For organisations that transfer personal data from the UK to other jurisdictions, new data sharing agreements are now in force.
The ICO’s International Data Transfer Agreement (IDTA) is another step along the way to greater clarity, after the upheavals of Brexit and the landmark European privacy ruling, Schrems II.
What is the IDTA?
The IDTA is the UK’s version of standard contractual clauses (‘SCCs’) – a form of data sharing agreement used to legally allow the transfer of personal data to a country outside of the scope of GDPR (a restricted transfer).
Post-Brexit, the ICO adapted EU SCCs for a UK context. The IDTA now replaces those amended SCCs (old SCCs) – giving the UK its own template international data sharing agreement.
The agreement ensures the personal data that is transferred continues to receive a similarly high level of protection, as required by the restricted transfer rules.
When should an IDTA be used?
Some countries are covered by adequacy regulations – meaning they are judged by the UK to have sufficiently similar data protection standards to those under UK GDPR.
Data can flow freely between the UK and these countries, such as EEA countries (a reciprocal EU adequacy decision exists for the UK under EU GDPR). A normal, commercial data sharing agreement will be enough in those circumstances.
An IDTA will be the right agreement to use where:
- New data sharing arrangements are being finalised after 21 March 2022;
- Personal data is being transferred outside of the UK; and
- There is no adequacy regulation in place for the location the data is being transferred to, e.g., the US.
Do existing agreements need updating?
Eventually, all data sharing agreements based on EU SCCs will need updating – but the deadlines depend on when the agreements were signed and where the personal data is being transferred from.
In 2021, the EU updated its SCCs – and some entities that transfer data from both the UK and EEA to other parts of the world should be using these ‘new SCCs’ if they concluded their arrangements after 27 September 2021.
This means:
- For transfers from the UK only under agreements signed on or before 21 September 2021 (using old SCCs including those modified for the UK context after Brexit) – arrangements need to be documented in IDTA format by 21 March 2024.
- For transfers from the UK and EEA under agreements signed before 27 September 2021 (using old SCCs), arrangements will only be valid until 27 December 2022 and should be transferred to the new EU SCCs and Addendum (see below).
- For transfers from the UK and EEA under agreements signed on or after 27 September 2021 (using new SCCs), the ICO has also produced an Addendum which enables the new SCCs to work with the UK data protection regime.
How do IDTAs work?
The IDTA format is similar to the old SCCs, and includes the following:
- Tables to set out specific information about the exporter, the importer and the restricted transfer;
- The option to include extra protection clauses;
- The option to include commercial clauses agreed by the exporter and importer, provided that these do not contradict the agreement; and
- A set of mandatory clauses, which must always be included, including a Legal Glossary.
The IDTA takes into account some criticisms of the US data protection regime in the Schrems II judgment, so it offers slightly more protection than the old SCCs. But using an IDTA doesn’t take away the new Schrems II requirement to also risk assess transfers to the US (and other jurisdictions where there is no adequacy regulation).
The ICO consulted on a risk assessment tool to help data exporters with this process – it is available in draft form but has yet to be finalised. The ICO is expected to finalise this and other international transfer guidance during 2022.
Our data protection team can be contacted for further information and support.