Parliament Minds the Gap, Approves UK Data Transfer Agreement and Addendum to Standard Contractual Clauses

As of March 21, 2022, the UK Parliament approved the UK International Data Transfer Agreement (“IDTA”) and an addendum to the European Commission’s new Standard Contractual Clauses. As a result, organizations subject to the General Data Protection Regulation, as adopted by the UK (the “UK GDPR”), will be able to use the IDTA or the addendum as a transfer mechanism to comply with the UK GDPR for transfers of personal data from the UK to third countries, such as the United States, that do not provide an adequate level of data protection in accordance with the UK GDPR. Previously, organizations had been able to rely on the new Standard Contractual Clauses for data transfers from elsewhere in Europe, but not for data transfers from the UK, because the gap in timing between Brexit and the European Commission’s adoption of the new Standard Contractual Clauses had left the UK without having formally adopted the new Standard Contractual Clauses.

Background

In June 2021, the European Commission adopted the new Standard Contractual Clauses for international transfers of personal data subject to the EU General Data Protection Regulation (“EU GDPR”) (as described in our prior alert here). These new Standard Contractual Clauses updated older clauses dating back over a decade and addressed data protection concerns arising from the Schrems II case issued by the European Union’s Court of Justice in June 2020. However, because the adoption of the new Standard Contractual Clauses occurred about 6 months after the UK completed Brexit on December 31, 2020, there was a gap—organizations could not rely on the new Standard Contractual Clauses for data transfers from the UK until the UK adopted them, or another data transfer mechanism, for itself.

Although the new Standard Contractual Clauses were out of play, UK data transfers could still utilize the older Standard Contractual Clauses because the UK had adopted them pre-Brexit. However, the rest of Europe was required to use the new Standard Contractual Clauses for contracts entered into after September 27, 2021. As a result, contracts involving data transfers from both the UK and the EU would need to comply with multiple data transfer mechanisms after September 27, 2021. This created a compliance burden for organizations. The UK’s approval of the IDTA and addendum to the new Standard Contractual Clauses fixes this issue.

UK Data Transfer Mechanisms

The UK Information Commissioner’s Office (“ICO”) first issued drafts of the IDTA and its addendum to the new Standard Contractual Clauses through a public consultation from August 2021 through October 2021. The final documents vary somewhat from the originally issued drafts. However, like the EU’s new Standard Contractual Clauses, the UK’s IDTA and addendum to the new Standard Contractual Clauses replace the old Standard Contractual Clauses for and take into account the data protection concerns raised by the Schrems II case. These EU and UK data transfer mechanisms all also require data exporters to carry out a transfer risk assessment.

The IDTA and the addendum are two separate data transfer mechanisms that organizations can use. The IDTA operates on a standalone basis, and is substantially similar to the new Standard Contractual Clauses. On the other hand, the addendum operates in conjunction with the new Standard Contractual Clauses by amending them to allow for their use for transfers from the UK. Organizations are free to decide whether they will use the IDTA or the addendum, and if they prefer, organizations can use the IDTA for some contracts, while using the addendum for others.

Transition Period

Like when the European Commission adopted the new Standard Contractual Clauses, there is a grace period for implementing the UK’s IDTA and addendum. Contracts currently in place that use the old Standard Contractual Clauses as a means of complying with the UK GDPR for data transfers can be used until March 21, 2024. Additionally, until September 21, 2022, to facilitate transfers of personal data from the UK to countries that do not provide an adequate level of data protection, parties can continue to put new contracts in place utilizing the old Standard Contractual Clauses. However, for some organizations, it may be more practical to immediately integrate the IDTA or the addendum to the new Standard Contractual Clauses into any new contracts with UK data transfers.

Then, after September 21, 2022, all new contracts governing transfers of personal data from the UK to countries that do not provide an adequate level of data protection must use either the IDTA or the addendum to the new Standard Contractual Clauses. Finally, by March 21, 2024, all contracts governing transfers of personal data from the UK to countries that do not provide an adequate level of data protection (including those previously governed by the old Standard Contractual Clauses) will need to be updated to use either the IDTA or the addendum to the new Standard Contractual Clauses. Organizations subject to the UK GDPR should take note of this timeline and inventory current contracts as part of their plan for compliance.

Other Guidance

The ICO is developing additional guidance for organizations on data transfers, which it plans to publish soon. This guidance will include clause-by-clause guidance for the IDTA and addendum, guidance on how to use the IDTA, guidance on transfer risk assessments, and further clarifications on the ICO’s international transfer guidance.

The most common method of complying with the data transfer requirements under the UK GDPR and the EU GDPR is the use of Standard Contractual Clauses, so this marks a key development for organizations in countries that do not provide an adequate level of data protection, such as the United States. If you need assistance complying with these data transfer mechanisms or have any questions regarding these developments, please contact one of the authors or another one of our Cybersecurity & Data Privacy attorneys.