News and Publications

UK international data transfers: the proposed new regime

Posted: 27/09/2021


The UK Information Commissioner's Office (ICO) has launched a public consultation on its proposals for an international data transfer agreement (IDTA), which is – as a post-Brexit change - intended to replace EU Standard Contractual Clauses (SCCs) as a safeguard between parties transferring personal data from the UK to countries not covered by adequacy decisions recognised by the UK.

These proposed measures will not affect transfers from the UK to EEA countries or Andorra, Argentina, Canada (commercial companies only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan (private sector companies only), Jersey, New Zealand, Switzerland and Uruguay, which are subject to EU adequacy decisions recognised by the UK. SCCs have typically been used as a contractual safeguard for transfers of personal data from the UK/EU to many jurisdictions, including the USA, India and China. While the EU has itself recently published new SCCs under the EU General Data Protection Regulation (GDPR), these are not valid for transfers of personal data from the UK in light of the UK’s departure from the EU.

The ICO’s consultation on IDTA remains open until 7 October 2021. The consultation also includes a precedent UK transfer risk assessment (TRA) and a template addendum to the new EU SCCs intended to simplify contract documentation for companies making both UK and EU transfers. These are explained further below. There is also useful guidance for international data transfers from the UK.

We expect the ICO to finalise the form of IDTA and associated TRA guidance early next year.

Current compliance requirements

In the meantime, companies transferring personal data from the UK in a way which requires a contractual safeguard will need to use the old EU SCCs – the ICO has helpfully provided a version of this to facilitate its use for UK transfers, which is available here. Before relying on an appropriate safeguard, companies must undertake a transfer impact assessment to ensure that the data subjects of transferred data continue to benefit from a level of protection equivalent to that under the UK data protection regime. This assessment considers the protections contained in that appropriate safeguard and the legal framework of the destination country.

If the company determines that the appropriate safeguard does not alone provide the necessary level of protection, it is permitted to include additional measures which may collectively suffice to ensure that the transfer could go ahead, for example, additional contractual, technical and organisational measures. The ICO has stated it will issue guidance on this topic in due course.

Consultation in more detail


The IDTA

The IDTA is proposed as an adequate contractual safeguard to be used by companies under the UK GDPR and consists of the following elements:

  • tables containing specific information regarding the restricted transfer at hand;
  • the provision of clauses providing extra protection;
  • optional commercial clauses;
  • mandatory clauses (including provisions relating to how the importer/exporter will ensure there are appropriate safeguards in place, compliance with ICO requests, actions to be taken should a personal data breach occur, onward transfers and sub-processing/data subject rights.)

The ICO has welcomed feedback on the draft IDTA, to ascertain whether it is clear how the IDTA should be used in conjunction with the TRA (explained below) and whether it is preferable over the modular approach adopted by the new EU SCCs.

Addendum

The ICO has released a template draft addendum amending the new EU SCCs to enable them to be used for UK data transfers alongside the new EU SCCs instead of the IDTA. If the addendum is approved, companies which are subject to both the EU and UK GDPR will not need to implement separate transfer agreements for restricted transfers from the UK and the EU, which should serve as a helpful saving of time and resource. This would be an extremely welcome approach, to assist in simplifying transfer documentation.

TRA

To assist companies in making routine transfers, the ICO has released a draft TRA tool. However, they are also permitted to use their own risk assessment methods. The TRA comprises of three stages:

  1. the company must establish the tool is suitable for the transfer at hand (eg it is a routine transfer as opposed to high risk) considering the nature of the importer, any onward transfers and the purpose, method and regularity of the transfer;
  2. the company must consider whether the IDTA is enforceable in the destination jurisdiction. If in doubt, the company must perform a supplementary risk assessment considering any potential harm to data subjects and ways to reduce risk. The ICO provides guidance on this along with guidance on supplementary measures to implement the IDTA; and
  3. finally, the company must assess how the destination jurisdiction regulates third-party access to personal data along with its surveillance laws. The ICO also provides guidance on safeguarding the rights of data subjects and assessing how likely third-party access will be.

The guidance

The guidance for international transfers from the UK poses various questions to respondents, relating to the transfer of personal data along with wider questions relating to the scope of the UK GDPR. It questions when a relevant transfer is considered to have taken place, allowing respondents to select different options depending on how they interpret the UK GDPR. A key point to note in the guidance is that the ICO is intending to update its current position that a transfer to an entity already directly subject to the UK GDPR by Article 3(2) does not form a restricted transfer to reflect that such a transfer occurs whenever the exporter is subject to the UK GDPR (whether they are located in the UK or overseas) and the importer is located outside of the UK.

Next steps

Once closed, the consultation documents will be finalised by the ICO before the proposals are laid before Parliament. If approved, the IDTA should come into force 40 days after its submission. Three months after the IDTA comes into force, companies will no longer be able to use the old EU SCCs for restricted transfers and 21 months after this companies will need to have replaced all old EU SCCs with the IDTA for ongoing transfers. This allows companies three months to implement new safeguards for transfers before they must adopt the ICO’s model and 24 months overall to remove all use of the old EU SCCs.

This article has been co-written by Grace Lymer-Sullivan, associate - IP, IT and commercial.


Return to news headlines

Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority.

Penningtons Manches Cooper LLP