This month (February 2022) the Department for Culture, Media and Sport (DCMS) laid before Parliament the new International Data Transfer Agreement (IDTA). This document, as well as its associated transfer addendum and a further document setting out transitional provisions follows a consultation undertaken by the Information commissioner’s office (ICO) in 2021.
Providing there are no objections, the IDTA will come into effect on the 21st March 2022.
Why is this happening? Who will this affect? And what do these new standard contractual clauses mean for your business?
Why is the IDTA required?
Since its inception, the EU GDPR and now the UK GDPR have both placed strict requirements upon any transfers of personal data to a non-EU/EEA or non-‘adequate’ country. These transfers are termed ‘restricted transfers’. To perform a restricted transfer (e.g. transferring personal data from a UK based company to a USA based company) you must have a legal transfer mechanism to do so. The most common way of doing this is to include Standard Contractual Clauses (SCCs) to the contractual data transfer agreement. Before Brexit, only the EU Commission were allowed to write SCC templates.
Last year, the EU Commissions SCCs were updated as a consequence of the Schrems II decision (for more information see here our earlier article). Following Brexit and the implementation of the UK GDPR, these updated EU SCCs no longer apply to UK businesses. This resulted in the ICO beginning the process of drafting its own set of SCCs under the applicable UK law (UK GDPR).
The IDTA has been designed as the UK equivalent of the EU SCCs and will govern the transfers of UK citizen personal data.
Who will this effect?
Quite simply any UK businesses that is transferring UK personal data to a non-‘adequate’ country will be required to include the IDTA. This list of ‘adequate’ territories is likely to differ from the EU/EEA’s list. Indeed, the UK government has indicated that they are likely to pursue adequacy partnerships with a variety of states that the EU/EEA has not deemed ‘adequate’ as of yet, such as India and potentially the United States.
However as of February 2022, the provisional UK ‘adequate’ list contains the same states as the EU/EEA list, as well as all EU/EEA members.
As such, the inclusion of SCCs will depend upon the type of data subjects whose data you are processing.
The following table will help identify which is required:
Data Subjects | Clauses Required |
---|---|
Only EU/EEA | EU SCCs |
Only UK | IDTA |
Both EU/EEA and UK | EU SCCs with the IDTA addendum |
What should we expect as a business?
If no objections are raised by Parliament, the IDTA will come into effect on the 21st March 2022. UK businesses may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022.
All contracts on the basis of the old EU SCCs will continue to provide ‘appropriate safeguards’ for the purpose of UK GDPR, until 21 March 2024. From that date, if the restricted transfers continue, an organisation must enter into a contract on the basis of the IDTA or the Addendum or find another way to make the restricted transfer under the UK GDPR.
All businesses transferring personal data outside of the UK and to a restricted territory should look to identify which SCCs will be most applicable.