New UK Cross-Border Data Transfer Mechanisms sent to Parliament for Approval.
Authors: Ryan T. Sulkin; Lucas Schaetzel
The new mechanisms, which are likely to pass Parliament, will become effective on March 21, 2022 and will require businesses and organizations to review existing and new contracts.
The Information Commissioner’s Office (“ICO”), which acts as the UK’s data protection regulator, sent new cross-border data transfer mechanisms to the UK Parliament for approval under the UK’s General Data Protection Regulation (“UK GDPR”).
The data transfer mechanisms include the new International Data Transfer Agreement (“IDTA”) and the new International Data Transfer Addendum to the EU Standard Contractual Clauses (“UK Addendum”). While the effective date is March 21, 2022 for the new data transfer mechanisms, the compliance date is September 21, 2022. Therefore, beginning September 21, 2022, new contracts that contemplate the cross-border transfer of UK personal data cannot rely on the EU Standard Contractual Clauses (“SCCs”).
In January 2021, when the UK formally left the European Union (“EU”), the UK became a “third country” outside of the scope of the EU’s General Data Protection Regulation (“GDPR”). Therefore, the GDPR no longer applies to the UK. To address this shift, the UK amended its existing Data Protection Act of 2018 to incorporate the GDPR’s requirements and principles to form the UK GDPR. The two laws—the GDPR and UK GDPR—are identical in what they require businesses and organizations to do in terms of privacy and data protection, except for the fact that the GDPR is applicable to (and only enforceable by) the EU, while the UK GDPR is only applicable to (and only enforceable by) UK government entities.
For data transfers from the EU to the UK, businesses and organizations can rely, and have relied, on a 2021 adequacy decision by the EU Commission determining that the UK provided adequate privacy rights and data protection requirements.
In relation to the GDPR, businesses and organizations in other third countries generally have to rely on the cumbersome SCCs because few countries are deemed to provide adequate data protection and privacy laws. In June 2021, the EU Commission set forth new SCCs that businesses and organizations must rely on moving forward.
Cross-Border Data Transfer
Both the GDPR and UK GDPR have similar cross-border data transfer requirements. In order for businesses and organizations subject to the UK GDPR to transfer personal data from the UK to another country, there are three options: (1) the country must provide adequate data protection and privacy laws; (2) there must be appropriate safeguards in place; or (3) an exception must apply. Exceptions include express, separate consent from the individual whose personal data is transferred, or transfers pursuant to the public interest or assertions of legal rights.
Similar to the US relationship with the EU under the GDPR, the US is not deemed to provide adequate data protection and privacy laws under the UK GDPR. Without an exception to allow the data transfer, businesses and organizations must ensure the entity receiving the personal data in the other country (i.e., the US) has appropriate safeguards in place to adequately protect the personal data.
This is where the two new UK data transfer mechanisms apply. The new data transfer mechanisms offer two new avenues businesses and organizations can take in complying with the UK GDPR cross-border data transfer requirements.
For contractual relationships that only contemplate the transfer of UK personal data, the IDTA provides standard contractual clauses that must be incorporated. The IDTA is essentially the UK’s version of the EU’s new SCCs, which became effective this past summer.
For contractual relationships that contemplate the transfer of UK personal data as a part of a larger set of personal data that includes EU personal data, the UK Addendum can be used as a supplement to the EU SCCs.
The UK Addendum can only be used in contracts that are governed by the new EU SCCs; otherwise, the IDTA must be used.
Application and Effective Date
The new UK data transfer mechanisms are currently set to become effective on March 21, 2022. However, there is a grace period before compliance is required. Until September 21, 2022, businesses and organizations can continue to use the old EU SCCs in new contracts to ensure adequate safeguards are in place. Therefore, beginning on September 21, 2022, businesses and organizations will need to use the IDTA or the UK Addendum in new contracts to comply with the UK GDPR, unless the transfer is to a country deemed to provide adequate data protection and privacy laws, or an exception applies.
Further, the old EU SCCs can continue to be the contractual basis for appropriate safeguards until March 21, 2024, for contracts that were entered into prior to September 21, 2022. After March 21, 2024, old contracts that continue to rely on the old EU SCCs will need to be amended to incorporate either the IDTA or UK Addendum.
Businesses and organizations that operate in the UK, or that are based in another country such as the US, but that collect, process, or otherwise handle UK personal data, will need to review their contractual relationships. Both existing and new contracts will need to be reviewed in line with the effective date and compliance date of the new UK GDPR cross-border transfer requirements.
As more countries amend or create cross-border data transfer requirements that restrict personal data flows between businesses, the Benesch Data Protection and Privacy team is committed to staying at the forefront of knowledge and experience to assist our clients in compliance efforts. We are available to assist you with any compliance needs.
Ryan T. Sulkin at rsulkin@beneschlaw.com or 312.624.6398.
Lucas Schaetzel at lschaetzel@beneschlaw.com or 312.212.4977.