In February 2022, the United Kingdom (UK) Information Commissioner’s Office (“ICO”), the data protection authority (“DPA”) in the UK, published three new documents ("UK Documents") which update the UK's position on data transfers outside of the UK, including:
The UK Documents were published following a consultation on the UK's approach to international data transfers which took place between 11 August and 11 October 2021.
The IDTA and Addendum replace the current UK standard contractual clauses for international data transfers – i.e., the "old" set of EU standard contractual clauses, based on the former EU Data Protection Directive, as amended to refer to both UK legislation and data transfers outside of the UK (the "UK tweaks").
The IDTA is a full-form standalone agreement, whereas the Addendum is a nine-page document which amends certain clauses of the new EU SCCs so that exporters of personal data can simply use the new EU SCCs for international data transfers from the UK.
Like the new EU SCCs, the IDTA places extensive contractual obligations on both importers and exporters of personal data, including obligations which take into account the European Court of Justice ("CJEU") decision in Schrems II.
The "transitional provisions" are discussed below, at Question 4.
The IDTA is shorter than the new EU SCCs, and its language is more "user friendly" than that of its European counterpart.
Notably, the IDTA does not follow a "modular" format. As such, it does not contain a direct equivalent of "Module Two" or "Module Three" of the new EU SCCs (i.e., for controller to processor transfers and processor to sub-processor transfers, respectively), and therefore the IDTA does not incorporate the Article 28 "processor obligations" of the UK General Data Protection Regulation ("UK GDPR"). Instead, the IDTA deals with this through the concept of a "linked agreement", which will contain those terms. If the importer is a processor or a sub-processor, a "linked agreement" must be in place to support the IDTA. There are some additional subtle differences between the IDTA and the new EU SCCs. For example, in the IDTA, parties have the ability to resolve disputes through arbitration.
The Addendum, on the other hand, acts as an alternative to the longer form IDTA. The Addendum amends the new EU SCCs so they can be used to make international transfers of personal data from the UK.
Interestingly, unlike the new EU SCCs, the IDTA and the Addendum cover transfers to organisations located in third countries that are caught by the extra-territorial scope of Article 3 of the UK GDPR. The position in the UK is therefore much simpler than on the continent. Recital 7 of the new EU SCCs suggests that organisations caught by Article 3 of the "EU" GDPR do not need to put the new EU SCCs in place, given that those organisations are already required to comply with the "EU" GDPR.
However, the European Data Protection Board (“EDPB”) has since clarified that organisations should continue to implement the new EU SCCs with such organisations, regardless of the extra-territorial application of the "EU" GDPR. The European Commission is now considering introducing yet another set of standard contractual clauses to cover these specific transfers. However, this won't be the case in the UK.
As the UK has left the EU, businesses that operate in both the UK and the EU need to ensure they are compliant with Chapter V (transfers of personal data to third countries) of both the "EU" GDPR and the UK GDPR.
We don't yet know the EU Commission's thoughts on the IDTA or the Addendum (and whether this may ultimately affect the UK's delicate positive adequacy decision). As such, there is no equivalent "EU Addendum" (i.e., one approving the use of the IDTA, with amendments, for international data transfers from the EU). Accordingly, for organisations with global intragroup and third-party vendor data flows, it may make sense to simply use the new EU SCCs with the Addendum. This is a less labour-intensive (and less costly) option than using the IDTA.
To make life easier, organisations may wish to incorporate the IDTA, or the Addendum, by reference. There is an "alternative" provision at the back end of both the IDTA and the Addendum which defines "Mandatory Clauses". The definition differs depending on whether the IDTA or the Addendum is used. The "Mandatory Clauses" make it easy to incorporate the IDTA or the Addendum by reference. However, importantly, as with the new EU SCCs, the information required by the IDTA or the Addendum must still be included somewhere in the agreement (e.g., party details and information about the nature of the transfers taking place).
The ICO has confirmed that the UK Documents "are immediately of use to organisations transferring personal data outside of the UK". However, technically, the UK Documents are awaiting approval from the UK Parliament. Assuming there are no objections, they will come into effect on 21 March 2022.
The ICO has confirmed in the "transitional provisions" that the "old" EU SCCs with the UK tweaks, where entered into on or before 21 September 2022, will remain a valid means of making international data transfers until 21 March 2024. This assumes that the processing operations remain unchanged during that time. The IDTA or the Addendum must be entered into if the processing operations change, or by 21 March 2024, whichever occurs first.
This "grace period" is similar to that offered by the EU Commission to organisations relying upon the "old" EU SCCs for international data transfers outside of the EU. As a reminder, organisations can no longer enter into the "old" EU SCCs (the cut-off was 27 September 2021) but can rely upon the "old" EU SCCs entered into before that date (again, assuming the processing operations don't change) until 27 December 2022.
We are waiting on additional guidance from the ICO for:
We anticipate that these will be published soon, so watch this space.
It is important to remember that whilst the UK has left the EU, the CJEU judgment in Schrems II remains good law in the UK.
As such, any organisation making a personal data transfer from the UK must be able to demonstrate that the personal data subject to the transfer is afforded protection "essentially equivalent" to that which it benefits from under the UK GDPR.
The ICO has not yet produced its own guidance on TIAs, but the ICO confirms that the EDPB's "recommendations" remain a "useful reference about additional measures". So, for the time being, organisations making personal data transfers from the UK still need to rely upon the EDPB "recommendations" to conduct TIAs.
At a European level, international data transfers and the fallout from Schrems II remain the hot topic in privacy law. The Austrian DPA's recent Google Analytics decision is clear evidence of that. The head of the Austrian DPA, Andrea Jelinek, is also currently the chairperson of the EDPB, which strongly suggests that the decision will influence a Europe-wide approach reflecting the Austrian DPA's decision. The French DPA, CNIL, has already issued a similar decision in relation to an unnamed French website manager. Recent statements from the Danish and Norwegian DPAs indicate that they will take a similar view.
There are circa 100 outstanding complaints (of the 101 complaints issued by Max Schrems' not-for-profit privacy advocacy group, None Of Your Business) in relation to the use of Google Analytics which are still being considered by other EU countries. Given the substantive similarities between the UK and EU approaches to data protection, an educated guess would suggest that the ICO will take a view similar to that of its European counterparts.
What's on the Horizon
In short, the ICO has published pragmatic advice on the UK’s position in relation to international data transfers. We await further guidance on how the ICO expects the IDTA and the Addendum to be used in practice and additional clarifications from the ICO on "restricted transfers" generally. Separately, there is chatter in the U.S. that a new Privacy Shield may be on the horizon – companies should remain alert for developments in this regard given the regulatory focus on data transfers to the U.S.