The UK has unveiled its International Data Transfer Agreement (“IDTA”) and International Data Transfer Addendum (“UK Addendum”). These form part of the UK’s package of measures designed to assist businesses in transferring data abroad and are likely to form a key part of the data privacy compliance for UK businesses nearly all of whom will transfer data abroad whether to suppliers (including cloud storage providers), related businesses or customers.
Organisations who are subject to the UK GDPR (which includes all businesses which are based in the UK, offer goods or services to people in the UK or monitor the behaviour of people in the UK) can now use the IDTA or the UK Addendum as a tool to transfer personal data out of the UK to third countries that lack adequacy i.e. countries whose data protection laws and practices do not meet the standards of the UK.
The IDTA and the UK Addendum is the UK’s answer to allowing restricted transfers of data from the UK and replaces the EU’s Standard Contractual Clauses (“EU SCCs”) as a tool to do this. Businesses who currently operate on the EU SCCs will be pleased to know that there is no immediate rush to adopt the IDTA; the longstop date to switch over from the EU SCCs to the IDTA is 21 March 2024. It is also possible to keep using the EU SCCs up to 21 March 2024, provided they are in place by 21 September 2022 and your processing does not change in the meantime.
IDTA v’s EU SCCs
Whilst the IDTA closely follows the provisions of the new EU SCCs, there are a couple of key features of the IDTA which “trump” the EU SCCs. The first is that the IDTA can be used for transfers even if the importer is already subject to the UK GDPR, a point which is unclear with the new EU SCCs. The second is that the IDTA is more flexible than the new EU SCCs. This is because the IDTA can cater for a number of different transfer scenarios across different exporter/importer relationships, whereas the EU SCCs are restricted to the transfer scenarios set out in the four modules of the EU SCCs. So if you have a complex transfer scenario (i.e. where multiple data importers and exporters are involved or where the processing chain includes processors and sub-processors), the IDTA is likely to be the easier of the two tools to work with.
Other key features of the IDTA include:
- Standalone Agreement. Unlike the new EU SCCs which adopt a modular structure, the IDTA is an all-in-one agreement that can be signed “as is”.
- Linked Agreement. The IDTA can be executed alongside another commercial “linked” agreement, which allows the parties to incorporate additional terms to reflect the commercial context of the transaction, provided those terms do not impinge upon the rights granted under the IDTA. The ability to incorporate additional terms means the IDTA can be used more flexibly than the EU SCC. For example the parties may wish to include an option for mediation or arbitration as alternative dispute mechanisms (whereas the EU SCCs have mandatory jurisdiction and governing law clauses), or the parties could set out a more detailed process relating to audit (whereas the EU SCCs does not deal with audit timings or process measures).
- Automatic updates. If the IDTA is updated by the ICO, these changes will automatically apply. The parties can also provide in the IDTA that the particulars of the data processing will automatically update if the information is updated in the linked agreement.
Whilst the new EU SCCs are less easy to navigate, unlike the IDTA, they do include the mandatory processor requirements under Article 28 GDPR, so no additional data processing agreements are needed with processors.
When do I use the UK Addendum?
The UK Addendum works alongside the new EU SCCs and operates to amend the new EU SCCs for UK use. Since the obligations imposed on the data exporter and importer under the UK Addendum are identical to those under the EU SCCs, the UK Addendum shares the same advantages and disadvantages of the EU SCCs.
The UK Addendum is particularly useful for UK businesses who also have operations in the EU, and have already entered into the EU SCCs, as the UK Addendum extends the EU SCCs to cover personal data exported from the UK, meaning the data exporter has the same compliance obligations for both territories.
Recap of the key dates
After 21 September 2022, any new arrangement for transfers which are subject to the UK GDPR will need to be governed by the IDTA or the UK Addendum. You will also need to use the IDTA or UK Addendum if your processing changes after this date.
Any existing arrangements for UK transfers based on the EU SCCs must be replaced with the IDTA by 21 March 2024.
If you aren’t receiving our legal updates directly to your mailbox, please sign up now
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.