New International Data Transfer Agreement – what you need to know and do

What you need to know

Making restricted transfers

Since Brexit, there has been little divergence in data protection law between the UK and EU, in particular when it comes to core data protection principles, rights and obligations. However, a number of roles undertaken by the European Commission and European Data Protection Board (EDPB) in the EU are now undertaken by the UK government and the Information Commissioner’s Office (ICO) in the UK.

A key feature in both UK and EU law is the restriction on transfers of personal data to other countries or international organisations (‘restricted transfers’). The UK restricts transfers outside of the UK whereas the EU restricts transfers outside of the European Economic Area (EEA). However, the role of publishing and approving appropriate safeguards for use in restricted transfers – such as standard contractual clauses – is now undertaken by separate UK and EU institutions leading to a divergence in approach.

Adequacy decisions and exceptions

The UK and European Commission have recognised the EEA and UK, respectively, as having ‘adequacy’ meaning that they have essentially equivalent levels of data protection, such that personal data can be freely transferred between the two. They both also recognise adequacy for a number of other countries.

UK and EU law also include a number of specific exceptions to restricted transfers, such as for an occasional transfer for a number of limited purposes or where the data subject has given explicit, informed consent to the transfer.

Standard contractual clauses

Where neither adequacy nor an exception applies – which is the case for most routine transfers outside of the UK and EEA – it is necessary to put in place ‘appropriate safeguards’ and ensure enforceable rights and effective legal remedies are available for data subjects. In most cases the appropriate safeguards will be through standard contractual clauses between the exporter and importer of personal data. 

In 2020, the Court of Justice of the European Union issued its decision in the Schrems II case, which established that standard contractual clauses were not necessarily enough in themselves to ensure adequate protection for data subjects. As a result, it is now necessary to undertake a transfer risk assessment focused on the law and practices of the country of export and, where appropriate, put in place supplementary measures to address any risks identified.

It is here where some divergence has emerged between the UK and EU, because:

– Prior to both Brexit and Schrems II, the European Commission published standard contractual clauses in 2001 and 2010 (old SCCs) and approved them for use in the EU which, at the time, included the UK.

– After the Brexit transition period ended on 31 December 2020, the UK could publish its own standard contractual clauses but in the meantime the old SCCs continued in use in the UK.

– In June 2021, the European Commission published new standard contractual clauses (new SCCs). These addressed some deficiencies in the old SCCs, including but not limited to those identified in Schrems II. However, while the new SCCs could be used in the EU, they were not approved for use in the UK where it has been necessary to continue to use the old SCCs.

The International Data Transfer Agreement (IDTA)

Between August and October 2021, the ICO consulted on a draft International Data Transfer Agreement (IDTA) which, despite its new name, is the UK’s own post-Brexit version of standard contractual clauses to replace the old SCCs.

Following the consultation, on 2 February 2022 the secretary of state for culture, media and sport laid the IDTA before parliament. Unless parliament objects to the IDTA, which is very unlikely, the IDTA will be approved for use in the UK from 21 March 2022. 

The ICO has promised additional guidance and tools including clause by clause guidance which are eagerly awaited. We therefore do not comment on the detailed clauses of the IDTA itself at this stage but set out the key steps for data controllers and processors to begin to take now.

What you need to do

All scenarios

If you have not already done so, ensure you are at the right starting point by:

– Undertaking a stocktake of all data processing activities to identify which involve restricted transfers by you or by any processors or sub-processors involved in the processing under your control and what transfer mechanisms and safeguards are in place. Your records of processing activities should contain this information.

– Where a transfer is to a country without adequacy, undertaking and documenting a transfer risk assessment and implementing any supplementary measures required.

– Starting discussions and making plans internally and with other organisations involved in your restricted transfers to migrate to the IDTA.

New or existing processing wholly within the UK

No action is required.

New or existing transfers to countries with adequacy

No action is required.

New or existing transfers to countries without adequacy but in reliance on an exemption

No action is required.

Existing transfers to countries without adequacy or an exemption

If you are relying on the old SCCs at present, you may continue to do so until 21 March 2024. You must migrate from the old SCCs to the IDTA by 21 March 2024 if your restricted transfers are to continue beyond that date. This is on the condition that the processing activities remain unchanged and that the old SCCs continue to provide appropriate safeguards.

You should consider when the best opportunity to make this move will be. The IDTA is more robust than the old SCCs and addresses the implications of Schrems II so, ideally, this should be done as soon as possible. However, the transitional period through to 21 March 2024 allows you to take more time if needed.

Key considerations to inform your approach are:

– Will the restricted transfer continue beyond 21 March 2024?

– When are related agreements (such as commercial agreements, data processing agreements or data sharing agreements) up for review or extension?

– Do related agreements include an obligation to enter into new standard contractual clauses when they become available?

– Do you need to introduce supplementary measures to protect personal data in light of Schrems II?

New (or modified) transfers to countries without adequacy or an exemption

If you make significant changes to a data processing activity involving restricted transfers, you should treat it as a new transfer to ensure legal requirements are met.

You may continue to enter into the old SCCs, even for new transfers, until 21 September 2022 and then continue to rely upon them until 21 March 2024 subject to the conditions set out above.

From 21 March 2022 you may, and from 22 September 2022 you must, use the IDTA. The old SCCs will no longer be approved for use.

The IDTA is a 36-page agreement between the exporter and importer and is similar to the new SCCs introduced in the EU in 2021. You should bear in mind that the IDTA, like the new SCCs, requires more specific information about security arrangements and supplementary measures to keep data safe than under the old SCCs. There will be more work required in drafting, negotiating and agreeing these details. However, much of this involves documenting work that would already be necessary when undertaking data protection impact assessments, transfer impact assessments, negotiating data sharing or processing agreements, and making records of processing activities.

The IDTA can also be adapted so long as certain mandatory clauses and requirements are maintained. Most organisations will prefer to implement the IDTA ‘as is’ but others may seek to implement the IDTA in other ways.

There is also the option of an addendum document (published alongside the IDTA), which supplements the new SCCs (required for export of data from the EEA) to bring them into line with the IDTA (required for export of data from the UK). This approach will appeal to organisations involved with the export of data from both the UK and EEA, or for organisations looking to standardise their contractual arrangements across the UK and EEA. The IDTA, accompanying documentation and a list of countries with adequacy are available on the ICO website.

Authors:

Emma Stockwell, Head of Health Governance, Regulatory and Public Law, Hill Dickinson

Richard Parker, Legal Director, Hill Dickinson

Eleanor Tunnicliffe, Legal Director, Hill Dickinson

Following consultation by the Information Commissioner’s Office (ICO) last year, the UK International Data Transfer Agreement (IDTA) has been laid before parliament and, unless objected to by parliament, will be approved for use from 21 March 2022. Any organisations that transfer people’s personal data from the UK to other countries not covered by adequacy decisions need to familiarise themselves with, and take steps towards using, the IDTA to ensure necessary legal protections are in place.
