April.04.2022
Update: United Kingdom (UK) international data transfer agreement and UK addendum to the EU standard contractual clauses now in force.
In February, the Information Commissioner’s Office (“ICO”), the data protection authority (“DPA”) in the UK, published three new documents ("UK Documents") which update the UK's position on data transfers outside of the UK:
The UK Documents were published following a consultation on the UK's approach to international data transfers which took place between 11 August and 11 October 2021. The UK Documents have now been approved by the UK Parliament and officially came into force on 21 March 2022.
The IDTA and Addendum replace the current UK standard contractual clauses for international data transfers – i.e., the "old" set of EU standard contractual clauses, based on the former EU Data Protection Directive, as amended to refer to both UK legislation and data transfers outside of the UK (the "UK tweaks").
The IDTA is a full-form standalone agreement, like the EU SCCs. The Addendum, on the other hand, acts as an alternative to the longer form IDTA. The Addendum is nine pages long and amends the new EU SCCs so that they can be used to make international transfers of personal data from the UK.
Like the new EU SCCs, the IDTA places extensive contractual obligations on both importers and exporters of personal data, including obligations which take into account the European Court of Justice ("CJEU") decision in Schrems II (e.g., the importer providing the exporter with information regarding local laws and practices before it receives the transfer, and obligations on the importer where it receives access requests from public authorities).
The "transitional provisions" are discussed below, at Question 4.
The IDTA is shorter than the new EU SCCs, and its language is more "user friendly" than that of its European counterpart.
In contrast to the EU SCCs, the IDTA does not follow a "modular" format. As such, it does not contain a direct equivalent of "Module Two" or "Module Three" of the new EU SCCs (i.e., for controller to processor transfers, and processor to sub-processor transfers, respectively) and therefore the IDTA does not incorporate the Article 28 "processor obligations" of the UK General Data Protection Regulation (“UK GDPR”). Instead, the IDTA deals with this through the concept of a "linked agreement". The "linked agreement" will contain those terms instead. If the importer is a processor or a sub-processor, a "linked agreement" must be in place to support the IDTA. There are some additional subtle differences between the IDTA and the new EU SCCs. For example, in the IDTA, parties have the ability to resolve disputes through arbitration and in both the IDTA and the Addendum there are additional termination provisions.
Additionally, unlike the new EU SCCs, the IDTA covers transfers to organisations located in third countries that are caught by the extra-territorial scope of Article 3 of UK GDPR. There was initially some confusion on the continent, as Recital 7 of the new EU SCCs suggests that organisations caught by Article 3 of the EU GDPR didn't need to put the new EU SCCs in place, given that those organisations are required to comply with the EU GDPR. The European Data Protection Board (“EDPB”) has since clarified that organisations would need to implement standard contractual clauses or rely on other legal justifications under Chapter V of the EU GDPR with such organisations, regardless of the extra-territorial application of the EU GDPR. The European Commission ("Commission") is preparing a new set of standard contractual clauses to cover these specific transfers.
The position in the UK is slightly simpler than on the continent because the IDTA does not require additional clauses. However, because the Addendum amends the EU SCCs (which don't cover these specific transfers), it may need to be further updated by the ICO to reflect UK-specific changes to the Commission's new set of standard contractual clauses, or a different UK addendum altogether might be produced. We expect the ICO to clarify this in due course.
As the UK has left the EU, businesses that operate in both the UK and the EU need to ensure they are compliant with Chapter V (transfers of personal data to third countries) of both the EU GDPR and the UK GDPR.
We don't yet know the EU Commission's thoughts on the IDTA or the Addendum (and whether this may ultimately affect the UK's delicate positive adequacy decision). As such, there is no equivalent "EU addendum" (i.e., approving the use of the IDTA with amendments to make it work for international data transfers from the EU). As such, for organisations with global intragroup and third-party vendor data flows, it may make sense to simply use the new EU SCCs with the Addendum. This is a less labour intensive (and less costly) option than using the IDTA.
To make life easier, organisations may wish to incorporate the IDTA, or the Addendum, by reference. There is an "alternative" provision at the back end of both the IDTA and the Addendum which defines "Mandatory Clauses". The definition differs depending on whether the IDTA or the Addendum is used. The "Mandatory Clauses" enable the incorporation of the IDTA or the Addendum easily by reference. However, importantly, like the new EU SCCs the information in the IDTA or the Addendum must be included somewhere in the agreement (e.g., party details and information about the nature of the transfers taking place).
The IDTA and the Addendum came into force on 21 March 2022 and can be used by organisations transferring personal data outside of the UK.
The ICO has confirmed in the "transitional provisions" that organisations that entered into the "old" EU SCCs with the UK tweaks, on or before 21 September 2022, will be a valid means of making international data transfers until 21 March 2024. This is assuming that the processing operations remain unchanged during that time. The IDTA or the Addendum must be entered into if the processing operations change, or by 21 March 2024, whichever occurs first.
This "grace period" is similar to that which was offered by the EU Commission for organisations relying upon the "old" EU SCCs for international data transfers outside of the EU. As a reminder, organisations can no longer enter into the "old" EU SCCs (the cut off was 27 September 2021) but can rely upon the "old" EU SCCs entered into before that date (again, assuming the processing operations don't change) until 27 December 2022.
We are waiting on additional guidance from the ICO in respect of the following:
We anticipate that these will be published soon, so watch this space.
It is important to remember that whilst the UK has left the EU, the CJEU judgment in Schrems II remains good law in the UK
As such, any organisation making a transfer personal of data from the UK must be able to demonstrate that the personal data subject to the transfer is afforded "essentially equivalent" protection from which it benefits under the UK GDPR.
The ICO has not yet produced its own guidance on TRAs (in the EU, these assessments are more commonly referred to as Transfer Impact Assessments or "TIAs", but the ICO confirms that the EDPB's "recommendations" remain a "useful reference about additional measures". So, for the time being, organisations making personal data transfers from the UK still need to rely upon the EDPB "recommendations" to conduct TRAs.
International Transfers Stay in the Focus of Regulators
At a European level, international data transfers and the fallout from Schrems II remains the hot topic in privacy law. The Austrian DPA's recent Google Analytics decision is clear evidence of that. The head of the Austrian DPA, Andrea Jelinek, is also currently the chairperson of the EDPB, which strongly suggests that the decision will influence a Europe-wide approach reflecting the Austrian DPA's decision. The French DPA, CNIL, has already issued a similar decision in relation to an unknown French website manager. Recent statements from the Danish and Norwegian DPAs indicate that they will take a similar view.
There are circa 100 outstanding complaints (of the 101 complaints issued by Max Schrems' not-for-profit privacy advocate group, None of Your Business) in relation to the use of Google Analytics which are still being considered by other EU countries. Given the similarities between the UK and EU approach to data protection, an educated guess would suggest that the ICO will take a similar view that of its European counterparts
You can find out more about the Austrian DPA's decision about Google Analytics here.
On 25 March, the EU announced an "agreement in principle" with the US on a new "Trans-Atlantic Data Privacy Framework" ("Framework"). The Framework is intended to replace the Privacy Shield (which was struck down in the Schrems II decision) and, notably, provides for a redress system to investigate and resolve complaints of EU data subjects whose data has been accessed by US intelligence authorities. You can find the press release here, accompanied by a short-form fact sheet which outlines the key principles and intended benefits of the Framework. However, there are no legal documents yet. This is merely an "agreement in principle" and carries no legal weight for the time being.
As the UK is no longer part of the EU, any legal documentation resulting from the Framework will not apply under the UK GDPR. However, the UK is free to determine its own "adequacy decisions" in respect of international data transfers and we know that the US is a priority "data adequacy partnership" jurisdiction for the UK Government. In December 2021, the UK and the US issued a joint statement reiterating the UK and US' commitment to deepening the UK-US data partnership. So, we will wait to see how the Framework plays out in the UK.
Therefore, for the time being, the position in respect of transfers from the EU and the UK, to the US, remains the same, i.e.:
In short, the ICO has published pragmatic advice on the UK position in relation to international data transfers. We await further guidance on how the ICO expects the IDTA and the Addendum to be used in practice and additional clarifications from the ICO on "restricted transfers" generally. Separately, organisations should remain alert for developments in respect of the Framework, and wait to see how this plays out in the UK, given the strong regulatory focus on data transfers to the US and the UK's intention to strengthen its data partnership with the US.