UK: IDTA and UK Addendum to EU SCCs enter into force
As of 21 March 2022, UK-based data exporters can use the International Data Transfer Agreement ('IDTA') and International Data Transfer Addendum to the European Commission's Standard Contractual Clauses ('UK Addendum') as a mechanism to transfer personal data internationally under Article 46 of the UK General Data Protection Regulation ('UK GDPR'). The IDTA serves as an alternative to the EU Standard Contractual Clauses ('SCCs') for use by data exporters in the UK, while the UK Addendum can be utilised in tandem with the EU SCCs in order to continue transferring personal data. This Insight considers some of the practical implications of the entry into force of the IDTA and UK Addendum, featuring insights from William Long, Partner at Sidley Austin LLP, and Owen O’Rorke, Partner at Farrer & Co.
What entered into force and what does this mean for data transfers?
The Information Commissioner's Office ('ICO') launched a public consultation on its IDTA and UK Addendum on 11 October 2022. The Department of Culture, Media & Sport ('DCMS') consequently laid a final version of the documents, accompanied by Transitional Provisions, before Parliament, on 2 February 2022. The three documents were scheduled to enter into force on 21 March 2022, unless Parliament decided to make any changes therein.
With 21 March now upon us, Long outlined the impact of this new data transfer mechanism:
"The next few months will be a key time for international companies to consider their international data transfer arrangements. With the transitional periods now running, and with the new EU SCCs and the UK IDTA now in force, companies will need to rapidly start to implement actions under their data transfer projects. These projects will require the involvement of a number of stakeholders in the business, from legal, compliance, information security, and procurement, and will involve not only a design stage in determining the contract updates required but also an implementation stage where decisions will need to be taken as to how to prioritise contract updates, how to deal with contract negotiations, the form of technical and organisational measures to be included in the contracts, how to respond to Schrems II data transfer assessments and how to train and prepare staff who are implementing these changes. At the same time, a careful eye will need to be given to continuing developments in international data transfers, with increasing cases following Schrems II, and with possible new data transfer solutions, such as a new EU-US Privacy Shield 2.0, and new adequacy decisions, particularly from the UK."
Timeline for implementation
The Transitional Provisions serve to explain that contracts concluded on or before 21 September 2022 on the basis of any EU SCCs continue to provide appropriate safeguards under Article 46(1) of the UK GDPR until 21 March 2024. Article 46(1) states that a controller or processor may transfer personal data to a third country or international organisation only if such controller or processor has provided appropriate safeguards and where enforceable data subject rights and effective legal remedies for data subjects are available. As such, the transfer may continue to take place, provided that the processing operations that are the subject matter of the contract remain unchanged and reliance on those SCCs ensures that the transfer of personal data is subject to appropriate safeguards. Contracts concluded after this date of 21 September 2022 must utilise either the IDTA or the UK Addendum alongside SCCs in order to comply with the UK GDPR.
Choosing between the IDTA or UK Addendum
The ICO has outlined that organisations can now choose to either use the IDTA or the UK Addendum when making restricted transfers under the UK GDPR. Specifically, the ICO highlighted that the IDTA incorporates and amends the new EU SCCs, providing an appropriate safeguard under the UK GDPR for personal data sent or made accessible to a recipient in a third country that does not have an adequacy decision. On the other hand, the UK Addendum allows organisations to use the EU SCCs themselves to cover both transfers, avoiding the need to use both the EU SCCs and the IDTA.
In terms of the factors for organisations to consider when choosing between the IDTA and the EU SCCs in tandem with the Addendum, both Long and O'Rorke drew attention to the impact of an organisation's location on its decision-making.
Transfers in context of operations in EU, UK, and third countries
Specifically, Long highlighted, "Where the company is exporting personal data from the EU and the UK it is likely that the more favoured approach will be to use the UK Addendum as this will allow use of the EU SCCs for transfers from the EU and also use of the EU SCCs with a UK Addendum added on top for transfers from the UK. This makes the drafting required much easier and will likely result in less discussion and negotiations with the data importer who will likely be used to the SCCs but not the UK IDTA. This approach will likely also assist with consistency in relation to the contractual provisions applying to international data transfers from the EU and the UK."
O'Rorke further highlighted the potential advantages of the UK Addendum in such a scenario: "Where companies are operating globally – in the sense of having group operations or service lines that cover the UK, EU and third countries – I just can’t see any sensible option other than using the new EU SCCs as the base transfer mechanism, with a local law addendum (which works for the UK and also Switzerland, for example).
For one thing, of course, the IDTA on its own simply wouldn’t work; and secondly, building all global processing off the same core contractual model keeps everything streamlined, mitigates the need for additional operative clauses on top of the SCCs, and minimises the need for negotiation and explanation with stakeholders."
Transfers in context of operations predominantly in UK and third countries
Conversely, in the context of operations primarily in the UK and third countries, Long identifies additional factors to be accounted for: "For companies that only export data from the UK to third countries, or where the predominant transfers are from the UK then there are some factors that may convince the company to use the IDTA. The IDTA allows for incorporation of a 'linked agreement' into the IDTA, such as a services agreement, which can be useful so the data protection provisions sit within the broader commercial arrangement. This contrasts with the SCCs which just incorporate the Article 28 data processing provisions."
It is also worth noting that the IDTA does not follow the same modular approach as the EU SCCs, which contain dedicated streams for controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller contracts. Instead, the IDTA consists of four major parts applicable to restricted transfers:
- Part 1: Tables related to parties and signatures, transfer details, transferred data, and security requirements;
- Part 2: Extra Protection Clauses, technical, organisational and contractual;
- Part 3: Commercial Clauses; and
- Part 4: Mandatory Clauses.
Commenting on these structural differences, O'Rorke considered a potential advantage to opting for the IDTA: "If a UK-based organisation has not previously used any contractual mechanism for transferring personal data overseas, and their data does not need to pass through the EEA, it might find the IDTA to be a slightly more methodical and user-friendly way to get started."
Long further elaborated, "The IDTA also allows for more flexible commercial provisions, such as arbitration clauses, and allows for supplementary measures, required by a Schrems II data transfer impact assessment, to be listed in the IDTA. The IDTA not being based on the modular approach in the SCCs is also arguably more flexible in that it can be used in cases where there is no SCC module, such as if a processor transfers to an importer which is neither its instructing controller nor its sub-processor. However, despite certain flexibilities in the UK IDTA it is likely that companies with data transfers from the EU and the UK, or even just from the UK, will use the EU SCCs (with a UK Addendum) as these are now commonly used and understood."
Priority actions for US-based companies
US-based companies relying on the EU SCCs as a recognised transfer mechanism might question whether they should use the UK Addendum from 21 March as a priority or if there are additional considerations. Referring to the difference in transition periods for contracts concluded before or after 21 September 2022, O'Rorke clarified, "If the processing involves exports from the UK then […] getting the UK Addendum in place is a priority – because it should not take long to do, if the new SCCs are in good order already, and also because the new EU SCCs strictly don’t work under UK law without it. The transition period only applies where they are using the old SCCs as an ongoing mechanism for existing transfers.
In truth, on paper, there is no reason why the old SCCs (without a UK Addendum) would be better, or offer more legal protection, than the new SCCs. But that’s the reality of the regime we're in. Whether the ICO would see this as something worth enforcing over is another matter: but if you're a US company relying on the new EU SCCs then I can't see why you'd delay with the UK Addendum now it's in force."
Next steps for organisations
Practically, the introduction of the IDTA, UK Addendum and Transitional Provisions may pose operational challenges for affected organisations. For O'Rorke, the entry into force of the IDTA represents "an opportune moment [for organisations transferring personal data from the EEA to a third country and particularly for organisations exporting personal data from the UK] to make sure you have a handle on all of those transfers, the nature and volumes of the data involved, and the various directions in which it is traveling around the world."
It should also be noted that, in line with the Court of Justice of the European Union's ruling in Schrems II, the ICO released its draft international Transfer Risk Assessment ('TRA') and tool alongside its initial draft IDTA in October 2021. However, the TRA has yet to be finalised.
In this regard, O'Rorke further highlighted the need to "assess the lawfulness of those data transfers with reference to the important case law developments of the last couple of years (notably, Schrems II) and in light of regulatory guidance (principally from the European Data Protection Board ('EDPB') and ICO – but consulting local regulatory guidance too on a country-by-country basis in the EU); and record that assessment in a 'data transfer impact assessment' (which could be based on ICO's 'TRA' and tool, but notably this hasn't formed part of what came into force on 21 March 2022 so we might assume the draft is subject to further consultation)."
Generally, Long advised that "organisations need to engage in a data transfer project if they have not already started one, which should involve:
- data mapping to identify international data transfers from the EU and UK;
- identify what is an appropriate data transfer mechanism e.g. determine if the country receiving the data is an adequate country or not, such as Japan, and if not whether SCCs, Binding Corporate Rules ('BCRs') or some other GDPR derogation is appropriate, such as where the transfer is necessary for performance of the contract;
- carry out a Schrems II data TRA based on the guidance from the EDPB and, once published by the ICO, the UK form of TRA;
- determine whether to implement EU SCCs for EU data transfers with a UK Addendum for data transfers from the UK or the IDTA;
- review intra-group data transfer agreements and other data transfer agreements with third parties, such as vendors and other controllers, to determine the required amendments to update for EU SCCs and the IDTA;
- consider data privacy laws in countries outside the EU/UK, such as in Argentina, China, Brazil, India, and the US, that may impact international data transfer agreements, to determine if updates will also be required for such countries; and
- develop a strategy to roll out the contract updates, including communications to customers and vendors and training of relevant staff that will need to operationalise the updates."
Further reform on the horizon? Alternative transfer mechanisms, derogations, and impact on adequacy
As part of the Government's consultation paper 'Data: A New Direction', which was issued in line with Mission 2 of the National Data Strategy and which proposed various categories of reform to the UK's regime for data protection, the Government noted its intention to continue improving the design of alternative data transfer mechanisms to ensure the global regulatory framework supports the free flow of personal data (Paragraph 16).
Paragraph 257 of the consultation paper outlines its objective to explore amendments to the international transfers regime to give organisations greater flexibility in their use of transfer mechanisms, spotlighting work by ICO to take greater advantage of existing options for tailored transfer mechanisms like BCRs, Codes of Conduct, and Certification Schemes.
Considering the impact of the IDTA and UK Addendum for alternative data transfer mechanisms under the UK GDPR, Long added, "The UK Government is looking to develop a suite of alternative transfer mechanisms for UK organisations that provide additional flexibility. This includes possibly empowering organisations to create or identify their own alternative data transfer mechanisms, in addition to those listed in Article 46 of the UK GDPR, such as the use of bespoke data transfer agreements. This is an approach similar to that under the New Zealand data protection regime. The Government is also looking at broadening the availability and acceptance of certification schemes, such as transfer mechanisms based on certifications that follow privacy management programmes."
Long further highlighted that the Government's plans for reform in relation to data transfers include "increasing the ability to be able to rely on derogations, such as making it explicit that repetitive use of derogations under the GDPR for data transfers, such as performance of a contract, is permitted."
Commenting on the above, O'Rorke opined, "personally, I see scope for more of a role for well-judged use of derogations in the UK; and we should all hope that ICO enforcement priorities will prioritise real-world risk, rather than on-paper compliance (which, in fairness, the updated EDPB Guidelines also nod towards)."
However, O'Rorke warned that, in his view, "the suggestion of a more favourable, less bureaucratic regime for data exporters falls squarely in the political and legal territory that will cause trouble with the European Commission," adding, "If lawmakers are serious about the commitment in the UK data reform consultation to maintaining our adequacy decision as a priority, they may have to row back on some of these ambitions."
Long also suggested that the UK will need to "strike a balance", cautioning that "the EU will be watching carefully what changes are made to determine whether these undermine the UK adequacy decision made by the EU in June 2021 and which can be reviewed at any time."
Amelia Williams Senior Privacy Analyst
Comments provided by:
William Long Partner
Sidley Austin LLP
Owen O’Rorke Partner
Farrer & Co.