Do you transfer or receive personal data from the United Kingdom? If so, there are some important developments in the UK to factor into your data protection compliance program. In a major change of policy, some organizations that previously did not need to enter into a data transfer agreement under the UK’s guidance on “restricted transfers” will now need to enter into the UK’s new international data transfer agreement or use the current EU standard contractual clauses as modified by a new UK addendum.
New UK Data Transfer Mechanisms
The UK Information Commissioner’s Office (ICO) has just published the final form of its much-anticipated new International Data Transfer Agreement (IDTA), along with a separate addendum to the EU SCCs (SCCs Addendum). The IDTA and the SCCs Addendum offer important alternative ways to ensure that UK personal data is adequately protected when exported from the UK. They have been laid before Parliament and, assuming there are no objections from MPs, will go into effect on March 21, 2022.
The UK Concept of Restricted Transfers
In addition, the UK has brought its approach to “restricted transfers” back into alignment with the EU. That means that some data importers that previously did not need to adopt the UK’s form of SCCs will now be required to do so. Under Article 3(2) of the UK GDPR, companies established outside the UK that offer goods or services to people in the UK, or that monitor their behavior (primarily, automatic online tracking of website and app users), are subject to the UK GDPR. Transfers to data importers that are subject to the UK GDPR under these long-arm jurisdiction provisions will now be treated as restricted transfers that require additional protections. Previously, the UK ICO took the view (in essence) that the fact that the importer was subject to the UK GDPR meant that no additional safeguards were necessary. The UK approach is now consistent with the stricter EU approach, which was recently confirmed by the European Data Protection Board in its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, adopted on November 18, 2021.
Importantly, the IDTA expressly permits transfers to importers that are subject to the UK GDPR under its long-arm jurisdiction provisions. That puts the UK ahead of the EU for the moment in the data transfer mechanism game, since Recital 7 of the EU Commission’s implementing decision for the new SCCs states that they do not cover transfers where the importer is subject to the long-arm jurisdiction of the GDPR (Art. 3(2)). Astoundingly, the EU’s recent transition from the old to the new SCCs left an entire substantial category of data importers out in the cold, unable to rely on either the old or the new SCCs to meet their GDPR obligations (although as a practical matter, it appears that many companies in this situation have nonetheless elected to adopt the new SCCs while the Commission and the European Data Protection Board sort out a new set of SCCs to cover them).
The International Data Transfer Agreement
As we commented previously on the draft version of the IDTA, the UK has taken a fresh look at the contract terms that are needed to ensure adequate protection of transferred personal data to meet the UK GDPR’s standard (which is essentially the same as the EU GDPR at this point in time). Overall, the agreement is written in clear, direct, simple language. Unlike the EU SCCs, which have four modules to cover the main variants of transfers (controller to controller, controller to processor, and so on), the IDTA is an all-in-one agreement. While the IDTA is long, much of its length is due to its useful “tick if it applies” tables and helpful glossary. The IDTA also addresses some additional data flow variations that are not expressly covered in the EU SCCs.
Organizations will welcome the flexibility and pragmatism of the IDTA. The IDTA reflects the UK’s openness to recognizing that a larger – and important – contractual framework virtually always surrounds personal data transfers. The IDTA creates a defined term, “Linked Agreements,” to refer to these other contracts. The IDTA allows the parties to refer to the Linked Agreements to cover certain GDPR compliance items, such as the instructions given by a controller to a processor. The Linked Agreements can also be amended as appropriate without needing to re-execute the linked IDTA.
The UK Addendum to the EU SCCs
Following Brexit, the UK did not immediately adopt the EU’s “new” 2021 SCCs. Instead, the UK continued to permit data exporters making restricted transfers to use a lightly adapted UK form of the “old” SCCs (the EU’s 2001/2004 controller and 2010 processor SCCs). As of March 21, 2022, UK data exporters have the option of using the new EU SCCs simply by completing the SCCs and adding the UK’s SCCs Addendum. The SCCs Addendum is a brief document that takes a minimalist approach to tailoring the EU SCCs to work for UK data transfers. This will most likely be the preferred route for data transfers that include EU-origin as well as UK-origin personal data.
If your organization has already entered into the UK’s prior form of SCCs (that is, the EU’s pre-GDPR SCCs), you can continue to use them for the covered data transfer until March 21, 2024 provided that the data processing operations remain unchanged and reliance on those SCCs ensures that the transfer of the personal data is subject to appropriate safeguards. That means, among other things, that you have done a transfer impact assessment and adopted measures to satisfy the requirements of the Schrems II decision. Because the safeguards in the pre-GDPR SCCs are substantially less comprehensive than those required by the UK GDPR, we recommend taking steps as soon as possible to replace existing UK SCCs with the new IDTA (or the UK Addendum coupled with the new EU SCCs).
If you have any questions or concerns, please contact the Mintz Privacy & Cybersecurity team or your usual Mintz contact.