UK International Data Transfer Agreement

On February 2, 2022, the Information Commissioner's Office (ICO) introduced changes regarding restricted international personal data transfers under the UK General Data Protection Regulation (UK GDPR). These changes introduced the International Data Transfer Agreement (IDTA) and the UK Addendum to the European Commission's standard contractual clauses (SCCs).

The IDTA and the UK Addendum to SCCs are designed to give organizations transfer tools that comply with the UK GDPR when conducting restricted transfers of personal data. These tools establish a legal framework and safeguards for the transfer of personal data from the UK to countries outside the UK and the European Economic Area (EEA).

The IDTA is an agreement that organizations can use as a transfer mechanism for restricted transfers of personal data to countries that have not received an adequacy decision from the UK government. It includes contractual clauses and commitments intended to protect personal data during the transfer process, in line with GDPR principles.

The UK Addendum to SCCs is an additional document that can be appended to the existing European Commission's SCCs. It addresses specific requirements under the UK GDPR and supplements the SCCs to ensure compliance with UK data protection law.

These transfer tools provide organizations with a legal basis for transferring personal data internationally while meeting the requirements of the UK GDPR and upholding GDPR principles. They offer a structured approach to data transfers and help ensure the protection of individuals' rights and freedoms regarding their personal data.

Organizations should familiarize themselves with these transfer tools, assess their data transfer practices, and implement appropriate mechanisms to comply with the UK GDPR's requirements for restricted international transfers of personal data.

Background

Following the UK's departure from the European Union on January 31, 2020, the EU General Data Protection Regulation (EU GDPR) was incorporated into UK law through the Data Protection Act 2018, and is known as the "UK GDPR." During the transition period, which lasted until December 31, 2020, the Information Commissioner's Office (ICO) allowed transfers of personal data outside the UK to rely on the EU provisions for restricted transfers, specifically the EU Standard Contractual Clauses (SCCs).

However, the EU has since updated the SCCs, and these updated clauses have not been directly incorporated into the UK GDPR. Instead, the ICO is developing its own framework for personal data transfers outside the UK. This framework includes the ICO's own scheme for assessing whether a recipient country (data importer) offers an "adequate" level of protection for individuals' rights regarding the processing of their personal data in that country.

The ICO's framework aims to provide clarity and guidance to organizations regarding international data transfers post-Brexit. It will outline the criteria for determining whether a particular country ensures an adequate level of data protection. This approach aligns with the UK's sovereignty over data protection matters and allows the ICO to establish its own adequacy decisions for data transfers outside the UK.

Organizations operating in the UK will need to stay informed about the ICO's framework for international data transfers and ensure compliance with any requirements set forth by the ICO. This will involve assessing the adequacy of data protection in third countries and implementing appropriate safeguards, such as the ICO's approved transfer mechanisms, to ensure the protection of personal data during international transfers.

Why is this Needed?

The Schrems II judgment by the Court of Justice of the European Union (CJEU) in July 2020 had significant implications for data transfers, not only to the United States but to any country that does not have an "adequacy" decision from the European Commission.

Following the Schrems II ruling, the Privacy Shield framework, which had been designed to facilitate data transfers between the EU and the US, was deemed inadequate and invalidated. The previous version of the EU Standard Contractual Clauses (SCCs) was also called into question as to whether it ensured adequate protection for personal data transferred to third countries.

In response, the EU updated the SCCs to align with the requirements set forth in the Schrems II judgment. These updated SCCs provide more robust safeguards and address the concerns raised by the CJEU regarding the protection of personal data during international transfers. Many organizations have adopted these updated SCCs as a transfer mechanism to ensure compliance with EU data protection requirements.

However, it's important to note that the UK GDPR, which incorporated the EU GDPR into UK law, did not automatically include the updated SCCs. The Information Commissioner's Office (ICO) in the UK is developing its own framework for personal data transfers to third countries. This framework will include the ICO's own assessment of whether a recipient country offers an "adequate" level of data protection.

Until the ICO's framework is finalized, organizations in the UK and EU must carefully consider their data transfer arrangements, not only to the US but to any non-adequate countries. They need to assess the legal mechanisms available for ensuring an adequate level of protection, such as the updated SCCs, and implement appropriate safeguards to protect personal data during international transfers. Compliance with data protection requirements and maintaining data privacy remains a crucial consideration for organizations engaged in cross-border data transfers.

What’s Changing?

As of 21 September 2022, organizations processing UK personal data must use the International Data Transfer Agreement (IDTA) or the UK Addendum for new transfer arrangements subject to the UK GDPR. This means that any new transfers of UK personal data to third countries must rely on the IDTA or include the UK Addendum to comply with data protection regulations.

For existing arrangements based on the old EU Standard Contractual Clauses (SCCs) for UK transfers, organizations have until 21 March 2024 to replace them with the IDTA or the UK Addendum.

On the other hand, EU organizations that need to transition their data transfer arrangements for EU data to the new EU SCCs have a shorter timeline. They must complete the transition and adopt the new EU SCCs by 27 December 2022.

It's important to highlight that the IDTA and UK Addendum are specifically designed to legitimize restricted international data transfers under the UK GDPR. They do not encompass the controller-to-processor clauses defined in Article 28 of the UK GDPR and EU GDPR. Those clauses, which govern the processing of personal data by a processor, are expected to be included in a separate commercial agreement or contract covering the processing activities, or referenced within the IDTA.

Organizations should ensure they are aware of these timelines and requirements to comply with the appropriate data transfer mechanisms and maintain lawful international data transfers while protecting the rights and privacy of individuals' personal data.

Implications and Next Steps

To ensure compliance with the new requirements for international data transfers, organizations should consider the following actions:

  1. Review and update intracompany agreements: If there are transfer agreements within your organization, such as transfers from UK entities to US entities, these agreements need to be reviewed and updated. They should be modified to utilize either the International Data Transfer Agreement (IDTA) or the "new" EU Standard Contractual Clauses (SCCs) along with the UK Addendum. Seeking data protection consulting can provide valuable guidance in this process.

  2. Conduct or review personal data transfer risk assessments: It is important to perform transfer risk assessments (TRAs) for existing and potential new restricted transfers. These assessments help identify the risks associated with transferring personal data and enable organizations to implement appropriate safeguards. Refer to URM's previous blog or guidance to understand when and why TRAs should be carried out. Data protection consulting services can assist in conducting comprehensive risk assessments.

  3. Review data sharing agreements with suppliers: Organizations should review their agreements with suppliers to determine if SCCs are already included or should be included within the data sharing agreements. If SCCs are already part of the agreements, they should be updated to incorporate either the IDTA or the "new" EU SCCs along with the UK Addendum, depending on the applicable regulations. Data protection consulting experts can provide guidance on drafting and updating data sharing agreements.

  4. Implement a law enforcement request policy: If your organization has entities in jurisdictions where law enforcement can issue subpoenas or warrants for the disclosure of personal data, it is advisable to develop a policy outlining how these requests will be handled. This policy should define the procedures and considerations for responding to such requests while ensuring compliance with applicable data protection laws. Data protection consulting professionals can assist in creating effective law enforcement request policies.

By taking these actions and consulting with data protection experts, organizations can ensure that their international data transfers are in line with the latest regulatory requirements and protect individuals' personal data during the transfer process. It is important to seek legal advice or consult relevant regulatory authorities to ensure compliance with specific obligations and requirements.