UK ICO's new data transfer agreements – in force today, 21 March 2022

The old standard clauses for the transfer of personal data outside of the UK, known as the ‘Standard Contractual Clauses’, have quite a history.

The Standard Contractual Clauses were originally prepared by the EC under the predecessor to the EU General Data Protection Regulation (the EU GDPR), the EU Data Protection Directive 95/46/EC (the Directive). The Standard Contractual Clauses were not updated when the EU GDPR was introduced in 2018, and the EC ruled that, as an interim measure, the Standard Contractual Clauses would been deemed to provide appropriate safeguards under the EU GDPR until a replacement was introduced.

After Brexit, UK businesses were permitted to keep using the Standard Contractual Clauses, and to amend those clauses as necessary for use in the UK. The ICO prepared a model set of Standard Contractual Clauses with amendments for use in the UK.

The EC always intended to replace the old Standard Contractual Clauses with a new version as soon as it was practicable to do so. The old Standard Contractual Clauses were not designed for use with the GDPR, and had a number of shortcomings and limitations.  

Eventually, the EC replaced them with a new set of Standard Contractual Clauses in June 2021. The new Standard Contractual Clauses were specifically prepared for the EU GDPR and had a number of advantages.

However, by that time, the UK was no longer part of the EU. As such, UK businesses had to continue to use the old Standard Contractual Clauses in conjunction with the UK GDPR, while EU businesses now used their new Standard Contractual Clauses in conjunction with the EU GDPR.

Therefore, in order to update the old Standard Contractual Clauses for the UK GDPR, and provide greater flexibility and relevance for UK businesses, the Department of Digital, Culture, Media and Sport has laid before the UK Parliament new standard clauses, which in the UK will be called the International Data Transfer Agreement and Addendum.

The IDTA is a new agreement which imposes a range of obligations on the data importer to ensure that it provides an equivalent level of protection to the UK GDPR for personal data transferred from the UK.

Like the Standard Contractual Clauses, the IDTA can be executed alongside an agreement which covers the provision of the services which include the data processing (a Linked Agreement).

Generally speaking, the IDTA is shorter and clearer than the new EC Standard Contractual Clauses. One of the reasons for this is that the IDTA does not have ‘modules’ which contain different terms depending on whether the exporter and/or the data importer are controller or processor of the personal data.

One of the consequences of this is that the IDTA does not include provisions necessary to meet the requirements of UK GDPR Article 28, which requires controllers to include certain provision in their contracts with processors. This is significant for UK controllers who use overseas processors as these businesses will need to include the provisions required by UK GDPR Article 28 in their main services agreement.

To avoid a point of uncertainty that has affected the EC Standard Contractual Clauses, the IDTA makes clear that it can be used whether the data importer is subject to the UK GDPR or not. If the data importer is subject to the UK GDPR, then a general obligation to comply with the requirements of the UK GDPR replaces several more specific obligations in the IDTA.

Like the EC Standard Contractual Clauses, the IDTA addresses the issues raised by the European Court of Justice decision in the Schrems II case, by requiring the data importer to conduct a transfer risk assessment in respect of their country’s laws. This is an assessment of whether the IDTA can provide appropriate safeguards in that country. This assessment must take into account any local laws and practices of the importing country which:

• Imposes obligations on the data importer and/or affects the data transferred in a manner that may impinge on the IDTA’s guarantee of an essentially equivalent level of protection to that afforded under the UK GDPR.
• Does not respect the essence of the fundamental rights and freedoms recognised by UK law, or exceeds what is necessary and proportionate in a democratic society to safeguard an important objective which is also recognised in UK law.

The ICO proposes to release a transfer risk assessment tool, which will assist organisations to conduct this assessment.

The Addendum is a relatively short addendum to the new EC Standard Contractual Clauses. It effectively ‘piggybacks’ off the EC Standard Contractual Clauses and essentially extends and adapts them for use in the UK. For example, it replaces references to the EU with the UK, to the EU GDPR with the UK GDPR, and to European supervisory authorities with the ICO. Aside from these changes to the jurisdiction, the obligations of the data exporter and the data importer under the Addendum are effectively identical to those under the EC Standard Contractual Clauses.

The Addendum is particularly useful for UK businesses who also have operations in the EU, and have already entered into the EC Standard Contractual Clauses with an overseas recipient. In those cases, the Addendum extends the operation of the EC Standard Contractual Clauses to cover personal data exported from the EEA or the UK, and means that the data exporter has the same compliance obligations for both territories.