
The Information Commissioner’s Office (ICO) has given UK businesses until 21st March 2024 to put in place either the UK’s International Data Transfer Agreement (IDTA) or the EU’s new Standard Contractual Clauses (SCCs) together with the international data transfer addendum, replacing the EU’s previous standard contractual clauses, when making international transfers of data, or what the ICO refers to as restricted transfers.

What this means in practice is that UK businesses who have traditionally made use of the EU’s standard contractual clauses in order to transfer personal data abroad cannot rely on that method from 21st March 2024. A failure to update contracts by 21 March 2024 and the continued transfer of personal data to third country(ies) using the expired SCCs will be a breach of data protection law punishable with administrative fines up to £17,500,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, and liability under Art. 82 of the UK GDPR.

In this blog we will explore the new rules a bit further together with other developments on the law relating to international transfers and explain what UK businesses need to do to ensure they stay the right side of the law.

What is a restricted transfer of data?

A restricted transfer of data is basically the transfer of personal data to a person (a receiver) who is based outside of the UK. The restricted transfer occurs both when personal data is transferred or sent to a receiver outside of the UK and when that personal data is accessed from outside of the UK. A restricted transfer would include storing personal data on servers based outside of the UK.

Are all international transfers restricted transfers?

No. A restricted transfer will not take place where you are a UK based processor and are either simply returning the personal data to a controller who is based outside of the UK or where you are acting on the instructions of the controller i.e. you are told by the controller to transfer the data to another processor or controller outside of the UK. In these circumstances however it is likely that you will be under a contractual obligation in relation to the transfer of the personal data and/or the controller will be subject to the UK’s GDPR legislation and therefore the rules on restricted transfers will apply to the controller.

What do I need to do to make a restricted transfer lawful?

This will largely depend on where you are transferring the personal data to i.e. where the data receiver is located. We have summarised the basic rules in the table below.

| Location of data receiver | What steps need to be taken before the restricted transfer can be made |
| --- | --- |
| European Union (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden) | None. These countries have adequacy regulations in place and data can be transferred to data receivers located in them without the need for further steps being taken. |
| EFTA (Iceland, Norway and Liechtenstein) | As above. No prohibitions on restricted transfers. |
| Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay and South Korea | As above. No prohibitions on restricted transfers. |
| Canada | As above. No prohibitions on restricted transfers (but only applies to personal data that is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)). |
| Japan | As above. No prohibitions on restricted transfers (but only applies to personal data transferred to private sector organisations subject to Japan’s Act on the Protection of Personal Information). |
| United States (members of the Data Privacy Framework UK extension) | As above. |
| All other countries in the world not listed above (including receivers in the US who are not members of the Data Privacy Framework UK extension) | No adequacy regulations in place. Restricted transfers prohibited unless an appropriate safeguard is in place. |

What is an appropriate safeguard?

Restricted transfers to many countries in the world cannot be made without first putting in place an appropriate safeguard. The most common safeguards are as follows:

  • UK Binding Corporate Rules or UK BCRs – UK BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships. They need to be approved by the ICO and in practice are likely to be applied for at the same time as an EU BCR.
  • Standard data protection clauses – For the UK these consist of either the UK’s International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum (Addendum). They are a set of contractual clauses which are entered into between the data exporter and the data importer (receiver). The Addendum must be used in conjunction with the EU’s Standard Contractual Clauses for data transfers outside of the EU and is therefore used when it is both UK and EU personal data that is being transferred.

Use of either the IDTA or the Addendum (plus the EU SCCs) was mandatory from 21st September 2022 but there was a transition arrangement under which any legacy arrangements remained valid for a finite period of time. This expires on 20 March 2024 and contracts must be updated from 21 March 2024.

With all of these safeguards it is also important to carry out a data transfer risk assessment (TRA) prior to transferring data. A TRA is likely to be concerned with two things: any risks to people’s rights arising in the country of the receiver (for example where a government has particular powers to intercept or access personal data), and the ability to enforce the safeguard in that country (for example where the system of justice is not well developed or has failed). As a result of the TRA it might then be necessary to put in place additional or supplementary safeguards, which might be contractual, organisational or technical in nature.

Are there any other exceptions?

Other exceptions or derogations which permit restricted transfers do exist. These are however generally based on “necessity” and are typically used for one-off transfers rather than any more systematic transfers. Examples include where the transfer is necessary for the public interest, establishing a legal claim or defence, or for fulfilling obligations under a contract.

What is the position with transferring personal data to the US?

On 10 July 2023, the EU Commission announced the enforcement of the new EU-US Data Privacy Framework. The main driving force behind the framework was to provide legal certainty on the transfer of personal data between the EU and US. On 21 September 2023, the UK introduced an extension to the EU-US Data Privacy Framework – the ‘UK-US Data Bridge’. This bridge allows the UK to benefit from the lawful and safe transfer of personal data to the US following Brexit.

  • What is the EU-US Data Privacy Framework?
    The EU-US Data Privacy Framework allows the free flow of personal data from the EU to organisations within the US without the need to adopt additional safeguards, such as EU standard contractual clauses. The European Commission held that the new EU-US Data Privacy Framework guarantees a level of protection ‘essentially equivalent’ to that provided within the EU – a key requirement set out in the EU GDPR. To benefit from this framework, US organisations must apply to the US Department of Commerce for certification. US President Joe Biden describes the EU-US data framework as a ‘joint commitment to strong data privacy protections’, stimulating economic growth and innovation between the two countries. The new framework was implemented into US law in October 2022 by Executive Order 14086 on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ (‘EO 14086’).
  • The Need for Legal Certainty Following Schrems II
    Prior to this framework, digital trade between the EU and US had been restricted by the annulment of two preceding frameworks. In a case known as Schrems I, the CJEU declared the Safe Harbour data transfer agreement invalid after finding that the US did not ensure an adequate level of protection of personal data. In Schrems II, the CJEU annulled the Privacy Shield data transfer agreement. The CJEU held that the digital surveillance processes adopted by US law enforcement and intelligence agencies breached EU privacy law, deeming US and EU privacy laws to be no longer ‘essentially equivalent’. The CJEU found that US agencies had access to EU personal data beyond what was ‘strictly necessary’, and EU residents did not have access to an effective legal remedy.
    Amid the absence of an EU-US data framework and mounting legal uncertainty on transatlantic data transfers, US companies relied on previous data transfer tools, such as standard contractual clauses (SCCs), to carry out new data exports.
  • Schrems III: Third Time Unlucky?
    Data protection platform ‘NOYB’, founded by data activist Max Schrems, has criticised the new EU-US data agreement for failing to meet the standards of EU data protection law for the third time. In its July statement, ‘NOYB’ referred to the new agreement as a ‘copy of the failed Privacy Shield’ and announced Mr Schrems’ intention to bring a third case before the CJEU. According to Mr Schrems, an ‘essentially equivalent’ data framework between the EU and US in accordance with the EU GDPR requires a material change in US surveillance law.
  • The EU-UK Data Bridge Extension
    The UK extension to the EU-US Data Privacy Framework (the ‘UK-US Data Bridge’) was introduced on 21 September 2023 and has been in force since 12 October 2023. The Data Protection (Adequacy) (United States of America) Regulations 2023 allow UK organisations to transfer personal data to certified US organisations without reliance on additional safeguards, such as SCCs. US organisations must self-certify under both the EU-UK Data Bridge and the EU-US Data Privacy Framework in order to transfer personal data freely.

Conclusion

Much has changed in relation to the making of international transfers of data from the UK recently. Many UK businesses have traditionally relied on the EU’s standard contractual clauses as a safeguard for international transfers of data and this will no longer be possible from 21st March 2024. The mechanisms for transferring data to the US have also changed recently with the coming into force of the Data Privacy Framework and its UK extension or bridge, and it may be that many UK businesses can now take advantage of this or perhaps persuade their US suppliers to sign up to the Data Privacy Framework and its UK extension.

Should you have any queries in relation to international transfers of data, or indeed any other data privacy law matters, please contact Nick Phillips or any other member of our Intellectual Property Team.

Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.

Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.

