New UK Data Transfer Mechanisms
The UK Information Commissioner’s Office (ICO) has just published the final form of its much-anticipated new International Data Transfer Agreement (IDTA), along with a separate addendum to the EU SCCs (SCCs Addendum). The IDTA and the SCCs Addendum offer important alternative ways to ensure that UK personal data is adequately protected when exported from the UK. They have been laid before Parliament and, assuming there are no objections from MPs, will go into effect on March 21, 2022.
The UK Concept of Restricted Transfers
In addition, the UK has brought its approach to “restricted transfers” back into alignment with the EU. That means that some data importers that previously did not need to adopt the UK’s form of SCCs will now be required to do so. Under Article 3(2), companies established outside the UK that offer goods or services to people in the UK, or monitor their behavior (primarily, automatic online tracking of website and app users), are subject to the UK GDPR. Transfers to data importers that are subject to the UK GDPR under these long-arm jurisdiction provisions will now be treated as restricted transfers that require additional protections. Previously, the UK ICO took the view (in essence) that the fact that the importer was subject to the UK GDPR meant that no additional safeguards were necessary. The UK approach is now consistent with the stricter EU approach, which was recently confirmed by the European Data Protection Board in its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, adopted on November 18, 2021.
Importantly, the IDTA expressly permits transfers to importers that are subject to the UK GDPR under its long-arm jurisdiction provisions. That puts the UK ahead of the EU for the moment in the data transfer mechanism game, since Recital 7 of the EU Commission’s implementing decision for the new SCCs states that they do not cover transfers where the importer is subject to the long-arm jurisdiction of the GDPR (Art. 3(2)). Astoundingly, the EU’s recent transition from the old to the new SCCs left an entire substantial category of data importers out in the cold, unable to rely on either the old or the new SCCs to meet their GDPR obligations (although as a practical matter, it appears that many companies in this situation have nonetheless elected to adopt the new SCCs while the Commission and the European Data Protection Board sort out a new set of SCCs to cover them).
The International Data Transfer Agreement
As we commented previously on the draft version of the IDTA, the UK has taken a fresh look at the contract terms that are needed to ensure adequate protection of transferred personal data to meet the UK GDPR’s standard (which is essentially the same as the EU GDPR at this point in time). Overall, the draft agreement is written in clear, direct, simple language. Unlike the EU SCCs, which have four modules to cover the main variants of transfers (controller to controller, controller to processor, and so on), the IDTA is an all-in-one agreement. While the IDTA is long, much of its length is due to its useful “tick if it applies” tables and helpful glossary. The IDTA also addresses some additional data flow variations that are not expressly covered in the EU SCCs.
Organizations will welcome the flexibility and pragmatism of the IDTA. The IDTA reflects the UK’s openness to recognizing that a larger – and important – contractual framework virtually always surrounds personal data transfers. The IDTA creates a defined term, “Linked Agreements,” to refer to these other contracts. The IDTA allows the parties to refer to the Linked Agreements to cover certain GDPR compliance items, such as the instructions given by a controller to a processor. The Linked Agreements can also be amended as appropriate without needing to re-execute the linked IDTA.
The UK Addendum to the EU SCCs
UK data exporters now also have the option of using the EU SCCs simply by adding the UK’s SCCs Addendum. The SCCs Addendum is a brief document that takes a minimalist approach to tailoring the EU SCCs to work for UK data transfers. This will most likely be the preferred route for data transfers that include EU-origin as well as UK-origin personal data.
If you have any questions or concerns, please contact the Mintz Privacy & Cybersecurity team or your usual Mintz contact.