What is the UK International Data Transfer Agreement and What Are the Implications?

Published on 25 Jul 2022

On 2 February 2022, the Information Commissioner’s Office (ICO) laid before Parliament changes around restricted international personal data transfers.  The international data transfer agreement (IDTA) and the UK Addendum to the current European Commission’s standard contractual clauses (SCCs) are the next steps in providing a transfer tool for complying with the UK GDPR when conducting restricted transfers of personal data.

Background

Following the EU referendum and as part of Brexit, the GDPR was incorporated into UK law through the Data Protection Act 2018, and the parts of it that apply to people in the UK became known as the ‘UK GDPR’. The UK left the EU on 31 January 2020 and entered a transition period that ran until 31 December 2020.

At the end of that transition period, the ICO adopted the approach that transfers of personal data outside of the UK could temporarily rely on the EU provisions for restricted transfers, namely the EU SCCs.  In June 2021, the EU updated the SCCs, which many organisations have since adopted.

These SCCs, however, were not incorporated into the UK GDPR, because the ICO developed a UK-specific framework for personal data transfers. That framework includes the ICO’s own scheme for determining whether the recipient country (where the ‘data importer’ is located) provides an ‘adequate’ level of protection for individuals’ rights in respect of the processing of their personal data in a third country (i.e., a country that is neither the UK nor an EU Member State).

Why is this Needed?

On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its judgment on the adequacy of the previous safeguards, i.e., the EU-US Privacy Shield and the previous EU SCCs, which were designed to safeguard transfers of personal data to the United States and other third countries outside the EU. The ruling is now commonly known as Schrems II. As a result, the Privacy Shield scheme was ruled unlawful, the EU SCCs were swiftly updated, and supplementary arrangements were applied. The judgment forced organisations across the UK and EU to carefully consider their arrangements for making restricted transfers, not just to the USA, but to any third country that does not benefit from a decision of ‘adequacy’.

The ICO defines a transfer as being restricted if:

  • The UK GDPR applies to the personal data being transferred
  • The data exporter is sending data or making it accessible to a data receiver/importer to whom the UK GDPR does not apply
  • The importer is a separate organisation or individual (including another organisation in the same corporate group).

What’s Changing?

After 21 September 2022, organisations processing UK personal data must use the IDTA or the UK Addendum if they want to enter into new arrangements for transfers which are subject to the UK GDPR.  In addition, any existing arrangements for transfers out of the UK based on the old EU SCCs must be replaced by 21 March 2024.

For EU-based organisations which need to transition their arrangements for EU data transfers to the new EU SCCs, these need to be completed by 27 December 2022, a much shorter timescale!

It is important to note that the IDTA and UK Addendum are only intended to legitimise restricted international transfers. They do not include the controller-to-processor clauses required by Article 28 of the UK GDPR and EU GDPR; these must be included in a separate commercial agreement/contract governing the processing and referenced within the IDTA.

Implications and Next Steps

  1. Review and update intra-company agreements – if you have transfer agreements within your organisation, for example between UK and US entities, these need to be reviewed and updated to use either the IDTA or the ‘new’ (2021) EU SCCs with the UK Addendum.
  2. Conduct or review personal data transfer risk assessments – transfer risk assessments (TRAs) must be conducted for any existing or potential new restricted transfers.
  3. Review data sharing agreements with suppliers – review agreements with suppliers to determine whether SCCs are, or should be, included in the data sharing agreements. Where they are, these should be updated to include either the IDTA or the ‘new’ EU SCCs with the UK Addendum.
  4. Implement a law enforcement request policy – if your organisation (or any of its suppliers) has entities in jurisdictions where law enforcement can issue subpoenas or warrants for the disclosure of personal data, a policy should be developed setting out how such requests will be handled.

Do you need assistance in improving your GDPR compliance position?

URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules, training programmes, etc.