The UK’s international data transfer agreement and SCC Addendum: What multinationals need to know

10 March 2022
After some uncertainty following Brexit, multinational organisations with a UK presence will soon be able to make cross-border personal data transfers from the UK under new data transfer agreements. Barring Parliamentary objections, UK authorities will approve the new agreements, which broadly align with the EU’s standard contractual clauses.
Two new ways to transfer data from the UK: The IDTA and Addendum

Subject to Parliamentary approval, starting 21 March 2022, businesses can transfer personal data from the UK to third countries by executing new transfer agreements. (Under UK regulations, “third countries” are countries or territories outside the UK.)

The first transfer agreement is the UK Information Commissioner’s Office’s (ICO’s) new international data transfer agreement, or IDTA. This option will primarily be used in cases where a UK organisation has no presence in the EU and wishes to transfer personal data to third countries only from the UK.

The IDTA broadly resembles the EU’s standard contractual clauses, or SCCs. As with SCCs, the IDTA is comprised of contractual clauses that have been pre-approved, in the IDTA’s case to allow data transfers from the UK to third countries by ensuring that appropriate safeguards are in place.

There are however differences between SCCs and the IDTA. The IDTA is a single checklist-type document, whereas SCCs are separate documents based on the nature of the role of the parties involved (for example, controller to controller, controller to processor, etc.). In addition, and perhaps more significantly, the IDTA can cover transfers to organisations located in third countries, even if the data importer is directly subject to Article 3(2) of the UK GDPR. SCCs do not cover this type of transfer.

The second agreement for transferring personal data from the UK to third countries is the ICO’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum). The Addendum will likely be more commonly used than the IDTA for transfers of personal data outside the UK when an organisation has one or more EU entities within its structure (in addition to its UK entity or entities) that are also transferring personal data to third countries outside the EEA.

UK contracts under old SCCs and a grace period

The ICO has confirmed that any contracts under the old, pre-GDPR EU SCCs that are entered into on or before 21 September 2022 will continue to be compliant until 21 March 2024. Such contracts will remain valid as long as the data processing operations remain unchanged and the old SCCs ensure that data transfers are subject to appropriate safeguards (in line with the requirements of the Schrems II decision).

During this grace period, corporations will not need to abandon contract negotiations under the old SCCs. Instead, they will need to complete such contracts on or before 21 September 2022. This benefit, however, only applies to personal data transfers solely from the UK to third countries; this is because transfers from the EU should no longer be done under the old SCCs. For example, if a US-based corporation is transferring personal data from both the UK and the EU, then the corporation should execute the new EU SCCs and Addendum.

UK entities that have existing contracts under the old SCCs will need to remember to switch to an IDTA or the Addendum starting 21 March 2024.

Other considerations

The grace period that allows continued compliance with the UK GDPR is a welcome announcement for organisations with a UK presence. Moreover, the UK authorities’ decision to closely align the new rules with the EU’s approach to international data transfers will help those organisations stem the rising costs of data protection compliance, since they will have related controls already in place. These cost advantages could help the UK remain a competitive target destination for multinational organisations looking to expand into European markets.

That said, it remains to be seen how EU authorities will receive the UK’s IDTA. The UK is of course no longer subject to EU law (apart from what it has chosen to retain), but it continues to rely on the EU’s adequacy decision, which is temporary and subject to revocation by the EU. A challenge by the European Data Protection Board or EU Commission to the IDTA’s effectiveness may lead EU authorities to question the validity of the adequacy decision. Indeed, the EU’s 2021 adequacy decision for the UK warns that the EU Commission will “closely monitor the situation.”

John Tay, Associate, Solicitor, Vistra Corporate Law, contributed to this article.