New International Data Transfer Agreement (IDTA), Addendum, and Transitional Provisions in Force as of March 21, 2022
With the UK now having its own set of standard data protection clauses for international data transfers, businesses should get the ball rolling on a plan for addressing these new mechanisms.
Quick Background
The UK General Data Protection Regulation (the "UK GDPR"), as implemented by the Data Protection Act 2018, permits transfers of personal data to a third country or an international organization when there are adequate regulations in place. In the absence of adequate regulations, a controller or processor must implement appropriate safeguards. Under Article 46 of the UK GDPR, such appropriate safeguards may be provided for through standard data protection clauses specified in a document issued by the Information Commissioner.
Following the UK's departure from the EU and the CJEU judgment in the Schrems II case, the UK Information Commissioner's Office (ICO) sought public consultation on August 11, 2021, regarding international data transfers outside the UK. After this consultation period, the Secretary of State on February 2, 2022, laid before Parliament (1) Version A1.0 of the International Data Transfer Agreement (the "IDTA"), (2) Version B1.0 of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "Addendum"), and (3) the International Data Transfer Agreement Transitional Provisions.
With no objections from Parliament, they came into force yesterday, March 21, 2022.
The IDTA and the Addendum
The IDTA is a legally binding contract providing for appropriate safeguards for restricted transfers and is intended to be a standalone agreement.
The Addendum consists of modifications to the new June 2021 EU standard contractual clauses (the "new EU SCCs").
Businesses can choose to either use (1) the new IDTA or (2) the new EU SCCs with the Addendum.
Timeline
Transfer agreements concluded on or before September 21, 2022, may continue to use the old EU SCCs until March 21, 2024, provided that the processing operations detailed in such agreements remain unchanged, and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
Any new transfer agreements concluded after September 21, 2022, must use either the new IDTA or the new EU SCCs with the Addendum.
Businesses must transition any existing transfer agreements still using the old EU SCCs to either the new IDTA or the new EU SCCs with the Addendum before March 22, 2024.
Next Steps
Octillo recommends that clients take immediate steps to evaluate all existing agreements in light of this new timeline. We have a team of highly skilled attorneys who can help your company work towards compliance and data protection in both Europe and the UK.
*Attorney Advertising: Prior results do not guarantee future outcomes.