What is changing?
Earlier this year, the Information Commissioner’s Office (ICO) published new data protection clauses for restricted transfers of personal data, which are designed to replace the old EU Standard Contractual Clauses in the UK.
The new data protection clauses take the form of:
- A new International Data Transfer Agreement (IDTA); and
- A new International Data Transfer Addendum to the new European Commission SCCs (Addendum).
While the IDTA and Addendum came into force in March of this year, the ICO has provided a phased period for their adoption. The effect of this is that contracts which have already been entered into on the basis of the old EU SCCs will continue to provide appropriate safeguards in respect of restricted transfers of personal data until 21 March 2024.
However, in respect of new contracts, the deadline is more immediate. This is because the ICO has stated that business may only enter into new contracts on the basis of the old EU SCCs until 21 September 2022.
After this date, the EU SCCs should not be used in new contracts and either the IDTA or Addendum should be used instead.
What is the background?
As many readers will likely already be aware, under the UK GDPR personal data may only be transferred from the UK to a country, territory or international organisation outside the UK, if certain conditions are met.
Briefly, those transfers can only take place if:
- the transfer is made to a recipient located in a country or territory covered by UK “adequacy regulations” (i.e. a country which has been deemed as providing ‘adequate’ protection for personal data by the Secretary of State for the DCMS);
- the controller has provided appropriate safeguards in respect of the transfer and has ensured that enforceable data subject rights and effective legal remedies for data subjects are available; or
- the transfer is covered by one of the ‘exceptions’ set out in the UK GDPR.
Where the recipient is not covered by UK adequacy regulations, it is often the case that ‘standard data protection clauses’ will be used by data controllers (alongside a transfer impact assessment) to provide appropriate safeguards for international transfers of personal data.
Historically, the EU’s Standard Contractual Clauses would most commonly be used for this purpose. However, post Brexit, the ICO has now adopted new data protection clauses for use under the UK GDPR in place of the EU SCCs, in the form of the IDTA and Addendum.
While the new IDTA and Addendum came into force on 21 March, a transition period is in place to permit use of the old EU SCCs under the UK GDPR until 21 March 2024, provided they are entered into before 21 September 2022.
What do I need to do?
It will no longer be possible to use the old EU SCCs to provide appropriate safeguards for international transfers in new contracts, as of 21 September 2022.
Businesses should therefore review the new contracts that they enter into as of 21 September 2022 to determine:
- whether they need to address (and provide appropriate safeguards for) international transfers of personal data; and
- if they do, whether the contract has been updated to adopt either the IDTA or Addendum.
Going forward, it would also be wise for businesses to begin to prepare for the 21 March 2024 deadline, after which it will no longer be possible to use EU SCCs in existing contracts to provide appropriate safeguards for restricted transfers, either.
Please don’t hesitate to contact us if we can be of any assistance on this issue.
Content from the Deloitte Legal blog can now be sent direct to your inbox. Choose the topic and frequency by subscribing here.