Following the ICO’s public consultation, launched in August last year, the final version of the international data transfer agreement (IDTA), as well as the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum), has been laid before Parliament.
The IDTA aims to address the UK’s regulatory position, following exit from the EU, in relation to the Schrems II decision of the CJEU and the need to refresh the (legacy) European Commission Standard Contractual Clauses (legacy SCCs) for the transfer of personal data from the UK to third countries.
Alongside the IDTA, organisations will also be able to use the Addendum as an alternative to the IDTA, to essentially apply the European Commission’s Implementing Decision on standard contractual clauses (“EC SCCs”) in the context of UK data transfers. This is good news for organisations transferring personal data from both the UK and EU – as the Addendum allows you to use just one set of SCCs (the EC SCCs along with the Addendum) to cover both transfers, avoiding the need to use both the EC SCCs and the IDTA.
- If there are no objections by Parliament, the IDTA will come into force on 21 March 2022.
- For contracts concluded on or before 21 September 2022, the legacy SCCs can continue to be used, but only where there is no change to the processing operations and that existing contract ensures adequate safeguards in compliance with Schrems II.
- Use of the legacy SCCs must stop from 21 March 2024.
- Organisations processing data will need to assess data flows and transfer arrangements and be ready to incorporate the IDTA or Addendum in respect of all new transfers from the UK to a third country. This will need to be done before 21 September 2022.
- For existing arrangements, where the legacy SCCs are relied upon, organisations have until 21 March 2024 to migrate to the IDTA or Addendum for UK transfers, provided that there is no change to the processing operations and that the existing contract ensures adequate safeguards in compliance with Schrems II. Organisations will also need to undertake a remediation project to analyse which data transfers may be impacted (i.e. will continue beyond that extended transition period) and take measures to update with the IDTA or Addendum.
- In addition to implementing the IDTA or Addendum, organisations will also need to carry out a risk-based assessment of the law in the relevant third country and consider whether any additional safeguards are required to protect personal data in the third country, in accordance with the Schrems II judgement.
The ICO has stated that it will soon publish additional tools to provide support and guidance to organisations, including the following:
- clause by clause guidance to the IDTA and Addendum.
- Guidance on how to use the IDTA.
- Guidance on transfer risk assessments.
- Further clarifications on the ICO’s international transfers guidance.
Please get in touch with any member of the UK data protection team if you have any questions or visit our global data transfer webpage.