by James Davey
23 February 2024
Deadline to update standard contractual clauses is fast approaching.
As of 21 March 2024, the EU standard contractual clauses issued by the European Commission under the old Data Protection Directive (Directive 95/46/EC) (“old SCCs”) will no longer be sufficient as a standalone mechanism for international data transfers under UK data protection law. Consequently, it will be necessary to identify, and rely upon, an alternative transfer mechanism under Article 46 of the UK GDPR (for example, UK binding corporate rules, updated standard contractual clauses or an approved code of conduct, to name a few).
If, like many UK organisations, you rely on standard contractual clauses to transfer data outside the UK, then you will need to enter into either:
- the ICO’s international data transfer agreement (“IDTA”); or
- the new EU standard contractual clauses issued by the European Commission under the GDPR (“new SCCs”), and (importantly), supplement this with the international data transfer addendum (“Addendum”) issued by the Information Commissioner’s Office (“ICO”).
The following provides a recap of what standard contractual clauses are, what the changes mean for organisations subject to UK data protection laws and what steps organisations can take to ensure continued compliance following the 21 March deadline.
What are the standard contractual clauses (“SCCs”)?
Under the EU GDPR (and now also the UK GDPR), a controller or processor that intends to transfer personal data to a third country or an international organisation that does not benefit from an adequacy decision is required to implement appropriate safeguards and to provide data subjects with enforceable legal rights and effective legal remedies. A third country is a country outside of the relevant jurisdiction (being the EEA where the EU GDPR applies, and the UK where the UK GDPR applies). Such a transfer is known as a ‘restricted transfer’. One method of ensuring that such a transfer is compliant with the relevant iteration of the GDPR is the implementation of appropriate SCCs.
Whilst the old SCCs have been widely used by UK organisations (largely because of their convenience and the pre-Brexit legislative landscape), the UK now has its own versions of SCCs to be used where a party is transferring personal data outside the UK. These were issued by the ICO, and came into force on 21 March 2022. As noted above, these are the IDTA and the Addendum, and they replace the old SCCs for use as an appropriate transfer mechanism under the UK GDPR.
What does this mean for UK organisations?
As part of the new regime, the ICO provided a two-year transition period during which old SCCs entered into prior to 21 September 2022 would remain valid for restricted transfers under the UK GDPR.
However, following the 21 March 2024 deadline, organisations can no longer rely upon the old SCCs to transfer data outside the UK. They will either need to enter into an IDTA or use the Addendum (alongside the new SCCs), or identify an alternative appropriate transfer mechanism or rely upon a relevant exception.
What is the difference between the IDTA and the Addendum?
The IDTA is a standalone agreement, much like the old SCCs, whereas the Addendum is a much shorter document designed to be used in conjunction with, and to amend, the new SCCs, to make them suitable for restricted transfers from the UK. Therefore, in the majority of instances where an organisation is already using the new SCCs, it is likely to be more time and cost effective for organisations to use the Addendum.
What if we do not have SCCs in place?
Compliance with the UK GDPR in respect of international transfers of data is an area that is often overlooked, and organisations should ensure that, where it has been overlooked, this is rectified as soon as possible.
Whilst the process may initially appear complex, due to the requirement in certain instances to carry out a transfer risk assessment and the number of options for transfer mechanisms available under Article 46 of the UK GDPR, the ICO has provided some useful guidance along with a step-by-step approach (available here).
However, for the majority of organisations wishing to carry out a restricted transfer the following steps will need to be taken:
- Ascertain whether the recipient organisation is based in a country that benefits from an adequacy decision. Where this is the case, no further action will need to be taken, as the country in question has been deemed to provide adequate legal protections for data subjects’ rights and freedoms.
- If the country in question does not benefit from an adequacy decision, the next step is to identify a potential Article 46 transfer mechanism and conduct a transfer risk assessment (“TRA”). This will allow you to assess what protections the recipient country provides to data subjects and the protections being implemented under the transfer mechanism you wish to rely upon. Where your assessment finds that the transfer mechanism does not provide sufficient protection, extra steps and protections must be implemented in order to provide it. The result of the TRA should be recorded to ensure that your actions can be justified to the ICO, where necessary.
- If your chosen Article 46 transfer mechanism is sufficient, continue to implement the mechanism and any relevant steps prior to carrying out the restricted transfer. For the majority of UK organisations transferring personal data to a separate legal entity in a third country, standard contractual clauses such as the IDTA or the Addendum are likely to be the most suitable mechanisms.
Whilst the law does set out eight exceptions available to those looking to carry out restricted transfers, which are worth considering, the majority of them are unlikely to be applicable in the context of a commercial arrangement, and those that are will need to be necessary and proportionate. Therefore, it is far more likely that an Article 46 transfer mechanism would be the most appropriate basis for carrying out restricted data transfers.
Next steps
We would encourage any organisation carrying out restricted transfers from the UK to conduct an immediate review of its existing contractual arrangements and, in particular, to identify whether any such transfers are being carried out on the basis of the old SCCs as the appropriate mechanism. Where contracts relying on this mechanism are in place, they should be updated accordingly prior to 21 March 2024, to ensure continuing compliance with the UK GDPR.
If you require any assistance reviewing your existing contracts or advice on the most appropriate transfer mechanism for your organisation’s international data transfers, please contact a member of the Protecting Data Team here.