New data protection rules for international data transfers

Data protection laws protect individuals’ rights to have their personal information dealt with by businesses in a manner that is fair, safe and transparent. The UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 are the key pieces of legislation that require businesses in the United Kingdom to uphold these rights. One way that they achieve this is by imposing rules on international transfers of personal data (ie ‘restricted transfers’)

Since leaving the European Union on 31 January 2020, international transfers of personal data which are not covered by adequacy regulations (ie data transfers where the recipient is not based in a country with an adequate level of data protection) have been able to use the ‘old’ Standard contractual clauses (SCCs) as a safeguard to comply with data protection rules. On 21 March 2022, new safeguards came into force for international transfers of personal data from the UK. 

Changes to restricted transfer requirements

The International Data Transfer Agreement (IDTA) 

The IDTA is effectively the UK’s new equivalent to the EU’s new SCCs. It is a document that businesses can use to safeguard their data transfers out of the UK. It covers, for example, security requirements and measures that businesses use to ensure data protection. 

The Addendum to the new EU SCCs

The Addendum (which is incorporated into the EU SCCs) is a document that businesses can use in combination with the EU SCCs when transferring data outside of both the EU and the UK. Using this method saves users a lot of time, as aspects of the EU SCCs will not need to be repeated to cover transfers from the UK, as they would be if the EU SCCs and IDTA were used. For businesses based exclusively in the UK (ie with no EU presence), however, using the IDTA may have advantages in that users will not have to keep track of changes to the EU SCCs, as they would if using the Addendum. 

Transitional provisions

Although the new IDTA and Addendum came into force on 21 March 2022, transitional provisions mean that data transfers governed by contracts entered into before 21 September 2022 will be able to rely on the ‘old’ UK SCCs until 24 March 2024. After 24 March 2024, the IDTA or the new EU SCCs together with the Addendum will need to be used.

What do these changes mean for businesses?

The introduction of the IDTA and the Addendum is widely appreciated within the legal industry, due to the documents being more commercially pragmatic and easier to follow and use than their EU-based predecessors. 

Rocket Lawyer is currently working to create easy to use templates that businesses can use to create SCCs, an IDTA or an Addendum.

For more information on the new provisions, read the Information Commissioner’s Office (ICO) guidance on international data transfers. If you would like assistance understanding how these new provisions apply to your business, you can Ask a lawyer.

India Hyams