Cross-border data flows: new compliance requirements on transfers to Third Countries by UK businesses

There have been a number of changes over the last year or so relating to the free flow of personal data to and from the UK.

Last year, on the 28 June and following the UK’s exit from the European Union, the UK was awarded “adequacy” status by the European Commission. This was significant as it meant that, whilst the UK was no longer a member state of the EU, we could continue to send and receive personal data from EU member states without the requirement for additional safeguards (such as the inclusion of Standard Contractual Clauses or “SCCs” in our contracts). Companies were able to go about their business without the need to implement additional measures to demonstrate their compliance with the UK’s data protection legislation, and this was well-received by the business community, as one might expect.

It is important to note that the European Commission’s assessment of our adequacy to transfer and receive data from the EU remains under review and will be reassessed periodically. At this point, our UK GDPR is aligned with its EU GDPR counterpart. However, as new laws and guidance develop in the UK, this alignment may diverge which is why the European Commission wants to keep our adequacy status under review.  This will not happen overnight, but it will be something that UK businesses whose processing activities rely upon data transfers with the EU will want to bear in mind.

Building upon this adequacy decision, the UK regulator, the Information Commissioner’s Office, or “ICO”, has examined the data flow mechanism to and from the UK more generally and has updated its guidance on the use of SCCs as a transfer mechanism.  This has been entrenched in law, having been put before Parliament earlier this year.

Since the 21 March 2022, businesses are required to use either an Addendum to the SCCs or a separate International Data Transfer Agreement, or “IDTA”. This will be a requirement under Article 46 of the UK GDPR (the documents are issued under Section 119A of the Data Protection Act 2018) when making restricted transfers and which require more detailed information to be provided.  Some of the more notable details required by the IDTA are listed below:

• The status of importer/exporter as data controller/data processor;
• Any linked agreements (including sub-processors, master service agreements, etc.)
• Where relevant, the onward transfers of personal data by importers to third parties;
• IDTA review dates;
• Security arrangements specific to processing activities;
• Transfer risk assessment to be prepared identifying any specific risks and measures intended to mitigate such risks;
• Additional protective and commercial clauses (such as indemnities);
• Additional obligations on importer of personal data to make exporter aware of any local laws that may affect the transfer;
• Obligation on exporter to carry out reasonable (ongoing) checks on importer’s ability to comply with the IDTA (or provide appropriate safeguards);
• Rights of data subjects including new ones to provide individual with a copy of the IDTA on request;

Businesses already operating under the existing EU SCCs can continue to rely upon these documents for the time being – a long-stop date of 21.3.24 has been provided by the ICO, after which an IDTA or Addendum should be used. Those businesses who have acted in good faith to this point to negotiate contracts incorporating the existing SCCs can continue to use them if they are concluded by 21.9.22, but after this time a switch to the new IDTA/Addendum will be necessary. The good news is that the IDTA as a transfer tool looks to be a more straight forward and practical document than its SCC predecessor. It avoids legal vernacular and should prove an attractive substitute for most businesses operating cross-borders.

If you have any questions regarding this article, please feel free to contact Louise Weatherhead, a data protection lawyer, by email at louise.weatherhead@sintons.co.uk, on Twitter @LNWdataprotect, or by telephone on 0191 2263699.