On February 2, 2022, the UK privacy regulator (i.e., the Information Commissioner’s Office or the ICO) issued new model clauses to support data transfers from the UK. Subject to approval by the UK Parliament, the new model clauses will become effective March 21, 2022. Companies transferring personal data outside the UK will have until March 21, 2024 to update existing contracts, but should use the new model clauses for any new contracts they sign as of September 21, 2022.
Following Brexit, UK privacy law remained very similar to the EU General Data Protection Regulation (GDPR). Both EU and UK law restrict transfers of personal data outside their respective territories. One of the common ways to comply with the restrictions is for the data exporter and the data importer to enter into model clauses (also referred to as standard contractual clauses (SCCs)). The European Commission issued new model clauses to enable companies to transfer personal data outside the EU in June 2021 (New EU SCCs) (see here). The UK followed the European Commission and issued new model clauses to enable companies to transfer personal data outside the UK (New UK SCCs). This came after a public consultation on the ICO’s first draft SCCs between August 11, 2021 and October 11, 2021. In the gap between the adoption of the New EU SCCs and the New UK SCCs, the ICO directed companies to rely on UK-adapted versions of the former European Commission model clauses (Old UK SCCs).
What Is “New” to the New UK SCCs?
The New UK SCCs include i) an international data transfer agreement (IDTA) (see here) and ii) an addendum to the New EU SCCs (Addendum) (see here). The IDTA may be used without entering into the New EU SCCs, whereas the Addendum is intended to complement the New EU SCCs. Thus, if a contract already includes the New EU SCCs, it will be sufficient to add the Addendum to cover UK transfers. It will not be necessary to also conclude the IDTA.
- IDTA. The ICO’s IDTA includes obligations that are similar to those under the New EU SCCs, with some deviations (e.g., audit not regulated by the New UK SCCs, possibility for arbitration under the New UK SCCs). Importantly, unlike the New EU SCCs, the IDTA does not cover all mandatory elements that need to be included in a controller-to-processor data processing agreement (DPA). This means that controllers and processors entering into the IDTA for UK transfers would also need to enter into a separate DPA.
- Addendum. The Addendum adapts the New EU SCCs to the UK and provides that UK law prevails in case of conflict. In practice, global businesses may find it easier to use the Addendum (rather than the IDTA) if they intend to enter or have already entered into New EU SCCs.
What Should Companies Do Now?
The ICO stated that the New UK SCCs are now available for use by organizations transferring personal data outside the UK, subject to the caveat that the New UK SCCs are still pending Parliamentary approval. Companies transferring personal data outside the UK can still use the Old UK SCCs in new contracts up until September 21, 2022, but should update all contracts by March 21, 2024 with the New UK SCCs. In short:
- Between now and March 21, 2022, companies may continue using the Old UK SCCs. Companies may also use the New UK SCCs, but they may need to be amended if objections are raised in Parliament (although it seems unlikely that there will be amendments);
- Between March 21, 2022 and September 21, 2022, companies may continue using the Old UK SCCs, or use the New UK SCCs. Companies should use this time to update their template agreements with the New UK SCCs so that any new contracts entered into after September 21, 2022 only refer to the New UK SCCs;
- Between September 21, 2022 and March 21, 2024, companies will no longer be able to use the Old UK SCCs for new contracts. All new contracts signed after September 21, 2022 will need to use the New UK SCCs. However, contracts signed before September 21, 2022 that include the Old UK SCCs can remain effective until March 21, 2024, provided that the processing operations that are the subject matter of the contract remain unchanged;
- After March 21, 2024, any contracts—existing or new—will need to use the New UK SCCs.
In addition, irrespective of whether companies use the Old UK SCCs or the New UK SCCs, they will need to perform a data transfer impact assessment (DTIA, also referred to by the ICO as “transfer risk assessment” (TRA)) and, if appropriate, implement supplementary measures before the transfer in accordance with the Schrems II ruling (see here).
The next step is for the UK Parliament to approve the New UK SCCs, which are expected to become effective on March 21, 2022. The ICO announced that it will issue further guidance on this topic, including i) a “clause-by-clause guidance” for the IDTA and Addendum, ii) guidance on how to use the IDTA, iii) guidance on DTIAs, and iv) further clarifications on international transfers guidance.
Our privacy and cybersecurity practice routinely advises on EU and UK data transfer restrictions and can help you tackle the challenges raised by this fast-moving area. For more information, please contact Cédric Burton, Laura De Boel, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.