After Brexit took effect last year, the United Kingdom was no longer subject to the European Union’s General Data Protection Regulation (GDPR). While the UK already followed a data privacy regime that is substantially similar to the GDPR, the approach to data protection in the UK and the EU does differ in a number of ways that affect businesses.
Standard Contractual Clauses
As discussed in our prior alert, the European Commission (Commission) issued revised Standard Contractual Clauses (SCCs) on June 4, 2021 for the transfer of EU personal data from the EU to jurisdictions deemed to have inadequate privacy regimes, such as the United States. These new EU SCCs went into effect after Brexit, and, accordingly, the UK Information Commissioner’s Office (UK ICO) did not initially consider them to be valid transfer mechanisms under the UK GDPR. The UK ICO instead advised companies to use the old EU SCCs as a temporary measure. For businesses operating in both the European Economic Area and the UK, this created the burden of becoming familiar with the new EU SCCs while at the same time contending with an uncertain framework for UK data transfers.
The UK’s Model Clauses for Restricted Transfers
In light of these changes and the continuing need for the UK to formulate its own data transfer mechanisms, the UK ICO has issued new model clauses for “restricted transfers” of data to jurisdictions that are not covered by an adequacy decision. These clauses — the International Data Transfer Agreement (IDTA) and a separate IDTA Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers (IDTA Addendum) — will eventually phase out use of the outdated SCCs. The documents are the result of a consultation process launched by the UK ICO in the fall of 2021.
As part of its proposals, the IDTA offers: a straightforward checklist format for parties to use when filling out information about themselves and their data transfer details; a one-size-fits-all design that applies regardless of whether the parties are acting as controllers or processors (as opposed to the new EU SCCs’ modular format); and the ability to reference the terms of underlying “Linked Agreements” such as an MSA or DPA.
Additionally, the UK ICO issued an IDTA Addendum, a relatively simple and intuitive document that replaces EU-specific terms in the new EU SCCs with UK-specific language. By executing the IDTA Addendum, companies will be able to use the new EU SCCs in connection with UK data transfers. The possibility of incorporating a simple addendum may be very helpful to businesses that have already shifted toward the new EU SCCs for their data transfers.
Regardless of whether companies employ the IDTA or the IDTA Addendum, the UK ICO has advised that, when making data transfers to jurisdictions not covered by an adequacy decision such as the United States, companies must undergo a risk assessment that takes into account “the legal framework of the destination country (including laws governing public authority access to the data).” This echoes the EU requirement that SCCs must be accompanied by “supplemental measures” where local laws create risks to the fundamental rights and freedoms of data subjects. This is in line with the European Court of Justice’s Schrems II decision.
Both the IDTA and IDTA Addendum were submitted to the UK Parliament on January 28, 2022. If approved by Parliament, these documents will become effective on March 21, 2022. Businesses may continue to use the old EU SCCs with any new data transfer agreements until September 21, 2022. After that date they must transition to the IDTA or IDTA Addendum. For existing contracts that incorporate the old EU SCCs, businesses have until March 21, 2024 to switch over to the new UK documents.
The Bottom Line
- As a result of Brexit, the UK has introduced its own new documents to govern certain cross-border transfers of personal data.
- Businesses need to be aware of the similarities and differences between the EU and UK approaches.