On 21 March 2022, the new UK agreements for so-called restricted transfers entered into force and can now be used by UK companies. In this article, we explain what options UK companies have, and in which circumstances further action is required.
What is a Restricted Transfer?
Following Brexit, data protection in the UK is governed by the UK General Data Protection Regulation (UK GDPR), which sets forth three conditions for a restricted transfer:
- the UK GDPR applies to the data that is to be transferred (usually due to the fact that the company processing the data is located in the UK),
- the company is sending personal data, or making it available, to a recipient to which the UK GDPR does not apply, e.g. as it is not located in the UK, and
- the recipient obtaining the data is a separate organisation.
In case of a restricted transfer (which in continental Europe would be called a third country transfer), the exporting company has to ensure there is an appropriate safeguard for the transfer in place. These safeguards aim at ensuring that after the transfer, personal data is afforded a level of protection essentially equivalent to that guaranteed in the UK.
For some countries, such as all EU Member States, Switzerland and Japan, UK companies can rely on adequacy regulations issued or approved by the UK data protection regulator, the Information Commissioner’s Office (ICO). In such cases, companies do not have to undertake any additional steps to ensure compliance of the transfer with data protection laws. However, for the vast majority of third countries other safeguards are necessary. In particular, companies can ensure an appropriate level of data protection by executing a legally binding agreement with the data recipient.
Why were New Transfer Mechanisms Adopted in the UK?
The ICO had not yet adopted any mechanisms for restricted transfers under the UK GDPR. Rather, UK companies were still using the old EU Standard Contractual Clauses (legacy SCCs), which were adopted by the European Commission in the 1990s and were valid at the time of Brexit.
In 2021, the ICO announced that it would publish its own set of agreements for restricted transfers. After public consultation, these documents have now entered into force. UK companies can now choose between the following two agreements for restricted transfers:
- International Data Transfer Agreement (the IDTA) and
- International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers (the Addendum).
Both documents take into account the judgment of the Court of Justice of the European Union in Schrems II, which remains valid in the UK as part of the retained EU law.
International Data Transfer Agreement
Like the SCCs under the GDPR, the IDTA is a standalone agreement that ensures appropriate protection of personal data in a third country. It covers all processing situations (transfers from a controller or a processor to a controller or a processor) and is content-wise relatively similar to the new EU SCCs. However, unlike the new EU SCCs, the IDTA does not incorporate a data processing agreement, meaning that for transfers to a processor, companies will still have to conclude a separate data processing agreement.
The IDTA comprises four parts:
- In Part 1, the parties to the IDTA have to complete the tables with details of the transfer. Among other information, they have to provide information on the companies involved, transfer details and security requirements (technical and organisational measures). Notably, parties also have to indicate how often they will review the security requirements.
- In Part 2, the parties can establish so-called extra protection clauses, which can be of technical, organisational or contractual nature. Given that before a transfer the exporter has to conduct a transfer risk assessment assessing the risks to the data following a restricted transfer, these clauses could provide for additional protection (supplemental measures) in case risks are identified during the transfer risk assessment.
- In Part 3, the parties may stipulate commercial clauses pertaining to the restricted transfer.
- Part 4 (mandatory clauses) is by far the longest one. It provides for rules on various topics ranging from the interpretation of the clauses to the required actions in case of a data breach. Part 4 may not be modified by the parties.
To reduce the administrative burden to the benefit of UK companies, Part 4 of the IDTA sets forth that should the ICO adopt an updated version of the IDTA, the IDTA executed between the parties will automatically be amended accordingly, without the parties having to take action.
Unlike the IDTA, the Addendum is not a standalone agreement but rather a complement to the new EU SCCs. In particular, it benefits companies transferring data from both the EU and the UK, as it eliminates the need to conclude two full separate agreements (the EU SCCs and the IDTA). Rather, by concluding the Addendum, data transfers from the UK will be governed by the EU SCCs referenced therein.
In such cases, the additional burden for the companies will be very limited: Besides detailing the information on the parties to the Addendum, the companies merely need to indicate which modules and clauses of the EU SCCs will apply and where the Annexes to the SCCs may be found.
The transition from the legacy SCCs to the new agreements (the IDTA and the Addendum) will be as follows:
- From 21 March 2022, companies may use the IDTA and the Addendum for restricted transfers.
- Companies may still enter into the legacy SCCs until 21 September 2022.
- After 21 September 2022, companies will be allowed to rely on already executed legacy SCCs until 21 March 2024, provided that the relevant processing activities remain unchanged and that the legacy SCCs provide for appropriate safeguards to the transferred data. From 21 March 2024 onwards UK companies may only rely on the IDTA and the Addendum.
Conclusion: Good News for UK Companies
The published agreements for restricted transfers give UK companies, and other companies that fall under the applicability of the UK GDPR, substantially more flexibility in executing restricted transfers. The legacy SCCs that they had to rely on until now neither reflect the rapid developments and increased complexity in data processing operations over the last 20 years, nor provide for suitable mechanisms for some constellations, such as transfers from processors to controllers.
It is particularly to be welcomed that the UK decided to adopt the Addendum. It gives companies transferring data from both the EU and the UK more flexibility in governing their data transfers, and considerably reduces the administrative burden on them.
UK companies are well advised to analyse the new agreements as soon as possible in order to be in a position to use them from 21 September 2022, at the latest. In the transition period, companies should conduct data mapping to identify their data transfers. Only by having up-to-date and complete information on third country data recipients, and the countries they are located in, will companies be able to successfully replace their legacy SCCs. Lastly, if they have not done so already, companies should conduct transfer risk assessments for all data transfers to countries not covered by an adequacy regulation.