What’s happening with UK international data transfers?
01/02/22 – If you or your organisation transfers, or may transfer, personal data to third countries, i.e. countries that are not considered to have an ‘adequate’ level of data protection (which currently includes the U.S.), then read on. If not, then feel free to skip.
Back in August last year we looked at a brand new international data transfer agreement (‘IDTA’) template, together with a new international data transfer addendum to be used with EU SCCs (‘Addendum’), that the ICO published as part of its consultation on ‘how organisations can continue to protect people’s personal data when it’s transferred outside of the UK’.
The ICO’s consultation closed on 7th October 2021, and on 28th January 2022 the Department for Culture, Media and Sport (DCMS) laid the final versions of the IDTA, the Addendum, plus the transitional provisions before Parliament. Unless the relevant statutory instrument is ‘objected to’ (which, given its subject matter, is very unlikely), the IDTA, the Addendum and the transitional provisions will come into force on 21 March 2022.
UK data exporters who enter into agreements with their data importers based on the old EU SCCs (i.e. Standard Contractual Clauses issued under European Commission Decisions 2001/497/EC and 2010/87/EU) on or before 21st September 2022 may, if the subject matter of the processing remains unchanged, continue to rely on those agreements until 21st March 2024. Note that this only applies where the agreements based on the old EU SCCs were modified to ‘fit’ post-Brexit UK data protection laws, and will not apply to EU SCCs entered into prior to Brexit.
Although the ICO have not yet published the responses from the consultation, the changes to the IDTA are limited with the main ones being:
- Increased obligations for the data importer in case a data breach when the personal data is being processed by the data importer (see clauses 15.2 and 15.3).
- The right for a party to the IDTA to refer a dispute to arbitration under the Rules of the London Court of International Arbitration, rather than a new (and apparently now abandoned) IDTA Arbitration Scheme (see clause 35.1)
- The right for the ICO to update the IDTA template from time to time (including to reflect changes in UK data protection law), with updates automatically being incorporated into all then-current IDTAs (clause 5.4) This is clearly sensible, given the extensive changes to UK data protection law currently being considered by DCMS.