If your business transfers personal data outside the UK and European Economic Area (EEA), and is currently relying on old EU standard contractual clauses, those agreements must be updated to the new UK-mandated contractual clauses by 21 March 2024.

Under UK data protection laws, there are restrictions on international data transfers: a business cannot transfer personal data for processing outside the UK unless the international data transfer requirements have been satisfied.

Adequacy regulations and safeguards

Personal data can be transferred without restriction to countries outside the UK which have been deemed ‘adequate’ by the UK government (the full list of countries or territories covered under the UK ‘adequacy regulations’ can be found on the ICO’s website). The EEA, for example, is deemed an adequate territory.

However, in the absence of an adequacy finding for the destination territory, the transferor must put ‘appropriate safeguards’ in place. The most commonly used appropriate safeguard has been the implementation of “standard contractual clauses” (or SCCs) in the agreement between the transferor and recipient. Pursuant to the 2020 Schrems II judgment, transferors relying on SCCs must, in addition, carry out an assessment of those transfers (commonly referred to as transfer risk assessments).

New UK standard contractual clauses (SCCs)

In March 2022, the UK ICO published:

  • The UK International Data Transfer Agreement (IDTA), a standalone agreement setting out the UK’s own version of the SCCs and covering international data transfers from the UK to ‘third countries’.
  • The UK Addendum, which can be appended to, and have the effect of modifying, the new SCCs published by the EU (adopted in 2021) so that they work for international data transfers from the UK to third countries. Due to Brexit, the new EU SCCs alone do not suffice for UK transfers.

Further discussion on the IDTA and Addendum can be found by reading “New UK International Data Transfer Agreement.”

Timescales and deadlines: implementing new UK international transfer clauses

In respect of data transfer arrangements subject to the UK data protection laws, contracts entered into prior to 21 September 2022 can rely on old EU SCCs until 21 March 2024 (provided there have been no modifications to the data transfer operations under those contracts).

Therefore, by 21 March 2024, all contracts relying on the old EU SCCs for UK transfers must have been updated to either the IDTA or UK Addendum.

Any new contracts entered into since 21 September 2022 must already be incorporating either the IDTA or the UK Addendum.

Next steps

With the 21 March 2024 deadline approaching, it is recommended that you review your international data transfers. In particular, review any existing agreements incorporating the old EU SCCs and begin updating them to the new UK SCCs ahead of the statutory deadline.

