervisory authorities with the ICO. Aside from these changes to the jurisdiction, the obligations of the data exporter and the data importer under the Addendum are effectively identical to those under the EC Standard Contractual Clauses.

The Addendum is particularly useful for UK businesses who also have operations in the EU, and have already entered into the EC Standard Contractual Clauses with an overseas recipient. In those cases, the Addendum extends the operation of the EC Standard Contractual Clauses to cover personal data exported from the EEA or the UK, and means that the data exporter has the same compliance obligations for both territories.

Transition arrangements and key dates

Following consultation in 2021 (to which Kennedys responded, welcoming the proposals, which were largely in line with existing legal practices while still allowing an agile approach that supports innovation), the ICO presented the new IDTA and Addendum to Parliament, where they passed without objection and entered into force today, 21 March 2022.

The ICO expects to publish additional detailed guidance on the operation of the IDTA and the Addendum in the near future.

The ICO has put in place the following transitional arrangements for the new IDTA and Addendum:

  • Contracts signed on or before 21 September 2022 can continue to use the old Standard Contractual Clauses until 21 March 2024. Those clauses will still be deemed to provide “appropriate safeguards” for the purposes of the UK GDPR until that date. From 22 March 2024, the old Standard Contractual Clauses will no longer be deemed to provide “appropriate safeguards” for the purposes of the UK GDPR, and as such all contracts that use them will need to be amended or replaced to use the IDTA or the Addendum.
  • Contracts signed after 21 September 2022 will need to use the IDTA or the Addendum in order to be effective.

We recommend that any new contracts adopt the IDTA or the Addendum, even if signed on or before 21 September 2022. This will avoid the need for amendments in 2024.

Comment

The IDTA and Addendum are a much-anticipated development that should simplify UK GDPR compliance. UK businesses should be aware of two key dates under the transition arrangements:

  • Contracts signed after 21 September 2022 will need to use the IDTA or the Addendum.
  • All contracts signed on or before 21 September 2022 which use the old Standard Contractual Clauses will need to be amended or replaced to use the IDTA or the Addendum by 21 March 2024.