What is the UK International Data Transfer Agreement and What Are the Implications?

The Information Commissioner's Office (ICO) presented alterations regarding limited international transfers of personal data to Parliament on 2 February 2022, in accordance with GDPR principles. The international data transfer agreement (IDTA) and the UK Addendum to the existing standard contractual clauses (SCCs) issued by the European Commission are the subsequent measures taken to establish a transfer mechanism that ensures compliance with the UK GDPR, adhering to GDPR principles, when engaging in restricted transfers of personal data.

Background

Following the Brexit referendum, the General Data Protection Regulation (GDPR) was incorporated into UK law through the Data Protection Act (2018), with the parts pertaining to individuals in the UK referred to as the 'UK GDPR.' The UK officially exited the European Union on 31 January 2020 and entered into a transition period that lasted until 31 December 2020.

During the transition period, the Information Commissioner's Office (ICO) adopted the stance that transfers of personal data outside the UK could temporarily rely on the European Union's provisions for restricted transfers, specifically the EU standard contractual clauses (SCCs). In June 2021, the EU introduced updated SCCs, which many organizations have since adopted.

However, these updated SCCs were not directly included in the UK GDPR, as the ICO devised its own framework specifically for personal data transfers in the UK. This framework incorporates the ICO's own scheme for assessing whether the recipient country (referred to as the 'data importer') offers an 'adequate' level of protection for individuals' rights regarding the processing of their personal data in a third country, which encompasses countries outside both the UK and EU member states.

Why is this Needed?

The Court of Justice of the European Union (CJEU) issued a significant ruling, commonly referred to as Schrems II, on 16 July 2020, regarding the adequacy of existing safeguards such as the EU-US Privacy Shield and previous EU standard contractual clauses (SCCs) used for safeguarding transfers of personal data to the United States and other non-EU countries. As a result of this ruling, the Privacy Shield scheme was deemed illegal, and the EU SCCs were promptly revised with the addition of supplementary arrangements. This judgment compelled organizations throughout the UK and EU to carefully assess their mechanisms for conducting restricted data transfers, not only to the United States but also to any third country lacking an 'adequacy' decision.

The ICO defines a transfer as being restricted if:

The personal data being transferred falls under the purview of the UK GDPR. The data exporter is transmitting or providing access to the data to a data receiver/importer that is not subject to the jurisdiction of the UK GDPR. The importer is an independent entity or individual, which may include another organization within the same corporate group.

What’s Changing?

From 21 September 2022 onwards, organizations that process personal data in the UK must utilize the international data transfer agreement (IDTA) or the UK Addendum when establishing new arrangements for transfers that fall under the scope of the UK GDPR. Moreover, any existing transfer agreements based on the previous EU standard contractual clauses (SCCs) for transfers out of the UK must be replaced by 21 March 2024.

EU-based organizations, on the other hand, have a much tighter timeframe and must transition their data transfer arrangements to the new EU SCCs by 27 December 2022.

It is important to highlight that the IDTA and UK Addendum solely serve to validate restricted international transfers and do not encompass the controller to processor clauses outlined in the UK GDPR and Article 28 of the EU GDPR. These clauses must be included in a separate commercial agreement or contract governing the processing and referenced within the IDTA.

Implications and Next Steps

Here are some recommendations for addressing the mentioned requirements, ensuring GDPR compliance:

1. Review and update intracompany agreements: Assess and update any existing transfer agreements within your organization, such as those between UK and US entities, to align with either the IDTA or the 'new' (2021) EU SCCs along with the UK Addendum, in accordance with GDPR compliance.

2. Conduct or review personal data transfer risk assessments: Perform transfer risk assessments (TRAs) for both existing and potential new restricted transfers, following GDPR compliance. Evaluate the risks associated with the transfers and identify appropriate safeguards or measures to ensure data protection, as per GDPR compliance requirements.

3. Review data sharing agreements with suppliers: Examine agreements with suppliers to determine if SCCs are already included or if they should be incorporated into the data sharing agreements, adhering to GDPR compliance. Update the agreements to include either the IDTA or the 'new' EU SCCs and UK Addendum, as applicable, in line with GDPR compliance.

4. Implement a law enforcement request policy: Develop a policy that outlines how your organization, and its suppliers if relevant, will respond to law enforcement requests for the disclosure of personal data, ensuring GDPR compliance. This policy should provide guidelines on the appropriate handling of such requests while ensuring compliance with applicable laws and regulations, in accordance with GDPR compliance requirements.

By following these recommendations, your organization can proactively address the requirements related to intracompany agreements, transfer risk assessments, data sharing agreements with suppliers, and law enforcement request policies, while maintaining GDPR compliance.