Other Author Kahroba Kojouri, Trainee Solicitor
In August 2021, the ICO launched a consultation on replacing the use of the old EU based standard contractual clauses for international transfers of personal data outside of the UK ("Old SCCs") with new transfer tools to reflect the post-Brexit environment. Following the end of that consultation, the Department for Culture, Media and Sport (DCMS) has now laid the final versions of these new standard form contracts before the UK Parliament.
Provided that the UK Parliament raises no objections, these new standard form contracts will be approved for use from 21 March 2022. Businesses may continue to use the Old SCCs as a valid transfer mechanism for transferring personal data from the UK under new contracts until 21 September 2022. Any agreements incorporating the Old SCCs for transfers of personal data outside of the UK will need to be renegotiated to instead adopt one of the new UK standard form contracts by 21 March 2024.
Once the new international transfer tools are adopted by the UK Parliament, businesses can use one of the following new contractual safeguards when making an international transfer of personal data that is restricted under the General Data Protection Regulation ("GDPR") in the UK (i.e. a transfer of personal data from the UK to a third country that does not benefit from an adequacy decision from the UK): (i) enter into the new UK international data transfer agreement with the recipient of the data ("IDTA"); or (ii) enter into a new UK addendum with the recipient of the data ("Addendum") which can be used together with the new EU standard contractual clauses published on 4 June 2021 ("New EU SCCs"). The use of the Addendum will be convenient for international businesses that carry out international transfers of personal data that are subject to both the EU GDPR and the UK GDPR and are already relying on the New EU SCCs to carry out transfers of personal data from the European Economic Area.
Considering that the IDTA reflects the same GDPR requirements as the New EU SCCs, the IDTA is not significantly different in substance to the New EU SCCs. For instance, following the decision in ‘Schrems II’, the New EU SCCs require the parties to conduct a transfer impact assessment taking into account various factors, including the laws and practice of the recipient country and the contractual, technical and organisational safeguards put in place during transmission and processing of data. Similarly, the IDTA requires data exporters to undertake a transfer risk assessment to consider the local laws, practices, and risks which might render the protections provided by the IDTA insufficient. The IDTA does depart from the New EU SCCs in a few notable ways, including the following:
- The IDTA has a wider scope and can be used in more varied transfer situations. For instance, the IDTA can be used for transfers from sub-processors to processors, whereas the New EU SCCs does not allow for such transfers.
- The IDTA expressly recognises that the parties may have entered into a separate commercial agreement (referred to as the 'Linked Agreement' in the IDTA) and allows for the parties to incorporate the terms of the Linked Agreement into the IDTA.
- The IDTA is made up of four parts:
- Part 1: This part is comprised of tables where parties can insert their names, signatures and details of the transfer, information about the data transferred and any security requirements.
- Part 2: Parties can insert extra protection clauses where supplementary measures are needed.
- Part 3: Parties can insert additional commercial clauses if there is no 'Linked Agreement' accompanying the IDTA.
- Part 4: This part sets out the mandatory clauses that the parties are subject to.
- The IDTA allows parties to resolve any disputes arising out of or in connection with the IDTA through arbitration; whereas the New EU SCCs include mandatory jurisdiction and governing law provisions.
- The parties are able to agree on audit provisions in the Linked Agreement. The audit provisions in the IDTA will only apply where the Linked Agreement does not provide an audit mechanism.