Patchworking Data Protection Regimes: UK Adopts New Data Transfer Mechanisms Post-Brexit and Schrems II
Two new United Kingdom (“UK”) data transfer mechanisms, the International Data Transfer Agreement (“IDTA”) and the International Data Transfer Addendum (“UK Addendum”) to the European Union’s (“EU”) new standard contractual clauses (“SCCs”), came into force on March 21, 2022. These new mechanisms replace the UK’s use of the old EU SCCs, which, due to Brexit, were still valid in the UK but were replaced in the EU with new SCCs in June 2021. Contracts entered into on or before September 22, 2022, on the basis of the old EU SCCs will continue to provide appropriate safeguards under the UK General Data Protection Regulation (“UK GDPR”) until March 21, 2024, as long as (1) the nature of the processing of personal data doesn’t change during the term of the contract and (2) the transfer is subject to appropriate safeguards.
The Need for New UK Data Transfer Mechanisms Post-Brexit and Schrems II
For context, the need for these new UK data transfer provisions arose from a combination of the UK GDPR, Brexit, and prior EU data protection laws. Before March 21, 2022 (and still currently), companies and organizations making personal data transfers from the UK have been entering into the old EU SCCs, which were adopted by the European Commission under the 1995 Data Protection Directive.
As we previously reported, in July 2020, the Court of Justice of the European Union (“CJEU”) released its decision in Schrems II, which stated that whether the EU SCCs may constitute a lawful basis for the transfer of personal data outside of the EU depends on whether the recipient of the data operates in a jurisdiction that affords “a level of protection essentially equivalent to that guaranteed within the EU.” Given that the Schrems II decision was handed down during the Brexit transition period, it is still binding on the UK GDPR.
As we reported in June 2021, the EU published new SCCs that take into account the legal analysis from Schrems II; however, because the new SCCs were adopted after Brexit, they are not valid for transfers for which the UK GDPR applies.
Differences between the UK Addendum and the IDTA
The UK Addendum is an “add-on” to the new EU SCCs, meaning that for large multinational organizations that plan to have data transfers subject to both the EU GDPR and UK GDPR, or for organizations that have already adopted and implemented the new EU SCCs, the UK Addendum is likely a more straightforward choice. The UK Addendum essentially amends and incorporates the new EU SCCs to the extent necessary so that they operate for data transfers where the UK GDPR applies. It adds little to the new EU SCCs apart from adapting them to appropriately refer to the UK, UK laws, and England and Wales as the governing laws.
On the other hand, the IDTA is a stand-alone agreement intended to be used for UK data transfers without also having to enter into the new EU SCCs, meaning that it may be a better choice for organizations that are only UK-based or do not process any personal data for which the EU GDPR applies.
While the substantive obligations still closely track the EU SCCs, the IDTA takes on a “one-size-fits-all” approach rather than the modular structure of the new EU SCCs, with Part 1 organized in a tabular format specifying the contracting parties’ information, the transfer details, the categories of transferred data, and security requirements for storage and processing. Furthermore, Part 2 allows the parties to add “Extra Protection Clauses” beyond those required by law. The “Mandatory Clauses” in Part 4 set out the exporter’s and importer’s obligations, including provisions on how the exporter and importer will ensure there are appropriate safeguards in place, how data subjects can exercise their rights, how to give third parties access to transferred data under local laws, and what actions the parties must undertake in the event of a data breach.
Notably, due to its structure, the IDTA also covers more relationship scenarios than those contemplated by the EU SCC modules; for example, it can be used if a processor transfers personal data to an organization which is not its instructing controller or its sub-processor.
What This Means for You
Whether an organization enters into a contract on the basis of the UK Addendum or the IDTA, the organization is still required to carry out a data transfer impact assessment (“TRA”) to ensure that data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime. The UK Information Commissioner’s Office (ICO) published a draft international transfer risk assessment and tool in August 2021, but has not yet released a final version.
Additionally, regardless of which transfer mechanism is selected, the grace period for the old EU SCCs concludes on September 21, 2022. Legacy contracts entered into before that date will continue to be valid for data exports from the UK until March 21, 2024, provided the relevant processing operations that are the subject of the contract remain unchanged.
For organizations that are working toward the December 27, 2022 deadline for implementing the new EU SCCs in legacy contracts, simultaneously implementing the UK Addendum would be efficient. If organizations contract with multiple data importers in both the EU and UK, it is advisable to begin this process sooner rather than later.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.