Following a consultation exercise last year, the new UK International Data Transfer Agreement and EU SCC Addendum have been laid before Parliament for approval. Once approved the IDTA will replace the old EU Standard Contractual Clauses for transfers of personal data outside the UK. In this update we summarise what you need to know about the IDTA and what you need to do to prepare.
What is the IDTA?
The IDTA is a new UK transfer tool under Article 46 of UK GDPR for transfers of personal data to countries outside the UK that are not subject to a finding of adequacy.
The IDTA will replace the current EU (old) Standard Contractual Clauses, which have been in force for many years. As with the new EU Standard Contractual Clauses (SCCs), the IDTA introduces updates to reflect the changes to data protection law under GDPR.
The IDTA also addresses, in part, some of the consequences of the European Court of Justice's decision in Schrems II. For a summary of the Schrems II decision, its impact on exporters and the need to undertake transfer risk assessments on data transfers, read our summary.
The format of the IDTA is quite different to the SCCs, with a series of tables or options to be populated together with a set of standard clauses. These are much more detailed than the old EU SCCs, and enable the exporter to include detailed controls over things like onward transfers and review dates. Where the IDTA supplements a commercial contract (a "Linked Agreement"), that contract can be used to document some of the information and manage changes.
Reflecting the different legal systems within the UK, the parties can select which UK governing law applies and which courts have jurisdiction. However, the optional arbitration process must be conducted under the LCIA rules, with the seat of the arbitration being London (and therefore English law applying the arbitration process). It is unclear why the IDTA is prescriptive on this point, given that the LCIA rules provide parties with flexibility to choose the seat of the arbitration.
As with the new EU SCCs, there is a single document for all transfer relationships, rather than separate tools for controller to controller, controller to processor and processor to sub-processor transfers.
The ICO is aware that many organisations will enter into transfers that involve both EU/EEA and UK entities. To avoid the need for multiple transfer tools, the ICO has also approved for the purposes of Article 46 a UK addendum to the EU SCCs. This bolts on some UK specific provisions, simplifying the contractual process.
When do the IDTA and EU SCC Addendum come into force?
Assuming there are no objections during the parliamentary process, the IDTA and EU SCC Addendum come into force on 21 March 2022. However, the ICO says that the new transfer tools are "immediately of use", indicating that organisations can start using them now.
Are there transitional arrangements for existing contracts?
There is a transitional period until 21 March 2024 for contracts entered into prior to 21 September 2022. However this applies only where there is no change to the processing operations and that existing contract ensures "adequate safeguards" (ie it satisfies the requirements of Schrems II).
[Update (1/2/21): the transitional arrangements as published refer to contracts entered into prior to 21 September 2021, which would mean that contracts entered into after that date but prior to the new transfer tools coming into force would not have been subject to the transitional arrangements. We are told by the ICO that this is an error and is being corrected.]
When will the ICO's Transfer Risk Assessment guidance be finalised?
The ICO has said that it is finalising its guidance following last year's consultation process and that this will be published soon.
What should we be doing to prepare?
Organisations should think about their approach to data transfers for new processing arrangements. This includes not just updating styles and templates to use the IDTA or EU SCC Addendum, but also their approach to transfer risk assessments.
While we will need to wait until the ICO's guidance is finalised, organisations should already be carrying out transfer risk assessments following the Schrems II decision. Template questionnaires and whitelists can be used to simplify the process, which can then be used to help organisations assess the risk of the proposed transfer.
If your organisation transfers data from both the UK and the EU/EEA, then consider how you can simplify the process of complying with both the ICO's guidance and that of the European Data Protection Board.
For legacy contracts, organisations will need to identify:
- What contracts are in place, what personal data is transferred, the exporting country (UK and/or EU/EEA) and the destination
- What transfer tool is currently used (eg the old EU SCCs or the new EU SCCs)
- Whether the contract was entered into prior to 21 September 2021 (in which case the transitional period applies) or after that date
- If the contract is potentially in scope for the transitional period, whether adequate safeguards are in place
Once this information has been gathered, organisations can then develop a strategy for carrying out TRAs and putting in place the necessary transfer tools and any supplementary measures.
Organisations that use Brodies' BOrganised contract management platform can use BOrganised to quickly find their contracts that involve data transfers.
In addition to considering supply chain processing by suppliers and service providers, corporate groups will also need to review their intragroup IT and data sharing arrangements.
While many large vendors will likely be on the front foot in rolling out the new IDTA or the EU SCC Addendum to simplify the contracting process, organisations should be wary of simply signing these documents without ensuring that they have undertaken and documented their transfer risk assessment and reviewing the content of the tables in relation to things like permitted processing and onward transfers.
If you are an organisation outside the UK that receives personal data from the UK then you will need to become familiar with the IDTA and the ICO's guidance on transfer risk assessments so that you can respond to requests from exporters in the UK.
More information
You can view the new IDTA and EU SCC Addendum on the ICO website.
If you would like to see what has changed between the version of the IDTA issued for consultation and the version that has been laid before Parliament, you can download this comparison.
We will be running a webinar on the finalised IDTA, EU SCC Addendum and ICO guidance once the ICO has published its guidance. In the meantime, if you would like to discuss the new transfer tools or your organisation's data transfer strategy, please get in touch with Martin Sloan or Grant Campbell.
Contributors
Partner
Partner
