25 February 2022

Changes to UK contractual instruments for international data transfers

Following the public consultation launched by the Information Commissioner’s Office ('ICO') in 2021 on its draft International Data Transfer Agreement ('IDTA') and guidance, earlier this month the Department for Digital, Culture, Media and Sport ('DCMS') laid before Parliament its proposed form of IDTA and International Data Transfer Addendum (the 'Addendum') to the European Commission’s standard contractual clauses ('EU SCCs') for data transfers along with a document setting out the transitional provisions in regards to the current use of the EU SCCs in the UK ('Transitional Provisions'). The IDTA and Addendum will likely come into force on 21 March 2022.

If Parliament raises no objections, the IDTA, Addendum and Transitional Provisions issued under Section 199A of the Data Protection Act 2018 ('DPA') will come into force on 21 March 2022. Once approved, UK-based data exporters can use either the IDTA or Addendum as a transfer tool to comply with Article 46(1) of the UK GDPR, when making restricted international transfers of personal data.

The DPA (as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) allows the continued use by data exporters of the EU SCCs, and deems them an appropriate safeguard for international transfers of personal data. The DPA also provides the ICO with the authority to withdraw the ability for data exporters to rely on EU SCCs. In the Transitional Provisions, the ICO confirmed that it will use its authority to withdraw the ability for UK data exporters to rely on the historic EU SCCs, as follows:

  1. Contracts concluded on or before 21 September 2022 on the basis of the EU SCCs, shall continue to provide appropriate safeguards for the purpose UK GDPR until 21 March 2024, provided that (a) the processing operations that are the subject matter of the contract remain unchanged; and (b) reliance on those clauses ensure that the transfer of personal data is subject to appropriate safeguards; and
  2. From 22 September 2022, UK-based data exporters are prohibited from relying on the EU SCCs, and therefore must use either the IDTA or Addendum as the tool to transfer personal data from the UK.

The ICO has indicated that it is currently developing additional tools to provide support and guidance to businesses, including guidance on the IDTA and Addendum.

Why is this happening?

Brexit and the decision by the European Court of Justice in the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'), are the key reasons for the ICO’s preparation of these documents.

The IDTA and Addendum take into account the Schrems II judgement, which, as well as invalidating the EU-US Privacy Shield as a legitimate means for transferring personal data from the EU and UK to the US, also requires that controllers and processors relying on the EU SCCs must assess whether the law or practice of the third country to which data is being exported diminishes or undermines the protections afforded in the EU SCCs. If so, the parties to any data export must put in place additional measures to ensure protection of the transferred personal data.

What does this mean for businesses operating in the UK?

Pending the imminent announcement by UK Parliament of its decision to reject or approve the new IDTA, Addendum and Transitional Provisions, businesses should plan for the imminent change and, undertake a review and audit of the scope of all of international data and the contractual terms that relate to such transfers.

UK-based data exporters should take note of the following key dates:

  • 22 September 2022, since all contracts concluded on or after this date must either use the IDTA or Addendum in respect of international data transfers from the UK; and
  • 21 March 2024, because all contracts concluded on or before 21 September 2022 using the EU SCCs will need to change over to using either the IDTA or Addendum by this date.

Therefore, subject to parliamentary approval, UK businesses should also, prior to 22 September 2022, plan for all future contracts involving data export to be concluded under the IDTA and Addendum as the appropriate legal safeguard to transfer personal data from the UK to a third country.

You can find the ICO’s statement and links to the IDTA, Addendum and Transitional Provisions here.

This article written by Matthew Loader and David Varney.

Key contact

A photo of David Varney

David Varney Partner

  • Data Protection and Cybersecurity
  • Technology and Communications
  • Outsourcing

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more