International Data Transfers: an overview of the current position under UK law

Transfers of personal data outside of the UK – an overview

Under UK law an organisation must not transfer personal data to a country outside the UK (an "International Transfer"), unless:

  • An adequacy decision granted by the UK government exists in relation to that country.
  • An appropriate safeguarding mechanism is used, such as standard contractual clauses or binding corporate rules.
  • A suitable derogation exists which covers the circumstances of the transfer (e.g. an occasional transfer or where the data subject has given consent to the transfer).

The key points for organisations to note are:

Adequacy decisions

All adequacy decisions made by the EU Commission in relation to data transfers from the EU before Brexit have been recognised by the UK under the UK GDPR. There are also adequacy decisions in place for all the EEA countries as well as Gibraltar. The EU has also adopted a corresponding adequacy decision in favour of the UK, which means that data can continue to flow between the UK and the EEA without the need for additional safeguards.

In practice

In practice, the most widely used of the appropriate safeguards are the standard contractual clauses. We are currently in a transition period which means there are a number of different versions of international data transfer agreements which can be relied on and this article aims to help organisations navigate them.

The new UK international data transfer agreements

On 21 March 2022, the following documents came into force under UK law:

  • The international data transfer agreement (the "IDTA").
  • The international data transfer addendum (the "UK Addendum") to the new EU standard contractual clauses (the "new EU SCCs") for international data transfers.
  • A document setting out transitional provisions.

The IDTA and UK Addendum replace the old EU standard contractual clauses (the "old EU SCCs") which UK organisations have previously relied on as an appropriate safeguard for International Transfers to comply with the requirements of UK GDPR when transferring personal data to a territory that is not subject to the UK’s adequacy regulations..

The IDTA is intended to cover an International Transfer in relation to personal data that is solely covered by the UK GDPR. The UK Addendum is intended to be used when an International Transfer is (or could be) in relation to personal data covered both by the UK GDPR and the EU GDPR (for example, if an organisation offers services across the EU and the UK.

We have seen a trend however in organisations opting to use the UK Addendum to cover the risk of any current or future personal data being subject to the EU GDPR. International suppliers are also more familiar with the UK Addendum than the IDTA and tend to be more receptive to using it over the IDTA.

Transitional provisions

The transitional provisions helpfully provide for a grace period – transfer arrangements using the old EU SCCs and concluded on or before 21 September 2022 will continue to be valid until 21 March 2024.

The key dates to note are:

For new International Transfers concluded after 21 September 2022, organisations must use the IDTA or the UK Addendum.

All arrangements for UK transfers based on the old EU SCCs must be replaced with the IDTA or the UK Addendum by 21 March 2024.

For new International Transfers concluded after 21 September 2022, organisations must use the IDTA or the UK Addendum.

All arrangements for UK transfers based on the old EU SCCs must be replaced with the IDTA or the UK Addendum by 21 March 2024.

Transfer risk assessment

Following the Schrems II decision in 2020, a transfer risk assessment must be carried out before any International Transfer is made, regardless of whether you use the IDTA or the UK Addendum.  The purpose of this transfer risk assessment is to ensure that the data subjects are given a level of protection that is equivalent to that under the UK GDPR.

Further guidance from the ICO

The ICO is developing additional tools to provide support and guidance to organisations which will be published soon, including:

  • Clause by clause guidance to the IDTA and UK Addendum.
  • Guidance on how to use the IDTA.
  • Guidance on transfer risk assessments.
  • Further clarifications on its International Transfer guidance.

Practical steps organisations can take now

There are a number of steps organisations can start taking now to prepare for the transition to the new UK international data transfer agreements, including:  

  • Assessing and documenting the organisation's International Transfers (including any intragroup transfers of personal data outside of the UK) and which transfer mechanism is currently being relied on to make those transfers.
  • Assessing which of the new transfer mechanisms (i.e. IDTA or UK Addendum) is most suitable for the organisation and the relevant International Transfer.
  • Assessing the best time to start engaging with counterparties to transfer existing arrangements based on the old EU SCCs to the new transfer mechanism, noting the deadline of 21 March 2024 by which all arrangements for UK transfers based on the old SCCs must be replaced.  You don't want to be the first party to raise this with a supplier, but you also don't want to start discussing this a day before the deadline.

Get in touch

Please do get in touch with our data privacy team.

Related