In February 2022, the Secretary of State for Digital, Culture, Media and Sport (DCMS) laid the proposed international data transfer agreement (IDTA) before Parliament. Alongside this, the DCMS also introduced the international data transfer addendum (the Addendum) to the EU’s Standard Contractual Clauses (SCCs), and a document setting out the transitional provisions was also put before the House. The new agreements were formed as a result of a consultation by the Information Commissioner’s Office (ICO) in 2021. Parliament agreed on the ICO’s proposals, and these were published on the ICO’s website to act as guidance for organisations to use to transfer personal data outside of the UK.
In November 2022, the ICO finally published their guidance on how organisations can use the IDTA and the Addendum. In this blog, we provide a quick overview of this guidance and what you will need to remember when you are transferring data outside of the UK to a third country.
If you are transferring personal data outside of the UK to a third country, you will have to ensure that you are deploying some kind of transfer mechanism. Restricted transfers cover all transfers that see personal data leaving the UK. If your restricted transfer is covered by an adequacy decision, then that country has been deemed ‘adequate’ at protecting people’s rights and freedoms regarding their personal data. If there is no adequacy agreement, then you will have to use one of the appropriate safeguards set out in this blog. The UK’s current list of adequate countries has been inherited from the EU, but in the future, the UK will be able to make its own adequacy agreements with third countries.
An example of a restricted transfer is where you are a data controller in the UK and you wish to transfer personal data to a data processor in India (a non-adequate country). In short, a restricted transfer is when:
Both the Addendum and the IDTA form the basis of the UK’s package to assist international transfers in a post-Brexit UK. A part of the wider plan is to “independently support the Government’s approach” to more adequacy decisions. This supports the UK’s new data protection regime, while still offering protections to UK citizens and residents.
The Addendum works as an additional piece of guidance to the new EU SCCs and extends their use for a post-Brexit UK. The main difference is that it replaces the references to the EU, and EU supervisory authorities, with the UK and the ICO. This means that the obligations of the data exporter and importer are essentially the same as those under the EU SCCs. The Addendum is going to be extremely beneficial for organisations that also have operations in the EU and already use the new SCCs. For these organisations, the Addendum will allow for smoother integration and transfers.
The IDTA imposes obligations on the data importer to ensure that data transferred outside of the UK has the same level of protection expected under UK GDPR (sounds familiar, right? This is what the EU’s SCCs are there to do too!). The IDTA can be executed alongside an agreement which covers provisions of service (like a data processing agreement). The IDTA, like the EU’s new SCCs, aims to address the uncertainty raised in the Schrems II decision, especially the requirement to complete a transfer risk assessment for the importing country’s laws. This assessment will help you decide whether an IDTA can provide appropriate safeguards in that country and will have to consider local laws and practices of the importing country.
Which one can I use?
Well, this very much depends on your organisation and structure. If you operate within the EU and the UK and want to keep things simple, then it is likely that the Addendum is the one you will rely on. Organisations can adopt either, and like the previous SCCs, they must be adopted in their approved form without substantial modifications (you are able to fill in the information that is needed and to describe the nature of your processing).
Transfer Risk Assessments (TRAs) can help your organisation ensure that the Article 46 transfer mechanisms will, in fact, provide appropriate safeguards, along with effective and enforceable rights for your data subjects. There are two risks you should be considering as a part of your TRA:
Transfer Risk Assessments
The ICO has issued a TRA tool that will help organisations. The tool asks a number of questions to help you decide whether the transfer is appropriate. This includes, for example:
The ICO has made it clear that a transfer should not go ahead if the answers suggest that the transfer mechanisms will not provide appropriate safeguards and effective and enforceable rights for the data subjects’ personal data that you are transferring.
Extra protections can be put in place to ensure the data is kept safe, but you should work through the tool again to check these. The ICO has suggested that you consult a data protection expert to get help and guidance when it comes to the TRA and international transfers.
You can find the TRA tool here; alternatively, click here for more information about the ICO’s guidance.
International Data Transfer Agreement
The ICO has some excellent guidance on how to use their IDTA and the Addendum in its guidance around restricted transfers. Its guidance includes:
You can find more information and guidance here.
Any new contracts you sign must use the new IDTA or the Addendum (as we are past the 21st September 2022 deadline). Any contracts that you have which were signed before 21st September 2022 and use the old SCCs will need to be amended or replaced with the new UK transfer mechanism. You must do this by the 21st March 2024 deadline. But the sooner you can start the process, the better. It is important that you complete a transfer risk assessment for any transfers you conduct. These are essential in ensuring that your data subjects’ data is protected and that they can enforce their rights.
If you, or your organisation, need help and support when it comes to international data transfers from the UK or the EU, complete the contact us form below, and one of our team will be in touch.