International Personal Data Transfers: An Eventful Week
On 21 March 2022, the United Kingdom finalized the adoption of its own version of the European Union’s Standard Contractual Clauses (SCC), a contractual mechanism aiming at securing personal data protected under a data protection framework to third countries not deemed to offer an “adequate” level of data protection.
An updated document for transfers initiated under the UK General Data Protection Regulation (GDPR) was needed following the Schrems II decision, which occurred while the United Kingdom was still an EU member state and which the European Union fixed by adopting new versions of the SCC in June 2021 (see our alert here), but only after the United Kingdom had finalized Brexit.
The United Kingdom’s draft International Data Transfer Agreement (IDTA) and Addendum were laid before Parliament on 22 February 2022 and finally adopted on 21 March 2022 without changes. The IDTA is an equivalent contract to the SCC, but uses a tabular approach in place of the modules used by the SCC. The alternative instrument that was introduced, the Addendum, provides UK data exporters with a semi-seamless mechanism where they can leverage their existing SCC for transfers initiated under the EU GDPR.
The Addendum consists of a form effectively selecting the relevant options of the SCC and amending EU terminology and legal references to UK-specific ones. It is likely to be more widely used than the IDTA, particularly as data exporters with operations in both the United Kingdom and the European Union will look to reduce the number of contracts they need to enter into. Overall, the IDTA and the Addendum represent a narrowing in the divergence that had appeared recently in the differing safeguards required by the United Kingdom and the European Union for data exporters engaged in personal data transfers from their respective jurisdictions.
As a reminder:
Transfers between the European Union and the United Kingdom do not need any specific measures as per the adequacy decision currently in place (see our alert here)
All data transfer agreements under the EU GDPR based on the previous versions of the SCC will need to be migrated to the new SCC on or before 27 December 2022
All data transfer agreements under the UK GDPR executed on or before 21 September 2022 on the basis of any Transitional Standard Clauses (based on the previous versions of the SCC) will need to be migrated to an IDTA or Addendum on or before 21 March 2024
TRANSFER FROM THE EUROPEAN UNION TO THE UNITED STATES: EN ROUTE FOR SCHREMS III?
On 25 March 2022, European Commission President Ursula von der Leyen and United States President Joe Biden announced an “agreement in principle” on a new EU-U.S. data sharing system, expected to replace the Privacy Shield framework invalidated under the Court of Justice of the European Union’s (CJEU) Schrems II decision in 2020 (see our alert here).
As no draft of that “agreement” has been circulated, the existing grievances against U.S. intelligence agencies’ access to personal data protected under GDPR remain and concerns relating to ‘effective legal remedies’ available to individuals protected under GDPR will need to be addressed. Data activist Maximilian Schrems and his organization, noyb, already announced that they would closely monitor the development of this new framework and challenge any decision which would not abide by the CJEU’s 2020 Schrems II decision.
While such a political statement is encouraging for the future of international data transfers, this announcement should not be construed as relieving companies subject to GDPR’s territorial scope (see our alert here) from implementing adequate data transfer mechanisms until more concrete elements are adopted.
Such transfer mechanisms notably include:
A transfer impact assessment, analyzing the regulatory framework applicable to the destination country and any supplemental technical and organizational measures to be implemented to safeguard the transferred personal data from undue access
Implementation of a transfer mechanism, such as the SCC (see above) or adhesion to binding corporate rules, or to a code of conduct (see our alert here)