The UK Government has put forward for approval by Parliament a new safeguard mechanism for international transfers, known as the International Data Transfer Agreement (IDTA), that will impact organisations transferring personal data out of the UK. If approved, the IDTA will apply from 21 March 2022, and we would encourage affected organisations to review their data transfer processes now.
International transfers of personal data post-Brexit
There are a number of legal bases for carrying out international data transfers - most notably adequacy arrangements, such as the one in place between the UK and EEA Member States - but the Standard Contractual Clauses (SCCs) are a commonly used tool for transferring to other jurisdictions. The European Commission updated its version of the SCCs last year, and any existing agreements relating to international transfers out of the EEA to other countries must be replaced by the new EU SCCs by December 2022.
Now that the UK is no longer part of the EU, the UK is in a different position. Immediately post-Brexit, the UK continued to use the old EU SCCs while the UK Information Commissioner's Office (ICO) developed its own version - the IDTA. This is the agreement that has now been laid before Parliament for formal approval along with an additional agreement (the Addendum) which allows the new EU SCCs to apply to UK transfers if they are part of a larger set of transfers where EU laws also apply. Assuming there are no objections then the IDTA and the Addendum will come into effect as of 21 March 2022.
Although the two documents will come into force in March, the ICO has allowed for a transitional period. The ICO states that organisations "may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. All contracts on the basis of the old EU SCCs will continue to provide 'appropriate safeguards' for the purpose of UK GDPR, until 21 March 2024. From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the Addendum or find another way to make the restricted transfer under the UK GDPR."
What must affected organisations do now?
Organisations that transfer personal data out of the UK need to be considering how to document such transfers from March onwards.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.