New requirements for international transfers of personal data outside the UK.

Monday 7th March, 2022

Background

Under the UK General Data Protection Regulation (UK GDPR), any business carrying out international transfers of “UK personal data” to countries outside the UK, which have not been granted an “adequacy decision” by the UK government, must put in place a data transfer mechanism, or rely on an exemption, to ensure the transfer is lawful.

The countries that currently have adequacy decisions from the UK government are:

  • the countries in the European Economic Area (EEA); and
  • Andorra, Argentina, Faroe Islands, Gibraltar, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.

There are also partial adequacy decisions in place for Canada and Japan.

By far the most common transfer mechanism used by businesses to date has been the European Commission’s standard contractual clauses (SCCs), which were incorporated into UK law following Brexit. However, the SCCs were always going to be an interim solution until the UK government created its own “post-Brexit” data transfer mechanism.

In August 2021, the UK Information Commissioner’s Office (ICO) published a draft International Data Transfer Agreement (IDTA) and an International Transfer Risk Assessment and Tool to replace the SCCs for transfers of “UK personal data” outside the UK, opening a consultation seeking feedback from organisations affected by international transfers.

On 2 February 2022, the Secretary of State laid the finalised IDTA and international data transfer addendum (the Addendum) before Parliament. Provided no objections are raised, they come into force on 22 March 2022.

The IDTA replaces the SCCs for transfers of “UK personal data” outside the UK. However, the SCCs continue to apply to transfers of “EEA personal data” outside the EEA. This would have caused challenges for businesses handling both UK and EEA personal data, as they would be required to enter into both the IDTA and the SCCs. Thankfully, the Addendum provides a neat solution: it can be signed as a bolt-on to the SCCs, allowing the SCCs to be used for both UK and EEA personal data transfers.

Next steps

Businesses should review and map their international data transfers as soon as possible and prepare to update their existing contracts from the SCCs to the IDTA and the Addendum as appropriate.

Whilst there are transitional provisions allowing UK businesses to use the SCCs until 21 September 2022, and an extended period to 21 March 2024 to transition existing contracts to the IDTA and the Addendum, we recommend businesses start taking steps toward the new regime now.

In addition, businesses should note that following the decision of the European Court in Schrems II in July 2020, there is also an obligation on them to risk assess their international transfers of personal data and satisfy themselves that the laws and practices of the data recipient’s country, as they apply to the data transferred, are compatible with the UK GDPR.

This can be a challenging task, and we are currently waiting for the ICO to publish the final version of its International Transfer Risk Assessment and Tool, which will support businesses in carrying out these risk assessments.


Articles by Chris Mooney