Data exporters need to conduct an international data transfer risk assessment to ensure that existing data transfer agreements based on the old European Commission SCCs provide appropriate safeguards and, if not, that they vary those existing agreements, as well as to ensure that all new transfer agreements entered into as of 22 September 2022 incorporate the Information Commissioner’s IDTA or IDTA Addendum.

New data transfer agreements, including data processing or other sharing agreements, governed by the UK GDPR, which are entered into on or after Thursday 22 September 2022 and which involve the export of personal data from the UK to third countries and will rely on appropriate safeguards under Article 46 UK GDPR in the form of standard data protection clauses, can no longer rely on the standard contractual clauses (SCCs) or ‘model clauses’ issued by the European Commission and valid as at 31 December 2020  (the SCCs issued under European Commission Decision 2001/497/EC and European Commission Decision 2010/87/EU) (with appropriate amendments to reflect Brexit)). Instead, new agreements must incorporate the Information Commissioner’s International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum.

Following Brexit, and the expiry of the transition period under the UK-EU Withdrawal Agreement, the implementation of the UK GDPR resulted in an amendment to Article 46(2)(d) to remove standard data protection clauses issued by the European Commission as an appropriate safeguard for transfers of personal data. In its place, the UK GDPR provides at Article 46(2)(c) for safeguards to be provided in the form of standard data protection clauses specified in regulations made by the Secretary of State and at Article 46(2)(d) in the form of standard data protection clauses specified in a document issued by the Information Commissioner.

A comparison between the GDPR, UK GDPR and the UK GDPR as proposed to be amended by the Data Protection and Digital Information Bill (as introduced) is available here.

Schedule 21, Part 3, para.7 of the Data Protection Act 2018, as inserted by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419) (as amended), provided that the European Commission’s standard contractual clauses in force as at 31 December 2020 would continue to be a valid safeguard, for data transfers, as would those standard contractual clauses amended in order to reflect changes as a consequence of Brexit.

With effect from, and including, 22 September 2022 however, paragraph 7 of Part 3 of Schedule 21 Data Protection Act 2018 will be disapplied in relation to any new agreements entered into, and will remain valid in connection with agreements entered into before that date only until 21 March 2024 (provided that the agreement continues to offer sufficient safeguards and processing operations remain unchanged).

Any new data transfer agreements entered into will therefore need to either incorporate the wording set out in the Information Commissioner’s International Data Transfer Agreement (IDTA) or otherwise incorporate both the European Commission’s modernised SCCs and the International Data Transfer Addendum. Any template documents, standard terms and conditions or data processing agreements that incorporate data transfer provisions should therefore be reviewed and replaced.

Even in relation to existing agreements, since the Schrems II judgment found that the old SCCs (which were replaced by the European Commission for ex-EEA transfers in June 2021 with modernised standard contractual clauses, which have been mandatory since September 2021) provided inadequate safeguards for transfers of personal data to the US, data exporters will want to ensure that they have conducted an international data transfer risk assessment (IDTRA) to confirm that any existing contractual provisions remain appropriate and, if not, to seek to vary the contract to incorporate the IDTA or IDTA Addendum or to rely on alternate safeguards.