IDTA: New UK standard contractual clauses for international transfers
New standard clauses mean organisations will need to incorporate either the International Data Transfer Agreement or the UK Addendum in all contracts concluded on or after 22 September 2022.
This is the case if the contract involves the transfer of data from the UK to a third country whose data protection regime has not been deemed ‘adequate’ by the UK Information Commissioner (known as a ‘restricted transfer’).
The International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum (UK Addendum) came into force in the UK on 21 March 2022. Both can be used as a transfer mechanism to comply with the requirement under Article 46 of the UK General Data Protection Regulation (UK GDPR) when making restricted transfers.
Under Article 46, organisations making restricted transfers of personal data out of the UK must provide appropriate safeguards for personal data to ensure that data subjects are given the same level of protection as they would have been under the UK GDPR.
The IDTA and the UK Addendum replace the previous Standard Contractual Clauses for international transfers (SCCs), mainly reflecting the judgment of the European Court of Justice commonly known as “Schrems II”. Although the UK has left the EU, the decision in “Schrems II” came ahead of Brexit and the UK is still bound by it.
The requirement to provide appropriate safeguards when making a restricted transfer also applies under the EU GDPR for personal data transfers from the EU/EEA to any country without an adequacy decision from the EU Commission.
If you would like to know more about the new EU Standard Contractual Clauses (SCCs) adopted following the decision in “Schrems II”, please see our summary of the key features to look out for and steps to take here.
The UK was the subject of an EU adequacy decision in 2021, so the new SCCs do not need to be used for data transfers from the EU/EEA to the UK. This may be reviewed if UK data protection laws move away from the EU GDPR, which they currently mirror. However, the incoming UK government under Liz Truss signalled last week that the second reading in parliament of the controversial Data Protection and Digital Information Bill has been postponed, and that the legislation would be considered further.
As for organisations making restricted transfers out of the UK, they can choose whether to use the IDTA or the UK Addendum in their respective contracts. The main difference between the two is that the IDTA is a separate agreement to be signed by the parties whereas the UK Addendum is meant to be used together with the new SCCs, varying them ever so slightly to fit the UK GDPR narrative. The IDTA is therefore appropriate in transactions where the use of the new SCCs is not necessary. The UK Addendum, on the other hand, would be valuable in multinational transactions where both the UK and the EU GDPR regime must be followed.
What should you do?
According to the transitional provisions in the legislation, organisations will need to incorporate either the IDTA or the UK Addendum to all contracts concluded on or after 22 September 2022.
Contracts concluded on or before 21 September 2022 may still use the old SCCs, which will provide appropriate safeguards for the purpose of Article 46 of the UK GDPR up until 21 March 2024.
We would therefore suggest considering including either the IDTA or the UK Addendum to all newly-formed contracts to avoid future need for any changes. Organisations should also identify any contracts already in place that will need to be updated.
How can we help?
If you’d like any guidance on this matter, please get in touch. We can help by:
- undertaking a review of your existing contracts and identify which will need to incorporate the IDTA or the UK Addendum
- advising on the amendment of existing contracts to incorporate either the IDTA or the UK Addendum
- advising whether to choose the IDTA or the UK Addendum
- advising on the implementation of the IDTA or the UK Addendum in future contract negotiations
- acting as UK or EU representative via our sister company Willans Data Protection Services. If you are processing data about people in the UK or the EU (as the case may be) and don’t have an establishment in those territories, the EU and the UK versions of GDPR require you to appoint a local representative. For more information, please visit our website.
Our specialist GDPR and data protection solicitors will make the effort to get to know your business, using this knowledge to create workable solutions to any kind of data protection compliance challenge you may face. Whether you’re looking for a comprehensive solution, training or help with certain aspects of data protection law, please contact our dedicated team.