International Data Transfer Agreements
Earlier this year, the UK Information Commissioner’s Office (“ICO”) published new standard documents to allow for transfers of personal data to destinations outside the UK and the European Economic Area (“Third Countries”). This followed the EU updating its own corresponding framework last year (which cannot be used in the UK post-Brexit).
Historically, the most common way to legally justify transfers of personal data from the UK to Third Countries has arguably been for the sharing party (“data exporter”) to enter into a written agreement with the recipient (“data importer”) based on the European Commission’s Standard Contractual Clauses (“SCCs”). These were standard form documents that allowed for international transfers of personal data by legally requiring that the data importer had in place appropriate data security measures and guaranteed the rights and remedies of affected individuals. Following Brexit, data exporters in the UK could continue to rely on the old SCCs for international transfers of data on a short-term basis pending the ICO’s confirmation of the new UK-specific alternative.
On 4 June 2021 the European Commission updated its SCCs and, as the UK had already left the EU by that point, those updated SCCs cannot be used by UK data exporters. The UK (after a consultation last year) has since published its own documents to allow for international personal data transfers from the UK. The ICO provides for two new alternative methods that can be used to document such data transfers.
Data exporters in the UK who may previously have relied upon the old EU SCCs can now enter into one of two documents with the data importer: either an International Data Transfer Agreement or an International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers. Both documents are available in standard format from the ICO’s website and can be completed to fit the relationship between the data exporter and importer depending on whether the parties are acting as a data controller or data processor. Both documents are set out principally in a table format, with the information to be completed within the tables at the beginning of the relevant document.
International Data Transfer Agreement (“IDTA”)
The IDTA is a new and separate document from the EU SCCs. The tables ask certain questions such as the duration of the agreement, whether any special category personal data is to be transferred and what security measures the data importer is required to have in place. They also include fields for recording other related clauses.
The IDTA does not, however, include space for recording specific instructions for data processing (which are required under UK GDPR for data processing agreements). Therefore, if the data importer is a processor or sub-processor of the data exporter, the parties must also put in place a ‘linked agreement’ which (as a minimum) covers any compliance requirements of UK GDPR which are ‘missing’ from the IDTA. This means that relying on the IDTA alone is not possible for data processing agreements (which potentially makes it a less attractive option for such agreements).
International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (“the Addendum”)
The Addendum is the alternative to the IDTA, and it effectively takes the text of the new EU SCCs and adapts the EU SCCs to work under UK data protection law.
The Addendum has (like the EU SCCs) certain optional clauses for the parties to either retain or delete and specific Annexes to be completed that allow the parties to set out the scope of their data sharing activities (including data processing instructions). As with the IDTA, the ICO has created one form of Addendum for all types of data sharing arrangements and requires the parties to choose a specific ‘module’ which in practice confirms how the EU SCC clauses are to be applied to the arrangement (e.g. controller-to-processor transfers are ‘module two’).
Should data exporters use the IDTA or the Addendum?
Whether a data exporter uses the IDTA or Addendum in any given case will to a significant degree come down to the preferences of the parties. However, some practical factors for data exporters to consider are (i) whether a separate data processing agreement in compliance with UK GDPR would otherwise be required (in which case the Addendum may be the more convenient option) and (ii) whether the importer has any other activities involving the EU that mean it may already have experience of (and therefore prefer the familiarity of) the EU SCCs, potentially making it quicker in practice for them to agree the Addendum (rather than the IDTA).
Timescales for implementation by UK data exporters
With effect from 22 September 2022, any data exporter seeking to justify the transfer of personal data from the UK to a Third Country in reliance on a set of approved model clauses must do so using the IDTA or the Addendum. Therefore, any new such agreements must incorporate either the IDTA or the Addendum.
Any such agreements that were already in place as at 21 September 2021 and are based on the old EU SCCs can continue to rely on the SCCs for a further limited period. However, any such agreements which continue beyond 21 March 2024 must by that point be amended so as to replace the old EU SCCs with either the IDTA or the Addendum.
Please do not hesitate to contact the data protection team at Rollits if you are looking to legally document any international transfers of personal data to a destination outside the UK and EEA, or if you require any assistance in updating any existing such arrangements to incorporate one of the new approved UK alternatives.