International Data Transfers: New UK Standard Contractual Clauses

On 21 March 2022, the UK formally adopted a new UK General Data Protection Regulation (UK GDPR) Standard Contractual Clauses (SCCs) regime.  After the UK’s exit from the European Union (Brexit), this represents a necessary divergence from the EU approach, because the UK became a “third country.” The UK has now declared data protection adequacy for most of the countries that shared data protection adequacy before Brexit. However, as a third country, with GDPR imbedded into its laws, it needed to put in place appropriate safeguards for personal data transfers to the rest of the world. This is the main purpose of the UK’s new data protection SCCs.

Countries that have UK Data Protection Adequacy

The UK Government has granted data protection adequacy status to the twenty-seven (27) member states of the European Union (EU) and member countries of the European Economic Area (EEA), plus Gibraltar. The EU’s and EEA’s institutions, bodies, offices and agencies also have UK adequacy. The UK has also approved the countries the EU has declared adequate. These are Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate data protection.

The UK has published plans to actively pursue data protection adequacy agreements with key foreign countries. These high priority countries are Australia, Brazil, Colombia, the Dubai International Financial Centre Free Zone in the United Arab Emirates, India, Indonesia, Kenya, the Republic of Korea (South Korea); Singapore and the United States of America.

All the countries that have been declared adequate by the UK, escape the complexities of putting in place wide-ranging appropriate safeguards, including the UK’s new SCCs, to facilitate international personal data transfers. The UK GDPR SCCs will govern international personal data transfers to non-EU, non-EEA and non-adequate countries, in the rest of the world.

Understanding the new UK Standard Contractual Clauses Documents

Important Dates: The clauses become effective on 21 March 2022. By 21 September 2022, companies and organisations must start to use the new IDTA or UK Addendum for all new international personal data transfer arrangements governed by UK GDPR.  Contracts signed before this date using the old EU SCCs will continue to be valid until 21 March 2024, if the data transfers remain unchanged during this period.  By 21 March 2024, all data transfers under UK GDPR must use the new clauses. All historical UK GDPR international personal data transfers based on the old EU SCCs must be updated by that date.

The International Data Transfer Agreement (IDTA) is the UK’s new standaloneSCC document. The main users will be UK-only based companies and organisations seeking to sign a stand-alone document to facilitate the data transfer. The IDTA could also be added as a self-contained schedule to another contract. It cannot be used by organisations that are seeking to cover personal data leaving both the EU and the UK. The IDTA is an alternative to the UK Addendum. The IDTA reflects the EU’s new SCCs, but not the modular approach seen in it. A wider range of parties such as Data Controllers, Data Processors and Sub-Processors can use the agreement and can list any supplementary measures that apply to the data transfer.

The UK Addendum is the UK Addendum to the EU’s SCCs for international personal data transfers. It is an alternative to the IDTA.  The main users will be companies and organisations that carry out EU to non-EU/EEA international personal data transfers and who also seek to add similar provisions for UK personal data that will be transferred outside the UK, EEA and the list of countries declared adequate both by the EU and the UK.

Transfer Risk Assessments (TRAs) must be completed when the IDTA or the UK Addendum are used, in order to assess the transfer risks and levels of compliance for the international personal data transfer. TRAs must be reviewed regularly. If the TRA indicates that the destination of the personal data transfer is not adequate, the company or organisation sending the personal data must put in place supplementary measures. It is likely that the UK Information Commissioner’s Office (ICO) will published a UK GDPR TRA template or model for companies and organisations to use.

PrivacySolved has years of expertise in UK and EU data protection, including with the key regulators. For advice, support, projects and programmes, contact PrivacySolved:

Telephone (London): +44 207 175 9771

Telephone (Dublin): +353 1 960 9370

Email: contact@privacysolved.com