Have you heard news of a 27th December 2022 deadline? Maybe something about updating your EU SCC documents? Announcements of a new ‘ITDA’ and an ‘ICO UK Addendum’? Mutterings of ‘old SCCs’ and ‘new SCCs’? Well, read on and let us unravel the international data transfer changes.
What actually is an EU SCC document?
This stands for the EU Standard Contractual Clauses, which is an EU approved document which allows for international transfers of personal and special category data from a company within the UK or EU to countries outside of the UK/EU. It’s a document that requires the overseas transferee of personal data to process it lawfully, safely, securely and in compliance with the various data protection rules that exist.
Does this apply to me?
If you are a company that transfers data to other companies or group entities, who are based in a country outside of the UK/EU, and if that country is not covered by the ‘adequacy regulations/requirements’, then you need to take note. There have been changes to the documents you need to make complaint international data transfers. You may ask, what does this actually mean? What are the adequacy regulations, what are international data transfers? This guidance explains all.
What are the adequacy regulations/requirements?
Under UK data protection laws, you may not make a transfer of personal/special category data to another country if that country is located in a country which is not covered by the UK ‘adequacy regulations’. Countries covered by the adequacy regulations have been deemed by the UK as having legal frameworks that provide adequate protection in respect of individuals’ data protection rights.
If the adequacy regulations do not apply, then you need to consider whether to put in place other appropriate safeguards instead – such as an approved data transfer agreement. This can be the use of EU SCCs (with a UK Addendum) or a new UK International Data Transfer Agreement.
More information on ‘adequacy’ can be found on the Information Commissioners website here.
But we left the EU…right?
Yes, since Brexit the UK is no longer a member of the EU. However, UK companies that have already signed up to EU SCCs can still rely on them. However, it depends on what version of the EU SCCs you have in place.
If you signed the old EU SCCs (2010 version), then you need to either:
(1) enter into a new EU SCC (2021 version) together with the new UK Addendum (which makes amendments to the standard EU SCC to ensure it is relevant to the UK); or
(2) you can enter into a new UK specific International Data Transfer Agreement (also known as the ITDA).
What is the 27th December 2022 deadline all about?
Under the transition period for the new EU SCCs, which were introduced in 2021, replacement of existing old EU SCCs to the new EU SCCs must be completed by 27 December 2022 for all data transfers. After this date the old EU SCCs won’t have any legal effect, and any data transfers will not be compliant with data protection law.
What is the difference between an old and new EU SCC?
The old EU SCCs are based on the 2010 version and the new ones are dated 2021. Depending on which version you already have in place will determine what action you need to take. The following table applies to UK entities making transfers outside of the UK/EU to a country which does not meet the adequacy requirements:
|I have an old (2010) EU SCC in place||You need to replace this with a new 2021 EU SCC before 27th December 2022|
|I have a new (2021) EU SCC in place||You need to prepare a UK Addendum to sit alongside your existing EU SCC.|
|I don’t have any international data transfer agreements in place but I transfer data out of the UK to a country not covered by adequacy requirements||You have two options:|
What’s the difference between all these documents?
The EU SCC is the EU-approved standard document for international data transfers.
The UK Addendum is a document that UK companies can use alongside the EU SCCs to make it compliant with UK data protection laws (now that the UK has left the EU).
The International Data Transfer Agreement is a document that UK companies can opt to use instead of the new EU SCC / UK Addendum combination. It is a standalone agreement that can be used in the same way as the EU SCCs. It has been drafted (by the ICO) specifically for transfers of data from the UK and ensures compliance with the UK GDPR. This document simply places contractual obligations on organisations exporting data to another organisation in a different jurisdiction.
What should we do?
Well, it depends on whether you are already using EU SCCs or whether you are entering into an international data transfer agreement for the first time. Generally, organisations that already have the new EU SCCs in place are using the UK Addendum to align their documents with UK laws. For organisations with no historical documents in place, then companies are opting for the new UK International Data Transfer Agreements – one document is easier to manage!
Another factor is whether you are based in the UK and other EU countries. If your group has entities in the UK and other EU countries, then it might be simpler to adopt the EU SCC / UK Addendum option. If you are only based in the UK (with no plans to expand into EU countries), then the UK International Data Transfer Agreement would be preferable.
Take a look at the guidance issued this month by the ICO on international transfers (found here (International transfers | ICO). They have also prepared a Transfer Risk Assessment guidance, and a TRA Tool. These resources from the ICO will help organisations work out the steps they need to take and the documents that should be put in place to stay the right side of data protection laws.
Feel free to reach out if you need an audit of your international data transfer agreements. Equally, if you have a supplier asking you to enter into a new data transfer agreement and you want to check it’s the right one, then we can do a health check on the agreement for you. We can analyse what you have in place and advise you on the neatest way to seek compliance… and all before the 27th December deadline!
Clare Veal is a Consultant Solicitor in our Commercial Department and has been advising companies on their data protection requirements through all the evolutions of GDPR and UK data protection laws.