Legal Insights

Time to check your personal data transfers from the UK – new rules in place today! 

By Brendan Tomlinson, Vicki Howe & Tara Dhanushkoti

• 21 March 2022 • 8 min read
  • Share

The highly anticipated new rules for personal data transfers to countries outside the United Kingdom come into force today! If the UK General Data Protection Regulation and the UK Data Protection Act 2018 apply to you and your company’s or corporate group’s transfers of personal data from the UK to Australia (or other countries), it is important you understand and address these new rules.

So, what’s new? Well, the following documents for overseas data transfers have been introduced:

  • the new International Data Transfer Agreement (IDTA)
  • the new International Data Transfer Addendum (UK Addendum) to the European Commission’s new standard contractual clauses (new EU SCCs)
  • the relevant transitional provisions.

In this article, we refer to the IDTA and UK Addendum collectively as the UK Transfer Documents.

What’s special about the UK Transfer Documents?

In a nutshell, from today, organisations can transfer personal data outside of the United Kingdom by signing either of the following:

  • the IDTA
  • the new EU SCCs (including the UK Addendum).

Importantly, there is a transition period for legacy contracts and data transfers (which we discuss further below).

How did we get here?

To explain what these UK Transfer Documents are, it is useful to set out the context for data transfers outside of the UK.

Under the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018 (collectively, the UK Data Protection Laws), organisations are required, among other things, to implement appropriate safeguards when transferring personal data outside the UK to jurisdictions which have not been certified by the UK as having an adequate level of data protection.

Importantly, Australia is not covered by the UK’s adequacy regulations, meaning that it has not been certified as having an adequate level of data protection for the purposes of the UK Data Protection Laws. This means that, if organisations wish to transfer personal data from the UK to Australia, they will need to provide appropriate safeguards for such transfers.

However, before relying on an appropriate safeguard to make this transfer of personal data, organisations must be satisfied that the relevant data subjects continue to have a level of protection essentially equivalent to that under the UK Data Protection Laws. This means conducting a data transfer risk assessment, to identify the risks involved with the transfer and whether additional measures are required to be put in place before the transfer is made.

Using standard contractual clauses (SCCs) is the most common data transfer mechanism – these are essentially standard data protection clauses containing obligations on the data exporter and the data importer (i.e. the receiver of the personal data), and affording rights and effective legal remedies for the individuals whose personal data is being transferred.

For further context:

  1. When the UK was still part of the European Union (EU) and under the predecessor to the EU General Data Protection Regulation (EU GDPR), the European Commission adopted the former SCCs (old EU SCCs).
  2. Following the end of the Brexit transition period on 31 December 2020, the EU GDPR ceased to apply to the UK. The UK then implemented the UK GDPR into UK law.
  3. This meant the new version of the EU SCCs adopted by the European Commission on 4 June 2021 were not valid for transfers to which the UK Data Protection Laws apply.
  4. While organisations cannot rely on the new EU SCCs for transfers of personal data outside of the UK, the old EU SCCs continued to be valid for data transfers under the UK Data Protection Laws (although the UK Information Commissioner’s Office (ICO) adapted them so that they would work in the context of the UK), despite these old SCCs not being fit for purpose (especially given that the old EU SCCs were developed before the introduction of the EU GDPR in May 2018).

In light of the above and following a period of consultation, the UK ICO has prepared the UK Transfer Documents.

What are the UK Transfer Documents?

As mentioned earlier, from today (21 March 2022), organisations can transfer personal data that is subject to the UK Data Protection Laws outside of the UK by signing the IDTA or the new EU SCCs (including the UK Addendum). These UK Transfer Documents replace the current SCCs for international transfers and take into account the binding judgement of the European Court of Justice, commonly referred to as “Schrems II”. A summary of the UK Transfer Documents is below:

  • IDTA: This document may be executed as a standalone agreement to accompany the main agreement between the data exporter and the data importer, to ensure compliance with the UK Data Protection Laws – this means the IDTA is only able to be used in the context of data transfers subject to the UK Data Protection Laws (and not the EU GDPR – which requires the data exporter and the data importer to enter into the new EU SCCs).
  • New EU SCCs (including the UK Addendum): This addendum to the new EU SCCs allows organisations subject to both the UK Data Protection Laws and the EU GDPR to conduct international data transfers without needing to execute a new, separate agreement in respect of the UK (such as the IDTA).

Important dates

UK Transfer Documents

In light of the introduction of the UK Transfer Documents, there are some key dates you should be aware of.

Date

Why is it important for the UK Data Protection Laws?

21 March 2022

From 21 March 2022, organisations can rely on the UK Transfer Documents for international data transfers subject to the UK Data Protection Laws.

22 September 2022

Up until 21 September 2022, organisations can rely on the old EU SCCs for international data transfers subject to the UK Data Protection Laws.

On and from 22 September 2022, organisations must use the UK Transfer Documents for any new arrangements for international data transfers subject to the UK Data Protection Laws.

21 March 2024

Up until 20 March 2024, any existing transfer arrangements that rely on the old EU SCCs will continue to be valid.

On and from 21 March 2024, any existing transfer arrangements (such as those entered into prior to 22 September 2022 which use the old EU SCCs) will need to enter into a contract on the basis of the UK Transfer Documents (or find another way to make a restricted transfer under the UK Data Protection Laws).

EU SCCs

For completeness, there are also important dates in respect of moving over from the old EU SCCs to the new EU SCCs in respect of international data transfers subject to the EU GDPR.

Date

Why is it important for the EU GDPR?

27 September 2021

On and from 27 September 2021, organisations were not able to rely on the old EU SCCs for international data transfers subject to the EU GDPR.

27 December 2022

Up until 26 December 2022, any existing transfer arrangements that rely on the old EU SCCs will continue to be valid.

On and from 27 December 2022, any existing transfer arrangements (such as those entered into prior to 27 September 2021 which use the old EU SCCs) will need to reflect the new EU SCCs.

Whilst it is great to see clearer and more fit for purpose documents being introduced for the purposes of the UK Data Protection Laws, the number of various contracting options (and deadlines to comply) do create complexities for organisations.

Helpfully, the ICO is developing additional guidance to assist organisations with understanding the UK Transfer Documents, which include the following:

  • clause by clause guidance to the IDTA and UK Addendum
  • guidance on how to use the IDTA
  • guidance on data transfer risk assessments
  • further clarifications on the ICO’s international transfers guidance.

In the meantime, if you have any questions or would like assistance with understanding or meeting your obligations under the UK Data Protection Laws or the EU GDPR (including, for example, on preparing appropriate documentation or carrying out a data transfer risk assessment), please get in touch with our team and we would be very happy to assist.

Want to know more?

Get in touch with our Technology, Media & Telecommunications team

By Brendan Tomlinson, Vicki Howe & Tara Dhanushkoti

  • Share

Related articles

Online Access