International Data Transfers: new versions of UK’s Standard Contractual Clauses come into force

On 21 March 2022, new versions of the UK’s Standard Contractual Clauses (“SCCs”) came into force in order to comply with requirements for transferring data outside the UK. 

Background

The UK GDPR has strict rules around transferring data to countries outside the UK (known as “third countries”). Data transfers to third countries that do not provide an adequate level of protection are restricted. One way to ensure compliance with data protection rules is to use one of the appropriate safeguard mechanisms listed in the UK GDPR, such as SCCs. Following the Schrems II ruling, a risk based assessment may also be required to consider any supplementary measures needed.

What's new?

Following the UK’s withdrawal from the EU, the ICO was required to issue their own set of SCCs. These have now come into force and are contained in the International Data Transfer Agreement (“IDTA”). From Monday 21 March 2022, the IDTA replaced its EU counterpart. This bespoke UK safeguard mechanism governs the handling and safeguarding of personal data by data importers receiving personal data from the UK. It will also simultaneously give data exporters confidence that the transfer is in line with the UK GDPR.

Along with the new UK specific safeguard, a UK Addendum to the EU’s new SCCs has also been implemented.  The Addendum sits alongside the EU’s new SCCs to ensure compliance with both the UK GDPR and EU GDPR.

IDTA or Addendum: when to use them?

The IDTA is to be used when transferring personal data from the UK to any third country that does not have adequate data protection safeguards (recognised through an adequacy decision) or other suitable protection mechanisms in place (such as binding corporate rules). The IDTA allows the relevant parties to include and refer to a "linked agreement" which contains key details about the data transfer and commercial provisions.

The UK Addendum is designed to amend existing EU SCCs. It enables organisations subject to both the EU and UK data protection regimes to use one data transfer arrangement to comply with both sets of requirements. For UK companies, it is their choice which safeguard mechanisms they use. The UK Addendum applies to the updated version of the EU SCCs only.

The EU and UK both require data exporters to undertake data transfer impact assessments when utilising either version of the SCCs. The ICO is expected to shortly release guidance on the use of IDTAs, the UK Addendum and how to carry out a UK transfer risk assessment.

Timelines to implement

• Up until 21 March 2024: contracts entered into on or before 21 September 2022 may use the existing EU SCCs as an appropriate safeguard to transfer data overseas  
• After 21 September 2022: data exporters must use the UK Addendum if they want to enter into new arrangements for transfers subject to the UK GDPR
• No later than 21 March 2024: any existing arrangements for UK transfers based on the old EU SCCs must be replaced

Next steps

Organisations should review their transfer methods now. If entering into new contractual arrangements, the IDTA and/or UK Addendum should be considered. After 21 September 2022, the old version SCCs should not be used.

Organisations should also note the March 2024 deadline for updating contractual arrangements for transferring data.

Please get in touch with our data privacy team if you have any questions on lawfully transferring data overseas.