On March 21, 2022, the UK’s International Data Transfer Agreement (IDTA) and Addendum to the European Commission’s Standard Contractual Clauses (SCCs) took effect. The Information Commissioner’s Office (ICO) also announced the entry into force of transitional provisions to align data transfers with SCCs following Brexit and the Schrems II case.
The ICO launched a public consultation on the IDTA and Addendum on August 11, 2021 prior to making its way to parliament on February 2, 2022.
The IDTA replaces the current Standard Contractual Clauses (SCCs) in the UK and was developed in line with the CJEU’s decision in the Schrems II case to enable the continued flow of data with a high level of personal data protection. Data exporters in the UK will be able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.
The ICO stated it will also clarify what a restricted transfer is under the UK GDPR and develop tools and guidance for organizations, including:
The IDTA is a set of contractual requirements that organizations can use when transferring data to a third country. It serves as one of the appropriate safeguards under Article 46 of the UK GDPR and replaces the current set of SCCs.
The IDTA provides organizations with a baseline of safeguards that offer a sufficiently similar legal standard to the UK GDPR for data transfers to countries without an adequacy decision.
It’s important to note that the IDTA requires organizations to conduct a TRA to ensure that the safeguards provided by the IDTA do not conflict with third-country legislation and that a sufficient level of data protection is achieved.
In addition to the IDTA, the UK addendum to EU SCCs also took effect. The addendum will provide additional appropriate safeguards for organizations relying on Article 46 transfer tools under the UK GDPR when transferring data out of the UK.
Organizations can now choose to either use the IDTA or the Addendum when making restricted transfers under the UK GDPR. The ICO has stated that the Addendum allows organizations to use the EU SCCs themselves to cover both transfers, avoiding the need to use both the EU SCCs and the IDTA.
The IDTA transitional provisions allow for the continued use of the SCCs that were issued under the Data Protection Directive 1995 (The Directive), as an appropriate safeguard under the UK GDPR for new contracts until September 21, 2022. Organizations can rely on the transitional provisions as an appropriate safeguard under the UK GDPR until March 21, 2024.
The ICO launched its draft TRA tool alongside the public consultation on the IDTA in August 2021. The tool aims to assist organizations when carrying out a TRA and offers a structured methodology for organizations to use when conducting a TRA, including guidance and decision trees.
Similar to the EDPB’s six-step roadmap for supplementary measures, the ICO’s TRA tool breaks the TRA down into three parts:
Organizations should carry out a TRA when making a restricted transfer that relies on an Article 46 transfer tool – this includes the IDTA.
However, a TRA is not necessary when transferring personal data to any country covered by UK adequacy regulations or if the transfer is covered by an exception such as the data subject giving explicit consent for the transfer.