Best Before: 21 March 2024
In just a matter of days, with effect from Thursday 21 March 2024, any international data transfer agreements from the UK to overseas which rely on the safeguard of standard data protection clauses as their lawful basis - specifically the standard contractual clauses (SCCs) or ‘model clauses’ issued by the European Commission and valid as at 31 December 2020 (the SCCs issued under European Commission Decision 2001/497/EC and European Commission Decision 2010/87/EU) (with appropriate amendments to reflect Brexit)) – must find a new safeguard to remain lawful.
As we highlighted in our previous blog post ‘See ya SCCs, enter the IDTA’, since 22 September 2022 Article 46(2)(d) UK GDPR has required any new data transfer agreements for ex-UK international transfers of personal data to rely on standard data protection clauses specified in a document issued by the Information Commissioner. Any data transfer agreements entered into since that date which rely on standard clauses should therefore already rely on either the Information Commissioner’s International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum together with the European Commission’s modernised SCCs (the standard contractual clauses issued on 04 June 2021) and supplementary measures.
For pre-existing data transfer agreements for ex-UK international transfers of personal data, the transitional relief which was provided by virtue of Schedule 21, Part 3, para.7 of the Data Protection Act 2018, as inserted by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419) (as amended), and enabled the European Commission’s old SCCs to continue to be relied upon is now coming to an end.
Data controllers therefore need to ensure that they have updated their standard contracts and that they have conducted a review of existing contracts to determine whether any are reliant on the old EC SCCs as the safeguard for international transfers of personal data outside the UK. If any such contracts are identified, controllers must urgently consider whether standard clauses remain the most appropriate safeguard (it may be the case that alternate safeguards including adequacy regulations, such as those enabling UK-US personal data transfers under the UK extension to the EU-US Data Privacy Framework are now available, for example) and, if so, take steps to vary the contract to replace the old EC SCCs with either the Information Commissioner’s International Data Transfer Agreement or the Information Commissioner’s International Data Transfer Addendum together with the European Commission’s modernised SCCs and supplementary measures.
In any case, each transfer should be subject to an International Data Transfer Risk Assessment / International Data Transfer Impact Assessment.
Should you require support reviewing existing contracts, determining the most appropriate safeguard for ex-UK international data transfers, conducting International Data Transfer Risk Assessments, or drafting and implementing International Data Transfer Agreements or the International Data Transfer Addendum and modernised EC SCCs, please contact us.
You can access our ‘Helping Hand’ checklist on transferring personal data from the UK overseas here. You can access our other resources on International Data Transfers here.
Find out more about our data protection and data privacy services.