New data transfer developments in the UK

11/02/'2021 - On 2 February 2022, the United Kingdom (UK) Secretary of State laid before UK Parliament the ‘International Data Transfer Agreement’ (IDTA) and the ‘International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers’ (UK Addendum). After the lapse of the Brexit transition period, the UK essentially retained the EU GDPR within their national laws, most notably through the amended Data Protection Act 2018, also known as the ‘UK GDPR’. Since Brexit, the UK is now free to introduce new UK specific requirements in the field of privacy and data protection. This new data transfer development in the UK is a clear reflection thereof. Nonetheless, there is still a close resemblance and link with data transfer requirements under the EU GDPR. Curious to understand how these developments may impact your organization? In this blog I will set out how these new agreements may affect your organization when transferring personal data covered by the UK GDPR.

Many will be wondering how yet another development in the field of data transfers is possible. As we have seen over the past number of years, data transfers under privacy and data protection legislation have become an important compliance aspect for almost every organization handling personal data. With recent developments from supervisory authorities related to transfers in light of the use of Google Analytics, the activity around the use of Standard Contractual Clauses (SCCs) and performing Data Transfer Impact Assessments, I do not expect the topic of data transfers to become any less important in the near future. In fact, outside of the EU we are also seeing new data transfer requirements being introduced, such as under the new Chinese PIPL. For this blog, however, we will focus on recent developments in the UK.

The laying before UK Parliament of the new UK IDTA and the UK Addendum is the final step following the consultation the UK Information Commissioner’s Office (ICO) ran in light of these documents back in 2021. Provided no objections are raised before the 21 March 2022, the documents will enter into force on that date, thereafter definitively allowing UK data exporters to use the UK IDTA or the UK Addendum as a transfer tool under Article 46 UK GDPR.

How does this affect the current data transfer regime under the UK GDPR?

Very much similar to the data transfer requirements under Chapter V EU GDPR, the UK GDPR requires that transfers of personal data (within scope of the UK GDPR) to third countries outside of the UK are adequately safeguarded. Data transfers to third countries that have been awarded an adequacy decision by the UK, including the whole of the EU, are exempt from additional data transfer requirements.

For those third countries not granted an adequacy decision, the most used data transfer instrument remains the use of contractual clauses. Today, Paragraph 7 of Part 3 in Schedule 21 of the UK GDPR sets out transitional provisions allowing for the continued use by UK data exporters of the old EU SCCs, issued under the EU Data Protection Directive 95/46/EC, as an appropriate safeguard under Article 46(1) of the UK GDPR. In this respect, it is important to note here that the new EU SCCs introduced by the European Commission on 4 June 2021 were not recognized under the UK GDPR and as such cannot be used in the UK to safeguard data transfers. The introduction of the new UK International Data Transfer Agreement (IDTA), which in essence should be regarded as the new UK variant of the new EU SCCs, will replace these transitional provisions and disapply the use of the old EU SCCs in the UK.

In part to account for the large number of organizations already using the new EU SCCs to safeguard their data transfers out of the EU, the UK has also introduced the UK Addendum. With the UK Addendum, UK data exporters will be offered the option of solely relying on the new EU SCCs provided they complete, sign and attach the UK Addendum, thereby in effect applying the EU SCCs also to personal data covered by the UK GDPR. Essentially, EU SCCs with the UK Addendum attached will safeguard EU and UK data transfers under both Article 46 EU GDPR and Article 46 UK GDPR. For those (global) organizations, active in both the EU and the UK, that rely on the new EU SCCs today, the UK Addendum will be a welcome addition and most likely the preferred instrument to use.

Note that, in addition to the agreements referred to above, organizations are still required to assess whether or not an adequate level of protection is awarded in practice in the third country that the data are transferred to, in line with the European Court of Justice ruling in Schrems II. Currently, this obligations applies both under the EU GDPR and the UK GDPR.

What should you be doing today?

If you are processing personal data covered by the EU GDPR and/or the UK GDPR, it is likely that you will also be transferring (parts of) such personal data to third countries. It is key to identify those data transfers and to ensure that you comply with the applicable data transfer requirements. It goes without saying that this is something that organizations need to adhere to already today.

Yet, in light of the developments described above, we advise organizations to also implement the new UK data transfer requirements which, according to the ICO, can already be used today but formally are expected to enter into force on 21 March 2022.