The Information Commissioner’s Office (ICO) has recently issued new standard contractual clauses (SCCs) for international transfers of personal data from the UK to “third countries” or international organisations. These transfers are known as “restricted transfers”.
If organisations export personal data out of the UK to these third countries (i.e. countries that are not in the EEA or that are not on the list of countries deemed by our government to have adequate legal safeguards for the transfer of personal data), they will most likely need to use SCCs with the importing organisation to ensure that the transfers comply with the EU’s General Data Protection Regulation 2016 (EU GDPR) as amended and incorporated into UK law following Brexit (UK GDPR).
These new SCCs are contained within the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers (Addendum).
Both documents (the IDTA and Addendum) are the UK’s equivalent of the EU’s own SCCs which are used for the transfer of personal data from EU member states to third countries. The European Commission adopted the latest version of the EU SCCs (the “new” EU SCCs) in June 2021 and, following Brexit, they are no longer valid for restricted transfers under the UK GDPR. The UK had until recently continued to use the “old” EU SCCs, namely those which were adopted under the Data Protection Directive 95/46/EC.
Data exporters may now use either the IDTA or the Addendum when making restricted transfers of personal data outside the UK. The differences between the two alternatives can be explained as follows:
The IDTA and Addendum may be used as one of the “appropriate safeguards” referred to in Article 46 of the UK GDPR for restricted transfers of personal data from the UK which are not covered by the UK’s “adequacy” regulations. These regulations currently cover restricted transfers to countries in the EEA as well as countries, territories and sectors covered by existing EU “adequacy decisions”.
The IDTA and Addendum were issued under Section 119A of the Data Protection Act 2018 and came into force on 21 March 2022 following Parliamentary approval. Although these SCCs may be used immediately, the ICO has issued an accompanying document setting out transitional provisions which confirm the following:
The IDTA and Addendum are designed to provide further clarity for UK organisations transferring personal data to organisations based outside of the UK or EEA. In particular, they should address the uncertainty which followed the European Commission’s adoption of new EU SCCs in June 2021.
The ICO is expected to publish additional guidance in due course regarding the use of the IDTA and Addendum for international transfers of personal data. In the meantime, data exporters may wish to consider the following:
Hosted and sponsored by Michelmores and organised by the SCL Tech Transactions Group. Join SCL’s Technology Transactions Group on 28 November 2024 for a half day event focusing on how...
Our next MAINstream Pitch Event will be taking place at our Exeter office on Tuesday 3 December. There will be time to catch up over...