Out-Law News
01 Feb 2022, 5:22 pm
The 21 March 2024 deadline will also apply to any new contracts agreed between now and 21 September 2022 where the data transfers provided for in those agreements are underpinned by old EU standard contractual clauses (EU SCCs).
The deadlines were confirmed by the UK’s Information Commissioner’s Office (ICO) after a new international data transfer agreement (IDTA), and other supporting documents, were laid before the UK parliament last week. They will not come into force until 21 March 2022.
UK data protection law, like its EU equivalent, places restrictions on the transfer of personal data outside of the jurisdiction, reflecting the fact that data protection standards vary globally. The legislation requires exporters to ensure, via the legal tools available to them, that the transferred data is governed in accordance with the data protection standards that apply in the UK.
The IDTA is designed to govern the handling and safeguarding of personal data by those importing personal data from the UK and give exporters confidence that the data transfer arrangements are in line with the UK General Data Protection Regulation (UK GDPR). Like the new EU SCCs published last year by the European Commission as a transfer tool to comply with the international transfer provisions under the EU GDPR, the IDTA will be available from 21 March as a transfer tool for exporters with obligations under the UK GDPR.
Alongside the UK IDTA, the ICO has also published an addendum that businesses can enter into alongside the EU SCCs to ensure their data transfer arrangements comply with UK data protection law.
Many businesses that operate internationally already rely on EU SCCs as a tool for complying with the EU GDPR, so the ability to add UK compliant clauses to the EU SCCs will be welcomed by multinational companies, according to data protection law experts at Pinsent Masons.
Kathryn Wynn of Pinsent Masons said: “As well as offering a consistent approach for companies already using the EU SCCs, the addendum provides a tidy compliance solution for exporters with obligations under both the EU and UK GDPR. The approach the ICO has taken in relation to the EU SCCs differs from the approach it has taken in respect of binding corporate rules (BCRs) – another legal tool to support international data transfers – where it requires organisations to produce UK versions of their EU BCRs.”
“Overwhelmingly, since the ICO consulted on the new IDTA and addendum last year, what we have seen is an appetite from businesses to use the EU SCCs with the UK addendum – particularly those organisations with an EU presence that want consistency. While the language of the UK IDTA does seem to be more user-friendly than the legalistic EU SCCs, whether organisations will default to the familiarity of the EU SCCs or will start to gravitate towards the UK IDTA now that it is in final form remains to be seen.”
Commenting on how the addendum will sit alongside the EU SCCs, Rosie Nance of Pinsent Masons said: “The hierarchy provisions in the addendum are a potential point of tension. The final version includes a more detailed explanation of hierarchy and attempts to override the EU SCCs’ provision that in the event of a contradiction between the EU SCCs and related agreements, the EU SCCs shall prevail. However, the ICO have said that in the event of any inconsistency or conflict between the two, the UK addendum will override the addendum EU SCCs ‘except where (and in so far as) the inconsistent or conflicting terms of the addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the [UK clauses]’.”
Wynn said organisations will generally welcome the clarity brought by the ICO’s announcements.
Wynn said: “Organisations have been grappling with data protection uncertainty around international data transfers since the EU referendum when this created the potential risk that personal data could no longer flow freely between the UK and the EU27. Brexit then created further uncertainty because the EU and the UK became misaligned in terms of the SCCs being updated to reflect the requirements of the EU and UK GDPR and the ‘Schrems II’ decision. The final versions of the agreement and addendum and clarity on timescales will mean that organisations can now start the ‘Schrems II’ remediation process with confidence.”
Schrems II is a colloquialism used to describe a case ruled on by the Court of Justice of the EU (CJEU) in 2020. In its judgment, the court identified shortcomings with the existing EU SCCs that the European Commission had previously developed, and it confirmed the due diligence exercise businesses must complete to satisfy themselves that their data transfer arrangements will comply with the EU GDPR.
The ‘Schrems II’ ruling spurred the Commission to issue updated EU SCCs and the European Data Protection Board (EDPB) to publish finalised recommendations on measures that supplement transfer tools to help businesses comply with the EU GDPR when transferring personal data to ‘third’ countries.
Because the Schrems II ruling was issued prior to the end of the Brexit transition period, it continues to have effect in the UK. Only the Court of Appeal in England and Wales or the UK Supreme Court can overturn the UK case law set by the CJEU in Schrems II, unless the government legislates to do so itself. The move to establish the new IDTA is the ICO’s attempt to reflect the requirements of the CJEU’s judgment and help businesses meet their legal obligations in the UK.
The ICO has said that additional tools to provide support and guidance will be available soon. In the meantime, it has issued updated guidance on data transfers to reflect the new IDTA. The guidance, among other things, confirms the transitional arrangements and the risk assessment requirements businesses must meet before transferring personal data outside of the UK.
The ICO said: “You may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. All contracts on the basis of the old EU SCCs will continue to provide ‘appropriate safeguards’ for the purpose of UK GDPR, until 21 March 2024. From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the addendum or find another way to make the restricted transfer under the UK GDPR.”
“When you are entering into a contract on the basis of the IDTA or the addendum you must still carry out a risk assessment. This is to make sure that the actual protection provided by the IDTA or addendum, given the actual circumstances of the restricted transfer, is sufficiently similar to the principles underpinning UK data protection laws,” it said.
Wynn said: “Organisations need to remember that the case law from Schrems II is the law of the land in the UK. Therefore, even though the new UK SCCs do not yet apply, organisations need to be carrying out third country risk assessments, implementing supplemental measures to address any risks identified via such assessments and including provisions requiring importers to notify them of foreign public authority data access requests in their contracts.”
Provision has been made for the IDTA to be updated in future to account for any changes made to UK data protection laws. The government consulted on potential reforms last year and is expected to set out its policy intentions in the coming weeks.
The international transfer of personal data can arise in many different contexts. An example is where a business based in one part of the world outsources back-office functions, such as IT, human resources or payroll, to a service provider based in another jurisdiction, or where those functions are performed by another company in the same group but based overseas.
Another example is where businesses engage cloud providers to host their systems and data or provide software services, and the provider’s servers are located all around the world.
‘Follow the sun’ remote IT services, where the jurisdiction from which the services are provided varies over the course of the day, are another example where personal data transfers are made and where consideration from a compliance perspective is required.