Businesses that transfer personal data to and from the United Kingdom will soon have clarity regarding transfers from the UK to recipients outside the EU/EEA.
On February 2, 2022, the United Kingdom Secretary of State for Digital, Culture, Media and Sport laid before the UK Parliament new mechanisms for international data transfers – a draft international data transfer agreement (“IDTA”) along with a separate international data transfer addendum to the European Commission’s 2021 standard contractual clauses for international data transfers (“UK Addendum”). These documents, often referred to as UK standard contractual clauses (“UK SCCs”), were accompanied by a document outlining transitional provisions concerning use of the pre-2021 standard contractual clauses for transfers out of the UK.
Businesses transferring personal data out of the UK to third countries outside the European Economic Area (“EEA”) will have to reassess and analyze their international data flows and, if necessary, update their underlying transfer mechanisms. If Parliament has no objections, the new transfer mechanisms will come into force on March 21, 2022.
Framework for International Data Transfers in the UK
Under the United Kingdom General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018 (together “UK Data Protection Laws”), as under the EU General Data Protection Regulation (“EU GDPR”), companies are required to implement valid data transfer mechanisms when transferring personal data outside the UK to countries not providing an adequate level of data protection.
In the EU, companies transferring personal data to countries outside the European Economic Area (“EEA”) often use the EU standard contractual clauses recently updated by the European Commission on June 4, 2021 (“EU SCCs”) as a valid transfer mechanism (for more information, see our prior WilmerHale client alert). Since the EU SCCs were published following the UK’s exit from the EU, these do not apply automatically for the UK. As a result, UK companies have been facing legal ambiguity when it comes to putting the proper transfer mechanism in place. The UK SCCs are drafted to address existing legal uncertainties for UK companies and provide a toolkit for restricted transfers.
International Data Transfer Agreement
The IDTA is a standardized agreement addressing the handling and safeguarding of personal data by organizations importing (or receiving) personal data from the UK. Among other terms, the IDTA contains mandatory clauses on data protection to safeguard the data being transferred, including effective and enforceable data subject rights. The UK’s Information Commissioner’s Office (“ICO”) has determined that these clauses constitute appropriate safeguards. Companies entering into IDTAs may not amend the mandatory clauses in any way. Companies may put the IDTA in place as a standalone solution accompanying the respective main contract to comply with the UK GDPR’s data transfer restrictions.
UK Addendum to the 2021 EU Standard Contractual Clauses
In addition to, and as an alternative to, the standalone IDTA, the ICO has published a UK Addendum that businesses may enter into alongside the EU SCCs. The UK Addendum amends EU SCCs already agreed to between companies with respect to data transfers to recipients outside the UK.
Most EU companies operating internationally currently use EU SCCs for their data transfers outside the EU and the UK. For companies subject to both the UK GDPR and its EU equivalent, the UK Addendum allows them to secure their international data transfers outside the UK without implementing fully separate transfer mechanism solutions. In particular, multinational companies are likely to favor the upcoming option of supplementing existing arrangements based on the EU SCCs with additional UK-compliant clauses rather than implementing the IDTA as a separate transfer mechanism.
Practical Impact on Businesses
In light of the requirements imposed by the Schrems II decision of the Court of Justice of the EU, companies are required to continue carrying out transfer impact assessments (“TIAs”) for each third country. TIAs assess local laws and practices to determine whether they override or contradict the mandatory clauses that the UK SCCs contain. This ensures that the relevant safeguards and protections remain adequate in light of the protections under UK Data Protection Laws. The ICO has issued comprehensive guidance on TIAs that provides companies with helpful explanations on implementation. Companies are advised to carefully document their TIAs.
For U.S.-based companies, the introduction of new and potentially separate UK SCCs may add more complexity to contract and process management. Companies operating as data importers need to ensure that their internal procedures reflect EU SCCs, the IDTA and UK Addendum including any potential differences (depending on which of the module(s) for data transfers apply). This may, in some cases, require a systematic reorganization of processes related to initiating and managing contractual relationships that require restricted transfers.
UK companies must complete the implementation of the UK SCCs no later than March 21, 2024 to safeguard their personal data transfers to organizations elsewhere in third countries that do not provide an adequate level of protection.
Contracts entered into on or before September 21, 2022 on the basis of the EU SCCs adopted by the European Commission in 2004/2010 continue to provide appropriate safeguards until March 21, 2024 under the UK GDPR. This only applies provided that the processing operations and the subject matter of the respective contract remain unchanged and provided there are appropriate safeguards. In sum:
- For existing contracts, companies currently have three options available to safeguard their international data transfers: (i) maintaining the old EU SCCs, (ii) implementing a new IDTA, or (iii) implementing the new UK Addendum alongside the EU SCCs. They will have until March 21, 2024 to update existing contracts by using the new UK SCCs.
- For new contracts concluded between March 21, 2022 and September 21, 2022, companies may use (i) the old EU SCCs, (ii) the IDTA, or (iii) the UK Addendum alongside the EU SCCs.
- For new contracts concluded on or after September 21, 2022, companies are restricted to using the new UK SCCs, i.e. (i) the IDTA, or (ii) the UK Addendum together with the EU SCCs.
The introduction of the UK SCCs creates more legal certainty for UK companies and for data importers in third countries. At the same time, however, the wide range of options introduces an additional decision-making step and increased complexity both for UK companies and data importers in third countries such as the U.S.
The ICO aims to issue additional guidance on international data transfers from the UK shortly. This will include in particular (i) clause-by-clause guidance to the IDTA and UK Addendum, (ii) guidance on how to use the IDTA, (iii) guidance on carrying out TIAs, and (iv) further clarification on the ICO’s international transfers guidance.