Ann-Maree Blake, Partner
When Britain left the EU in January 2021 many businesses were apprehensive about changes to data transfer laws. If the UK were not granted ‘adequacy’ by the EU (meaning its data protection laws and safeguards are ‘adequate’ enough to meet GDPR data protection standards) transferring personal data to the EU would have quickly become tricky and expensive. Thankfully, in June 2021, the EU granted the UK adequacy. In the same month, the European Commission approved a new set of Standard Contractual Clauses (SCCs) with safeguards to permit international data transfers. The new SCCs were not approved by the UK, so businesses were required to continue using the previous version of the clauses.
Following extensive consultation the ICO created the template international data transfer agreement (IDTA) and the template international data transfer addendum to the EU’s SCCs (the Addendum). Collectively these are essentially the UK version of the new EU SCCs. Following Parliamentary approval, the IDTA and the Addendum came into force on 21 March 2022.
Continue reading to discover the changes brought in by the new EU SCCs, the IDTA and the Addendum, and how they work together.
What are the Standard Contractual Clauses?
SCCs are standardised contractual clauses that businesses transferring data from the EEA or a country that has been granted adequacy to a third country (i.e. a nation that has not been granted adequacy) must use to ensure the rights and freedoms of the person whose information is being transferred are upheld.
The SCCs provide appropriate safeguards for international data transfers under Article 46 of the GDPR. Neither data controllers nor processors are permitted to alter them, although additional, non-contravening safeguard provisions can be added to the contract.
What are the key differences between the old and new set of SCCs?
The new SCCs cover a wider range of situations than the former models. Transparency between businesses and customers has also increased and parties to the transfer have additional obligations concerning assessing the legality of the handover of personal data.
A modular approach has been taken with the new SCCs, as set out below:
- Module one: Controller – controller.
- Module two: Controller – processor.
- Module three: Processor – processor.
- Module four: Processor – controller.
The modular approach allows for distinct types of transfer scenarios. It also permits multiple parties to adhere to the SCCs.
The SCCs also consider the binding judgement of the European Court of Justice of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems Case C-311/18, commonly referred to as Schrems II. This decision invalidated the Privacy Shield (a programme that allowed EU businesses to transfer data to the US) because of the extensive opportunity of surveillance provided by US national security laws (namely US Foreign Intelligence Surveillance Act (FISA) Section 702, Executive Order 12333, and Presidential Policy Directive 28).
You will need to transfer to the new SCCs by 21st March 2024 at the latest.
Is the IDTA identical to the EU SCCs?
The IDTA differs from the SCCs in that it is a standalone agreement rather than a series of modules. It and the Addendum both allow for the decision in Schrems II.
How do I use the IDTA and the Addendum?
The IDTA and the Addendum are alternative ways to ensure compliance with Article 46 of the GDPR when transferring data to third countries. Whether you choose to adopt the SCCs, IDTA, or the Addendum will depend on how your business operates. For example, if you have organisations across the UK and EEA may prefer to implement the EU SCCs and UK Addendum rather than the IDTA. However, for data transfers from the UK to the US, the IDTA is the appropriate form to use.
Wrapping up
The decision in Schrems II and the finalisation of Brexit means that businesses required clarity regarding data transfers to third countries. The EU SCC and UK IDTA and the Addendum provide this. If you have any questions regarding ensuring data transfers comply with the GDPR, our data protection solicitors can advise you.
To find out how we can assist you on all matters relating to GDPR and data protection law, please contact Ann-Maree Blake (ablake@quastels.com), Partner in our Corporate/Commercial Team who specialises in Data Protection & Privacy or call +44 (0)20 7908 2525 to make an appointment.
Please note – this article does not constitute legal advice.