December 3, 2022

Volume XII, Number 337


December 02, 2022

Subscribe to Latest Legal News and Analysis

December 01, 2022

Subscribe to Latest Legal News and Analysis

Deadline to Update New EU Standard Contractual Clauses Is Approaching

Businesses should update their existing contractual agreements to the new SCCs by 27 December 2022. It would be sensible to have a data privacy lawyer review any cross-border personal data transfers.

The New Standard Contractual Clauses

As you may recall from our previous advisory, "The European Commission Implements New Standard Contractual Clauses" (which you can read here), existing data sharing contracts that include the old standard contractual clauses ("SCCs") will only remain valid until 27 December 2022. By this date, these contracts must be updated to incorporate the new SCCs that were adopted on 4 June 2021 by the European Commission.

The SCCs can be used as an appropriate safeguard when transferring personal data of UK or EU data subjects to third countries, if a Data Transfer Impact Assessment ("DTIA") has been carried out. A DTIA involves conducting an analysis to determine whether the privacy protections afforded by the proposed third country to which the personal data is being transferred meets EU/UK standards. The DTIA must be carried out before the transfer of personal data occurs.

New UK Requirements for International Data Transfer Requirements: IDTA and the Addendum

Following Brexit, the new EU SCCs are not valid as a transfer mechanism under the UK General Data Protection Regulation ("GDPR").

On 2 February 2022, the UK Information Commissioner's Office adopted: (i) the International Data Transfer Addendum to the European Commission's Standard Contractual Clauses for International Data Transfers (the "UK Addendum"), which is to be appended to the new EU SCCs to satisfy legal requirements for making personal data transfers from the UK to third countries; and (ii) the International Data Transfer Agreement ("IDTA"), which is a stand-alone agreement that can be used when transfers of personal data are occurring from the UK to third countries and the SCCs are not being used.

From 21 September 2022, all new agreements that govern the transfer of personal data subject to an appropriate safeguard must use either the UK Addendum alongside the SCCs, or the IDTA. All existing agreements relating to UK personal data transfers will remain valid until 21 March 2024, at which point the existing agreements including the old EU SCCs must be replaced with the IDTA or the Addendum.

Please also note, the requirement to carry out a DTIA is also applicable under UK law.

Action Points

  1. Deadline – 21 September 2022 – Ensure all new data transfer agreements append the UK Addendum or IDTA.

  2. Deadline – 27 December 2022 – Update all contracts appending old SCCs.

  3. Deadline  21 March 2024 – Ensure all existing agreements append the UK Addendum or IDTA.

  4. Deadlines as above – Ensure all actions above are accompanied by an up-to-date DTIA.

Nicole Akinyemi also contributed to this article.

©2022 Katten Muchin Rosenman LLPNational Law Review, Volume XII, Number 251

About this Author

Christopher Hitchins, Katten Muchin London UK, investment documentation attorney, labor disputes management lawyer

Christopher Hitchins focuses his practice on the full range of employment law issues, acting for employers or senior individuals in a wide range of sectors, with a particular focus on the financial services, technology, hotel, retail and media industries.

Chris advises on all contentious and non-contentious UK employment law matters. He has significant experience advising on senior executive employment, partnership and investment documentation, managing disputes and exits as well as team moves, advising businesses on restructurings involving the...

44 (0) 20 7776 7663
Trisha Sircar Privacy, Data and Cybersecurity Attorney Katten Muchin Rosenman New York, NY

The value of data as an asset has increased substantially in today's global digital economy. In the high-stakes environment of global intellectual property and technology services, businesses, consumers and individuals need protection. With more than a decade of experience in helping to protect a wide range of businesses — including one of the world's largest insurance companies — Privacy, Data and Cybersecurity partner Trisha Sircar provides practical guidance and creative solutions regarding global privacy and data security risks and compliance issues.

Operating at the...

Sarah Simpson, Katten Law Firm, London, Intellectual Property Attorney

Sarah Simpson is an associate at Katten Muchin Rosenman UK LLP. Sarah practices commercial and intellectual property law, with a particular focus on EU and UK trademarks, brand protection, copyright, design rights, data protection, commercial contracts, regulatory and general commercial matters. She has experience of advising clients in the fashion, fashion-technology, luxury brands, retail, consumer goods, financial technology and education sectors. Sarah advises both local and international clients.

Tegan Miller-McCormack Intellectual Property Lawyer Katten

Tegan Miller-McCormack helps both UK and international clients in matters of intellectual property, general commercial and data protection law. She has previous experience working for a globally renowned luxury fashion brand and is able to channel the knowledge and experience gained into delivering commercially focused counsel for her clients.

A wide range of intellectual property experience

Tegan's clients work in the fashion and luxury brands, social media, retail, hospitality, financial services and telecoms industries. She also contributes to the firm's fashion...

+44 (0) 20 7770 5247
Jose L. Basabe New York City Cybersecurity Attorney Katten

Jose Basabe is an Associate at Katten's New York City office. He advises clients across all industries, including financial services, retail, manufacturing, new and emerging technology and cryptocurrencies. Jose counsels clients on the intersectionality of the law with privacy and cybersecurity practices. Jose also advises clients on operating in accordance with current and anticipated privacy and data security laws, including but not limited to, the California Consumer Privacy Act (CCPA), the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the...