The U.K. Information Commissioner’s Office (UK ICO) recently confirmed the options and clarified the timing of new data transfer agreements for transfers of personal data out of the U.K. The situation has been somewhat confusing, even to those relatively familiar with international data transfers. Organizations can now review their data transfer arrangements with greater certainty and this will be a key priority for 2022.
On June 4, 2021, (see our previous alert) the European Commission adopted a new set of Standard Contractual Clauses in relation to transfers of personal data out of the EU (New EU SCCs). The New SCCs have an implementation period of 18 months, ending on December 27, 2022, during which to transition from the previous versions of the Standard Contractual Clauses (Old EU SCCs), which needed to be updated following the Schrems II decision and to bring them into line with the EU General Data Protection Regulation (GDPR). Organizations are currently reviewing and updating their EU data transfer agreements ahead of the deadline of December 27, 2022. Many are finding that the practicalities of confirming and updating the data flows, the nature of the data transfers and carrying out Data Transfer Risk Assessments are far more time-consuming than anticipated and that 2022 will be a busy year.
Organizations carrying out transfers from both the EU and U.K. face additional complications. As part of the post-Brexit transitional period, the U.K. recognized the EU data transfer mechanisms that were in place on January 31, 2020, when Brexit took effect. From that point on, EU law ceased to apply in the U.K., and subsequently adopted EU measures, such as the New EU SCCs, never came into effect in the U.K. However, the U.K. ICO took the position that transfers of personal data out of the U.K. could still rely on the Old EU SCCs. As a result, many organizations have been adopting the New EU SCCs for transfers from the EU while continuing to rely on the Old EU SCCs for transfers from the U.K. This has often resulted in somewhat cumbersome agreements (although the Old EU SCCs were often incorporated by reference rather than appending them in full on top of the New EU SCCs).
New UK International Data Transfer Agreement
In August 2021, the UK ICO launched a consultation process (summarized in our previous alert) which proposed (i) an International Data Transfer Agreement — the U.K.’s own version of the standard contractual clauses, which at least in structure and design looks very different to the EU SCCs (old and new) (IDTA), and (ii) a short U.K.-specific addendum (Addendum), which the UK ICO proposed to use in conjunction with the New EU SCCs (and which is likely to be used by many organizations which transfer personal data from both the EU and UK). However, the timing of the introduction of the IDTA and Addendum was unclear, leaving organizations without much choice other than to implement a mix of Old EU SCCs and New EU SCCs.
The UK ICO has now confirmed that the Old EU SCCs will soon be history. The new IDTA and Addendum will come into force on March 21, 2022 (assuming that no objections are raised by the U.K. Parliament), and organizations transferring personal data out of the U.K. may only continue incorporating the Old EU SCCs into new international data transfer agreements until September 21, 2022.
Any new international data transfer agreements entered into after September 21, 2022, will have to rely on either the IDTA or the Addendum. There will a grace period until March 21, 2024, during which personal data transfers from the U.K. carried out on the basis of the Old EU SCCs will continue to be valid, provided that the underlying data processing operations remain the same and that appropriate safeguards are implemented (transfer risk assessments and additional measures, where appropriate). This will give some comfort to organizations which have already revised their data transfer agreements using both the New EU SCCs and the Old EU SCCs (for transfers from the U.K.) that there will not be an immediate need to re-paper yet again. However, after March 12, 2024, all legacy contracts relying on the Old SCCs, irrespective on when they were entered into, will have to be renegotiated and replaced by either a IDTA or by the combination of the Addendum and New EU SCCs.
The UK ICO is expected to publish guidance in the coming weeks on data transfers, including clause-by-clause guidance on the IDTA and Addendum and guidance on conducting data transfer risk assessments. We will provide further updates and practical guidance on moving to the new arrangements shortly.