The laws surrounding international transfers of personal data from the UK are due to change in March 2022, in a move that will affect businesses and other organisations who transfer personal data to certain other countries, by imposing continuing obligations on them.
UK GDPR Article 46(1) prohibits data transfers to countries or organisations that do not uphold and maintain appropriate safeguards. In order to ensure compliance with data protection regulations, the ICO is changing the way that data is transferred to places that do not have appropriate measures in place.
The IDTA and the UK Addendum to the European Commission’s standard contractual clauses (SCCs) will come into force on 21 March 2022. These two new documents aim to be more user friendly and will facilitate data transfers to countries and territories that are not approved as being able to provide adequate protection (Unapproved Territories). However, they impose a continuing obligation on organisations exporting data to Unapproved Territories to keep up to date with, and report on, the state of data protection laws and processes of the Unapproved Territory.
Currently, if a business wishes to transfer data to Unapproved Territories, the current SCCs must be incorporated into any data transfer or data sharing agreement. The current SCCs govern and regulate such data transfers to ensure GDPR and ICO compliance.
The IDTA being introduced will act as a new mechanism to facilitate such transfers from the UK only to Unapproved Territories, replacing the original SCCs, whilst the Addendum will act as an addition and variation to the original SCCs for transfers from the UK and EEA to Unapproved Territories.
Adequacy Regulation Exemption
International transfers of data to some countries and territories are restricted by the UK GDPR in order to protect individuals from losing the rights afforded by UK and EU data protection laws. However, if you are transferring data to countries or territories covered by UK ‘adequacy regulations’ (Approved Territory) you may make what would otherwise be a restricted transfer. At the time of writing this article, such Approved Territories are:
- EEA
- Gibraltar
- Territories which, in the eyes of the European Commission, provide adequate data protection laws and procedures (i.e., covered by the EC’s adequacy decisions as at 31 December 2020) which are:
  - Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
  - Japan; however, this is limited to data transfers to private sector organisations.
  - Canada; however, this is limited to data that is subject to Canada’s Personal Information Protection and Electronic Documents Act.
Any transfer to an Unapproved Territory is currently not covered by the adequacy regulations exemption and will therefore require appropriate safeguards, which can take the form of:
- a legally binding instrument which creates enforceable rights and remedies for the individual whose data is being transferred (essentially between public bodies or bodies containing “appropriate safeguards”);
- binding corporate rules (intended for use between group entities); or
- Standard Contractual Clauses (see below).
What are SCCs?
Standard Contractual Clauses contain contractual obligations on both the importer and exporter of personal data, as well as containing rights for the individuals whose data is being transferred. These rights are directly enforceable against the data importer and exporter.
It is therefore imperative that you incorporate these clauses into any agreement to transfer data to countries that are not subject to an adequacy decision. If you do not do this and no other appropriate safeguards are in place, you will be in breach of the UK GDPR and could be fined up to a maximum of £17.5 million or 4% of your global annual turnover, whichever is the higher figure.
How are the SCCs changing and how does it impact your business?
As of 21 March 2022, any business or other organisation wishing to transfer personal data from the UK to an Unapproved Territory will be able to use the IDTA or the Addendum in order to make a restricted transfer. The IDTA and Addendum have been introduced in response to the decision in Data Protection Commissioner -v- Facebook Ireland Limited, Maximillian Schrems (Schrems II), which requires data controllers to evaluate the level of protection afforded by the laws and practices of the Unapproved Territory to which data is being transferred, and whether they reduce the protections contained in the SCCs.
The IDTA and Addendum take this decision into account by placing ongoing obligations on the exporter to carry out Transfer Impact Assessments (TIAs) on the third country to which data is being transferred. Therefore, you must keep up to date with the laws and policies of the country you are transferring data to, ensuring that they do not negatively affect the rights contained under the IDTA or Addendum. You must also carefully document your TIA, so you are able to demonstrate your compliance with the Schrems II decision.
The change in requirements will not be enforced retrospectively in the first instance. If you have existing data transfer agreements in place, these can remain as drafted (providing they incorporate the original SCCs) until 21 March 2024. After this date, all data transfers from the UK or UK and EU must use either the IDTA or the Addendum as appropriate. However, for good practice, you may choose to voluntarily move to the new regime after 21 March 2022 to minimise the risk of inadvertently becoming non-compliant in due course.
For all new contracts, the following shall apply:
- For contracts concluded between 21 March 2022 and 21 September 2022, you may use either the old SCCs, or the IDTA or Addendum (as appropriate).
- For contracts concluded after 21 September 2022, you must use the IDTA or Addendum.