In the UK, changes are expected in the area of data protection law, notably international data transfers. They show a willingness to adopt an approach that encompasses the lived realities of businesses in a post-Brexit world and a down-to-earth application of privacy regulation. A month ago, the ICO’s International Data Transfer Agreement (IDTA) and the much-expected amended addendum (UK Addendum) to the European Commission’s standard contractual clauses (EU SCCs) were laid before Parliament by the Department for Culture, Media and Sport.
In terms of timeframe, the negative procedure before Parliament means that if no objection is raised within 40 days, the IDTA and the UK Addendum will come into force on the 21st of March. From then on, and until the 21st of September 2022, businesses will be able to choose between using the old EU SCCs and opting for either of the new UK international data transfer mechanisms. Thereafter, new transfers will not be able to benefit from the EU SCCs. Finally, 21st March 2024 will mark the end of the transition period, and all international data transfers will need to have a mechanism in place.
IDTA vs the UK Addendum to the EU SCCs: What is the difference?
In order to meet their obligations under Article 46 of the UK GDPR, data controllers will have to rely upon one of the two available transfer mechanisms: on the one hand, the IDTA, which replaces the old EU SCCs, and on the other hand, the UK Addendum to the EU SCCs, which are already in use by organisations. The latter removes EU law provisions and replaces them with domestic provisions.
Therefore, where an organisation has the complex task of processing both UK and EEA data, they would choose the more pragmatic UK Addendum to the EU SCCs which they are probably already using and not the IDTA.
The IDTA, though, will serve domestic businesses transferring personal data to third countries well. However, as most international businesses are already using the EU SCCs mechanism in their agreements, even if they transfer solely UK data it seems reasonable that they will choose to simply add the UK Addendum.
Whilst the substance of the UK Addendum is pretty much the same as what was proposed by the ICO in its initial consultation, if you had an opportunity to read it, some of the duties of importers and exporters of data have been amended and clarified under the IDTA.
Inter alia, risk assessment obligations will now fall on the importer of data, which will entail an obligation to provide the exporter with a package of information on local laws. With regard to the provision of a copy of data subjects’ transferred data to data subjects, this will no longer be free of charge; further, importers’ data breach notification obligations are now more extensive.
Restricted transfers
Further, the Guide to the UK GDPR has been amended to reflect the approach taken by the ICO on restricted transfers, which is aligned with EU law. The ICO confirms that transfers to data receivers located outside of the UK and in a non-adequate country will be deemed to be restricted transfers and will require either of the mechanisms provided for in UK law.