July 4, 2022

Volume XII, Number 185


UK International Data Transfer Agreement and Addendum Laid Before Parliament

The UK data protection regulator, the Information Commissioner’s Office (the “ICO”), has finalised its new UK data transfer agreement and addendum to the new EU Standard Contractual Clauses (EU SCCs) following its consultation last year. From 21 March 2022 (subject to Parliamentary approval), organisations in the UK will be able to choose whether to use the ICO’s new International Data Transfer Agreement or the new EU SCCs with the Addendum. Use of the old EU Standard Contractual Clauses is permitted in the UK until 21 September 2022, and old EU SCCs entered into before that date will remain valid until 21 March 2024.

The ICO has announced that on 28 January 2022, the Department for Culture, Media and Sport laid the ICO’s new International Data Transfer Agreement (IDTA) and its addendum to the European Commission’s standard contractual clauses (Addendum) before the UK Parliament. These documents were accompanied by transitional provisions for the use of the current standard contractual clauses. This step follows the ICO’s consultation that ended on 11 October 2021.

If no objections are raised, these documents will come into force on 21 March 2022. The IDTA and Addendum replace the current EU standard contractual clauses, for use as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers from the UK. They are designed to take account of the “Schrems II” judgement by the European Court of Justice.

In its Transitional Provisions, the ICO states that:

“Contracts concluded on or before 21 September 2021 on the basis of any Transitional Standard Clauses [namely the old EU standard contractual clauses issued under European Commission Decision 2001/497/EC and European Commission Decision 2010/87/EU (“Old SCCs”)] shall continue to provide appropriate safeguards for the purpose of Art 46(1) of the UK GDPR until 21 March 2024, provided that the processing operations that are the subject matter of the contract remain unchanged and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.”

On the basis of this statement, Old SCCs entered into before 21 September 2021 would have continued to constitute adequate safeguards for data transfers outside the UK until 21 March 2024, whereas Old SCCs entered into between 21 September 2021 and 21 March 2022 would (subject to Parliamentary approval of the new documents) have required immediate replacement on 21 March 2022. Thankfully, the ICO has confirmed to us that the Transitional Provisions are intended to provide that Old SCCs entered into prior to 21 September 2022 will continue to provide adequate safeguards until 21 March 2024, giving organisations in the UK a grace period of 6 months before the new SCCs are required to be used.

New data transfer arrangements from 21 March 2022 will need to be governed by the new IDTA or the Addendum.

This will come as a welcome development for UK organisations, providing them with long-awaited certainty as to how to legitimise transfers of personal data to service providers and group companies located outside of the UK/EEA. The formal adoption of the Addendum will be particularly welcomed by those organisations with a presence in both the UK and EU, to help them to harmonise their adequacy measures, despite the effect of Brexit.

According to the ICO:

“The IDTA and Addendum form part of the wider UK package to assist international transfers. This includes independently supporting the Government’s approach to adequacy assessments of third countries.”

To view copies of the documents please follow the links below:

Hannah-Mei Grisley also contributed to this article.

© Copyright 2022 Squire Patton Boggs (US) LLP

National Law Review, Volume XII, Number 33

About this Author

Francesca Fellowes Data Privacy & Cybersecurity Attorney Squire Patton Boggs Leeds, UK
Director

Francesca Fellowes is a director in our Data Privacy & Cybersecurity team based in our Leeds office. She has a wealth of experience in advising on a wide spectrum of data privacy issues, including managing large-scale projects involving multiple data flows and advising on commercial arrangements involving complex issues of data ownership and use.

She is particularly experienced in managing cross-jurisdictional data privacy compliance projects for multinational clients, which deal with the compliance required throughout the client’s group, relating for example, to global HR...

44 113-284-7459