On March 21, 2022, the UK’s International Data Transfer Agreement (IDTA) and Addendum to the European Commission’s Standard Contractual Clauses (SCCs) took effect. The Information Commissioner’s Office (ICO) also announced the entry into force of transitional provisions to align data transfers with SCCs following Brexit and the Schrems II case.
The ICO launched a public consultation on the IDTA and Addendum on August 11, 2021 prior to making its way to parliament on February 2, 2022.
The IDTA replaces the current Standard Contractual Clauses (SCCs) in the UK and was developed in line with the CJEU’s decision in the Schrems II case to enable the continued flow of data with a high level of personal data protection. Data exporters in the UK will be able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.
The ICO stated it will also clarify what a restricted transfer is under the UK GDPR and develop tools and guidance for organizations, including:
- Clause by clause guidance to the IDTA and Addendum
- Guidance on how to use the IDTA
- Guidance on transfer risk assessments
- Further clarifications on their international transfers guidance
What is the International Data Transfer Agreement (IDTA)?
The IDTA is a set of contractual requirements that organizations can use when transferring data to a third country. It serves as one of the appropriate safeguards under Article 46 of the UK GDPR and replaces the current set of SCCs.
The IDTA provides organizations with a baseline of safeguards that offer a sufficiently similar legal standard to the UK GDPR for data transfers to countries without an adequacy decision.
It’s important to note that the IDTA requires organizations to conduct a TRA to ensure that the safeguards provided by the IDTA do not conflict with third-country legislation and that a sufficient level of data protection is achieved.
UK Addendum to the European Commission Standard Contractual Clauses
In addition to the IDTA, the UK addendum to EU SCCs also took effect. The addendum will provide additional appropriate safeguards for organizations relying on Article 46 transfer tools under the UK GDPR when transferring data out of the UK.
Organizations can now choose to either use the IDTA or the Addendum when making restricted transfers under the UK GDPR. The ICO has stated that the Addendum allows organizations to use the EU SCCs themselves to cover both transfers, avoiding the need to use both the EU SCCs and the IDTA.
What are the International Data Transfer Agreement Transitional Provisions?
The IDTA transitional provisions allow for the continued use of the SCCs that were issued under the Data Protection Directive 1995 (The Directive), as an appropriate safeguard under the UK GDPR for new contracts until September 21, 2022. Organizations can rely on the transitional provisions as an appropriate safeguard under the UK GDPR until March 21, 2024.
What is the International Transfer Risk Assessment Tool?
The ICO launched its draft TRA tool alongside the public consultation on the IDTA in August 2021. The tool aims to assist organizations when carrying out a TRA and offers a structured methodology for organizations to use when conducting a TRA, including guidance and decision trees.
Similar to the EDPB’s six-step roadmap for supplementary measures, the ICO’s TRA tool breaks the TRA down into three parts:
- Assessing the transfer
- Determining whether the IDTA is likely to be enforceable in the destination country
- Determining if there is appropriate protection for the data from third-party access
Organizations should carry out a TRA when making a restricted transfer that relies on an Article 46 transfer tool – this includes the IDTA.
However, a TRA is not necessary when transferring personal data to any country covered by UK adequacy regulations or if the transfer is covered by an exception such as the data subject giving explicit consent for the transfer.