Since the United Kingdom’s withdrawal from the European Union and following the introduction of the UK GDPR, UK-specific Standard Contractual Clauses (SCCs) have been expected. Now they have come into force, but what are the implications of these new UK SCCs?
On 21 March 2022, new UK Standard Contractual Clauses (SCCs) came into force for transfers of data outside the United Kingdom.
As had been expected since the introduction of the UK GDPR, new UK SCCs were needed to regulate the transfer of data from the UK to third countries without an adequate level of data protection.
As stipulated in the UK GDPR, and in the same way as under the EU GDPR, the transfer of data to third countries that do not offer an adequate level of data protection is restricted. Accordingly, to transfer data to third countries in a compliant manner, the UK GDPR offers certain ways to ensure compliance when these transfers occur, one of which is the use of SCCs.
Additionally, and in the exact same way as we explained in our previous article, as a consequence of the Schrems II ruling, when relying on SCCs, carrying out a data transfer risk assessment is essential to determine whether supplementary measures are necessary in order to warrant an adequate level of protection sufficiently similar to the one granted under UK data protection laws.
Two versions of the new UK SCCs
There are two different versions of the UK SCCs. Firstly, the new UK SCCs are contained in the International Data Transfer Agreement (IDTA), which replaces the EU version of it.
The IDTA thus regulates the transfer of data to third countries, assuring data exporters that their transfers are in line with the UK GDPR, as well as safeguarding the personal data received by a data importer from the UK. The IDTA is intended to allow the transfer of personal data from the UK to third countries.
Together with the UK SCCs, a UK Addendum to the EU SCCs has been provided as well to ensure compliance with both UK GDPR and EU GDPR standards.
This UK Addendum ensures compliance with both the EU GDPR and the UK GDPR and allows the use of the new EU SCCs for data transfers from the UK. Hence, companies can rely on this UK Addendum for data transfers both from the UK and the European Economic Area.
This is particularly relevant because when the European Commission issued the new EU SCCs on 4 June 2021, those clauses were not valid under the UK GDPR, which meant that companies had to rely on the old EU SCCs.
With the new IDTA and UK Addendum, though, companies will be able to utilise the new 2021 EU SCCs for data transfers originating from the UK as well.
Key implementation timelines
The two deadlines for implementation of the new UK SCCs are the following:
21 September 2022: After this day, data exporters must use the new UK Addendum when signing new agreements for data transfers subject to the UK GDPR.
21 March 2024: Contracts signed up until 21 September 2022 can still rely on the existing EU SCCs for data transfers to third countries until 21 March 2024. However, no later than 21 March 2024, any existing contract for UK transfers based on the old SCCs must be replaced with the new ones.
What should you do in light of these changes?
If your business is UK-based and makes international data transfers outside the UK, you should start assessing which DPAs with third parties will have to be amended, particularly where the contract is based on the old EU SCCs.
Moreover, it is also time to start considering whether you will implement the IDTA or the UK Addendum while keeping in mind the implementation periods.