The UK international data transfer landscape - what has changed?

The UK GDPR prohibits transfers of personal data to countries outside the UK unless there is an Adequacy Regulation, appropriate safeguards, or another permitted exception in place. This seeks to ensure that individuals are afforded protection equivalent to what they would receive under the UK’s data protection laws, so that their rights are not compromised.

In situations where there was no Adequacy Regulation in respect of a country, the standard contractual clauses (SCCs) tended to be the ‘default’ position for most organisations. These SCCs have been around since 2004 in respect of controller-to-controller arrangements, and 2010 in respect of controller-to-processor arrangements.

However, the landmark European case in July 2020, Schrems II, which saw the demise of the Privacy Shield (which previously acted as an international transfer safeguard mechanism for transfers of personal data to the USA), sent shockwaves around the world in respect of international personal data transfers – not just to the USA, but to countries all around the world.

The European Commission felt that it provided an opportunity (albeit long overdue!) to revisit the SCCs, which had not even been updated to reflect the EU GDPR. So, a ‘shiny’ new set of SCCs was launched in Europe from 4 June 2021 (EU SCCs). However, the UK, still grappling with the effects of Brexit, was stuck with an anglicised version of the old ‘creaking’ SCCs – that is, until things changed on 21 March 2022, when the new International Data Transfer Agreement (IDT Agreement), as well as the new International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (IDT Addendum), or IDTAs for short, came into effect in the UK.

How do the IDTAs differ from the SCCs?

The IDTAs do not look anything like the old SCCs, as they have benefited from a ‘facelift’ to bring them into a post-UK GDPR and post-Schrems II era. Furthermore, each IDTA differs from the other: the IDT Agreement is a standalone set of clauses (with lots of placeholders which need populating!), whilst the IDT Addendum acts as a ‘wrapper’ to use with the EU SCCs (which also have a lot of placeholders which need populating!).

Although there are differences inherent in the IDTAs, one of the key advantages which they bring is the ability to address the different permutations of controller/processor data transfers in one document – something which the SCCs did not do.

What do you need to do?

Whilst the IDTAs came into effect on 21 March 2022, the ICO has stated that if you are currently using the old SCCs and there is no change in the processing activities, you can continue to use the old SCCs until 21 March 2024. Following that, you must then move to the use of an IDTA.

The old SCCs can also still be used in new arrangements up until 21 September 2022 – thereafter, new arrangements must use an IDTA rather than the SCCs.

However, our recommendation is that you start using the IDTAs for new and existing arrangements immediately, due to the issues which are inherent with the old SCCs (including that, following the Schrems II decision, your organisation is unlikely to be held to have implemented the SCCs in the way that the Court envisaged them to be entered into). Acting in a timely manner now will also avoid a frantic rush to move to the IDTAs under a pressurised deadline – as you certainly will want to avoid that ‘déjà vu feeling’ of 25 May 2018 when the GDPR came into effect!

Is this starting to sound complicated?

If you are thinking that this is starting to sound complicated, you are right! We have not even mentioned some more acronyms, in the form of ‘TRAs’, which are Transfer Risk Assessments. The ICO has made it clear that it is mandatory to do a TRA before you undertake an international personal data transfer using SCCs or IDTAs.

TRAs, as the name suggests, are risk assessments… but wait, there’s more! There can be situations where you may not be able to rely on a TRA alone, because a DPIA is required instead. A ‘DPIA’ is a Data Protection Impact Assessment, which is a more comprehensive form of risk assessment: it takes a holistic approach to UK GDPR compliance in respect of the relevant processing activities, rather than focussing only on the international aspect of the personal data transfer.

Help!

You may at this stage be feeling as if you are ‘drowning’ in a ‘sea of acronyms’ and you would not be blamed for doing so. As can be seen from the above, there is a lot that needs to be considered, and simply ‘re-papering’ is not an option when moving from SCCs to IDTAs. The use of IDTAs requires careful assessment of the international personal data transfer, in a way that organisations will not have been accustomed to. Consequently, the sooner that you start this process, the better!
