Analysis: Introduction of new UK standard contractual clauses for personal data transfer

Analysis: Introduction of new UK standard contractual clauses for personal data transfer

Rosemary Lundy and Richard Armstrong

Arthur Cox partners Rosemary Lundy and Richard Armstrong set out the key dates and next steps for the UK’s new standard contractual clauses for personal data transfer.

Data protection rules in the EU and United Kingdom generally restrict transfers of personal data to third countries which have a legal framework assessed as providing inadequate protection for individuals’ rights and freedoms in respect of their personal data.

A data transfer will however be permitted to such third countries where (in accordance with GDPR and UK GDPR, as applicable) appropriate safeguards are put in place to protect the personal data being transferred. An example of an “appropriate safeguard” is the use of the Standard Contractual Clauses, which are designed to impose certain obligations on the data exporter and data importer while preserving the rights of individuals whose personal data is transferred.

In connection with Brexit; the UK approved the continued use of the EU Standard Contractual Clauses applicable at that time for personal data transfers from the UK to third countries.

However, the European Commission went on to adopt new EU Standard Contractual Clauses (taking into account, in particular, the landmark Schrems II decision) which did not apply to the UK as they were put in place post-Brexit.

This disconnect between the EU and the UK, and the fact that the Pre-Brexit EU SCCs may have been vulnerable given their lack of acknowledgement of the Schrems II decision, led the ICO to consult on the adoption of new Standard Contractual Clauses for the UK.

On 2 February 2022, the UK’s international data transfer agreement (IDTA), along with the new international data transfer addendum to the New EU SCCs were laid before UK Parliament by the Department for Digital, Culture, Media and Sport. As there were no objections raised by Parliament, the IDTA and the UK Addendum came into force on 21 March 2022.

IDTA

Whilst parties are free to decide which of the IDTA and the UK Addendum they use, the IDTA is likely to be used by organisations that are UK-based and are subject only to the UK GDPR.

The terms of the IDTA are admittedly largely similar to the New EU SCCs however it is worth noting certain differences which have the potential to make the IDTA more flexible as regards its use and relevance, for example:

  • It can factor in any “linked” commercial agreements entered into between the parties and account for any key terms of those “linked” agreements (subject to the rights granted under the IDTA being preserved). This is not always the case with the New EU SCCs;

  • It does not adopt the modular structure of the New EU SCCs, which can make it easier for parties to complete the various tables in the IDTA and sign; and

  • It allows for any additional safeguards/supplementary measures required by Schrems II to be separately listed in the agreement.

With that said, it is important to highlight that the IDTA (unlike the New EU SCCs) does not contain all mandatory provisions needed in a controller to processor data processing arrangement and a separate data processing agreement will be required in those circumstances.

UK Addendum

The UK Addendum is a shorter form “add-on” intended to be used in conjunction with and alongside the New EU SCCs and it effectively makes the changes necessary to ensure the New EU SCCs meet UK data protection law requirements in a more succinct way.

The UK Addendum is perhaps best suited for use by multinational organisations with a presence in the EU and UK, as (generally speaking) they will be able to use one data transfer agreement (including the UK Addendum) to comply with their requirements across both jurisdictions.

We would note that the UK Addendum does have some limitations, particularly where the UK GDPR has extra-territorial effect in the jurisdiction of the recipient party and this should be considered carefully before the UK Addendum is the chosen approach.

Key dates and next steps

  • The IDTA and the UK Addendum came into force on 21 March 2022.

  • After 21 September 2022, parties must use the IDTA or the UK Addendum when entering into new arrangements for personal data transfers subject to UK GDPR. As such, parties should use the time period from March 2022 to September 2022 to ensure all template documentation is updated to incorporate/refer to the IDTA or UK Addendum.

  • Data transfer arrangements adopting the Pre-Brexit EU SCCs prior to 21 September 2022 will remain valid until 21 March 2024, at which point the Pre-Brexit EU SCCs must be replaced with the IDTA or UK Addendum.

Share icon
Share this article: