28th February 2024
Organisations using the old European Union standard contractual clauses to transfer personal data out of the UK have until 21 March 2024 to make alternative arrangements. Walker Morris Regulatory & Compliance Partner and data protection specialist Andrew Northage explains the options.
Standard contractual clauses have traditionally been a key mechanism for transferring personal data to countries that don’t benefit from a data adequacy decision. Changes have been made over the past few years to update these arrangements following both Brexit and the European Court of Justice’s decision in the “Schrems II” case.
On 4 June 2021, the European Commission adopted a set of new and improved SCCs for personal data transfers from controllers or processors in the European Economic Area to those established outside the EEA. The new clauses replaced the old SCCs that had been in place for around 20 years.
Then, on 21 March 2022, an international data transfer agreement (known as the IDTA) and UK Addendum to the new EU SCCs came into force in the UK. They replaced the old EU SCCs for transferring personal data out of the UK.
However, under transitional arrangements, organisations could still use the old EU SCCs until 21 March 2024 for contracts concluded on or before 21 September 2022. With that window now closing, organisations still using the old EU SCCs to transfer personal data out of the UK need to make alternative arrangements.
For transfers of personal data out of the UK, organisations can choose to use: the IDTA; the UK Addendum alongside the new EU SCCs; or another appropriate safeguard mechanism, such as binding corporate rules.
A key consideration is whether the particular transfer requires compliance under both the UK GDPR and EU GDPR regimes. Using the new EU SCCs and UK Addendum can be advantageous where dual compliance is required because it avoids having to enter into two different sets of arrangements.
Note that you still have to carry out a transfer risk assessment (TRA) before relying on any of these options. This focuses on the specific circumstances of the transfer and is a requirement following the Schrems II decision.
The website of the Information Commissioner’s Office contains guidance on international transfers, including how to carry out a TRA. We’re still waiting for clause-by-clause guidance to the IDTA and Addendum, and guidance on how to use the IDTA.
From 12 October 2023, UK businesses have been able to transfer personal data to those US organisations which are certified under the UK Extension to the EU-US Data Privacy Framework. See this factsheet for details. A TRA isn’t required in this scenario because the arrangement is covered by an adequacy decision.
Navigating data protection compliance can be complex, particularly when there are multiple jurisdictions involved. Please get in touch with Andrew if you need help updating your personal data transfer arrangements, including the use of standard contractual clauses, or with any other regulatory and compliance issue.