What is the UK International Data Transfer Agreement and What Are the Implications?

On 2 February 2022, the Information Commissioner’s Office (ICO) laid before Parliament changes around restricted international personal data transfers.?The international data transfer agreement (IDTA) and the UK Addendum to the current European Commission’s standard contractual clauses (SCCs) are the next steps in providing a transfer tool for complying with the UK GDPR when conducting restricted transfers of personal data.

Background

As part of Brexit post the EU referendum, the?GDPR?was adopted as UK law through the Data Protection Act (2018), and those parts of it applying to people in the UK became known as the ‘UK GDPR’.?The UK left the EU on 31 January 2020 and entered a transition period until 31 December 2020.

At the end of that transition period, the ICO adopted the approach that transfers of personal data outside of the UK could temporarily rely on the EU provisions for restricted transfers, namely the EU SCCs.?In June 2021, the EU updated the SCCs, which many organisations have since adopted.

These SCCs, however, were not included in the UK GDPR, as the ICO developed a UK-specific framework for personal data transfers.?This framework includes the ICO’s own scheme for determining whether the recipient country (the ‘data importer’) provides an ‘adequate’ level of protection of individuals’ rights over the processing of their personal data in a third country (i.e., neither the UK nor an EU Member State).

Why is this Needed?

On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its judgment on the adequacy of previous safeguards, i.e., the EU-US Privacy Shield and the previous EU SCCs designed to safeguard transfers of personal data to the United States and other third countries outside the EU, a ruling now commonly known as Schrems II.?As a result, the Privacy Shield scheme was ruled unlawful and the EU SCCs were swiftly updated, and supplementary arrangements applied.?This judgement forced organisations across the UK and EU to carefully consider arrangements for making restricted transfers, not just to the USA, but to any third country that does not have a decision of ‘adequacy’.

The ICO defines a transfer as being restricted if:

• The?UK GDPR?applies to the personal data being transferred
• The data exporter is sending data or making it accessible to a data receiver/importer to whom the UK GDPR does not apply
• The importer is a separate organisation or individual (including another organisation in the same corporate group).