iOn 2 February 2022, the UK Information Commissioner’s Office (ICO) published the final form of its much-anticipated new International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses.
The IDTA, EU Addendum, and transitional provisions will now lay before Parliament and (unless objectives are raised, which is unlikely) become effective on 21 March 2022. Once effective, the IDTA and EU Addendum will replace the previous EU Standard Contractual Clauses (EU SCCs) and constitute the United Kingdom’s version of the EU SCCs.
Key takeaway points for employers include the following:
-
Provided that no objections are raised by Parliament, the IDTA and EU Addendum will become effective on 21 March 2022.
-
Any contracts entered into on or before 21 September 2021 on the basis of the “old” SCCs will continue to provide appropriate safeguards for the purposes of the UK General Data Protection Regulation (GDPR) until 21 March 2024.
-
From 21 March 2024, if an employer’s restricted transfers continue, the employer may make a restricted transfer under the UK GDPR by:
-
entering into a contract on the basis of the IDTA;
-
the EU Addendum (where EU SCCs are already in place, the EU Addendum may be annexed to the EU SCCs in order to satisfy the requirements of the UK GDPR);
-
if the receiver is located in a third country or territory or is an international organisation, its coverage by UK “adequacy regulations” (see list of covered countries and territories).
-
Conducting a transfer risk assessment (TRA) continues to be a requirement in the United Kingdom, as it is in the European Union. A TRA is required to make sure that the actual protection provided by the IDTA or EU Addendum, given the actual circumstances of the restricted transfer, is sufficiently similar to the principles underpinning UK data protection laws.
