The UK’s new international data transfer mechanisms: the International Data Transfer Agreement and Addendum to the EU Standard Contractual Clauses (“UK Addendum”) came into effect on 21 March 2022.

The change is a significant one for any organisations transferring personal data out of the UK to a country that has not been deemed ‘adequate’ by the UK Government (a list of ‘adequate’ countries is available): those organisations will need to use either the International Data Transfer Agreement or the EU Standard Contractual Clauses plus the UK Addendum to effect their international data transfers and consider how and when to amend any existing agreements.

What’s changed?

 Position prior to 21 MarchPosition from 21 March
Transfers out of the EUOrganisations required to rely on the new EU Standard Contractual Clauses (“EU SCCs”), which were adopted in June 2021, for all new contracts, see our take on the 2021 changes. Organisations still required to rely on the new EU SCCs for all new contracts.
Transfers out of the UKOrganisations required to rely on the old EU Standard Contractual Clauses. The new EU SCCs came into effect after the Brexit Transition Period (31st December 2020), and so did not apply automatically in the UK.  Organisations can now rely on either the International Data Transfer Agreement or the new EU SCCs and UK Addendum. Until 21 September 2022, organisations can continue to enter into the old EU Standard Contractual Clauses for new contracts. For any contracts entered into after 21 September 2022 (or for existing contracts where data processing activities change after that date) organisations must use either the International Data Transfer Agreement or the EU SCCs and UK Addendum. NB if organisations already have the old EU Standard Contractual Clauses in place (or enter into them before 21 September 2022), they can continue to rely on that mechanism until 21 March 2024, at which point contracts will need to be transitioned to incorporate either the International Data Transfer Agreement or EU SCCs and UK Addendum.

Which UK transfer mechanism should I use?

The transfer mechanism that will be most useful will depend largely on the personal data you are transferring:

  • International Data Transfer Agreement – the International Data Transfer Agreement is essentially the UK’s equivalent to the EU SCCs. If your organisation is only subject to the UK GDPR (because it is only established in the UK and doesn’t provide any goods or services in the EU) and is transferring the personal data out of the UK, the International Data Transfer Agreement is likely to be the most appropriate transfer mechanism for you to use;
  • UK Addendum – the UK Addendum is a short document that attaches to the EU SCCs, and essentially applies the EU SCCs to a transfer of personal data from the UK (with some minor, UK-specific amends). As such, it will be most useful if, for example:
  • your organisation is an EU-facing UK organisation that offers goods and services to individuals in the EU, in which case it is likely to be subject to both the EU GDPR and the UK GDPR. You must use the EU SCCs in order to comply with the EU GDPR when you transfer data to a third country.  You can then use the UK Addendum to cover the transfers subject to the UK GDPR; or
  • you are part of a group that transfers personal data from the EU (for example by an EU entity in your group) and from the UK. Using the EU SCCs for EU transfers and including the UK Addendum for any UK transfers may help to ensure that you are using consistent agreements across your group.

Key dates to remember

For data transfers out of the UK:  

  • 21 March 2022 – International Data Transfer Agreement and UK Addendum are effective and can now be used.
  • 21 September 2022 – Contracts involving data transfers out of the UK made on or before this date can use the old EU Standard Contractual Clauses. Any contracts entered into after this date (or existing contracts where the processing activities change after this date) must use International Data Transfer Agreement or new EU SCCs and UK Addendum.
  • 21 March 2024 – All use of old EU Standard Contractual Clauses must stop by this date (existing agreements will need to be amended to include International Data Transfer Agreement or new EU SCCs and UK Addendum).

For data transfers out of the EU:

  • 27 December 2022 – All use of old EU Standard Contractual Clauses must stop by this date (existing agreements will need to be amended to include new EU SCCs).

Don’t forget Schrems II!

It is important to remember that the landmark European Court of Justice (“ECJ”) Schrems II case continues to apply in the UK. The ECJ made clear in Schrems II that the EU SCCs (or equivalent) are not enough to enable organisations to transfer personal data internationally. Rather, organisations must also conduct a transfer risk assessment of the country to which they are transferring the personal data (in particular to assess the law in that country and the access of public authorities to personal data). If the transfer risk assessment reveals any gaps in the recipient country’s data protection laws, the parties must implement supplementary measures to ensure that the personal data that is being transferred is subject to an essentially equivalent level of protection as that in the EU (or UK, as appropriate). You can read our thoughts on the Schrems II decision, including steps that organisations must take.

Given that Schrems II still applies in the UK, organisations will need to carry out a transfer risk assessment and (if necessary) implement supplementary measures when transferring personal data out of the UK, whether they rely on the International Data Transfer Agreement or the EU SCCs and UK Addendum. The ICO has issued a Transfer Risk Assessment Tool, which may be a useful starting point for carrying out your transfer risk assessments, and we are expecting further ICO guidance on how transfer risk assessments should be completed in due course.

What do we do now?

Now is the perfect time to take stock of your international data transfers and consider what actions are required to ensure compliance with recent developments. In particular:   

  • Consider your data flows – to what extent are you transferring personal data internationally?
  • Review contracts involving international transfers – what contracts do you have in place for international data transfers?
  • For your existing contracts – do any of these need to be updated to incorporate the International Data Transfer Agreement or EU SCCs and UK Addendum (are any agreements coming up for renewal, for example)?
  • For any new contracts – incorporate the International Data Transfer Agreement or EU SCCs and UK Addendum.
  • When engaging data importers (including service providers such as website host providers, survey/newsletter providers) with standard terms, consider whether these terms incorporate UK-specific transfer mechanisms, and – if not – inform the data importer as required.
  • For each international data transfer, conduct a transfer risk assessment and consider whether any supplementary measures are required.

More to expect?

We await further guidance from the ICO on international data transfers in the coming days, including on in relation to transfer risk assessments.

More broadly, and there is a growing sense that the UK is starting to take steps to diverge from the approach of the EU and EU GDPR. In particular, we await the UK Government’s response to the “Data: A New Direction” consultation due in Spring 2022, as well as potentially more wide-ranging changes that may emerge in the wake of the planned Brexit Freedoms Bill. You can read our article on potential changes to UK data protection law, and we will continue to provide updates on those changes as and when further details emerge.

You can watch our webinar on UK International Data Transfers, recorded on 21 March 2022.