International Data Transfers: does my organisation need to rewrite its agreements?

Last Updated: April 2nd, 2024

Until now, UK businesses and organisations (together, organisations) have been relying on standard contractual clauses (SCCs) issued by the European Commission, or on the EU-US Privacy Shield, for transferring personal data to data processors outside the UK and the European Economic Area (EEA). Following Brexit, the UK Information Commissioner's Office (ICO) issued a statement to the effect that by 21st March 2024, all organisations must enter into either:

  • the UK’s International Data Transfer Agreement (IDTA); or
  • the EU Commission's new SCCs in conjunction with the ICO's international data transfer addendum (UK Addendum), in order to make a lawful international data transfer, which the ICO refers to as a restricted transfer.

As a result, organisations that have traditionally used the EU Commission's previous SCCs (versions of which were issued as long ago as 2001 and 2010) to move personal data legitimately to a country outside the EEA (known in data protection law terms as a third country) can no longer rely on those SCCs for transfers from the UK with effect from 21 March 2024. The more recent EU SCCs issued on 4 June 2021 remain usable for UK transfers only when combined with the UK Addendum; on their own they do not cover transfers from the UK.

Failure to update contracts by 21 March 2024 means that any further transfer of personal data to a third country after that date in reliance on the now-redundant SCCs will be a breach of UK data protection law, punishable by a fine of up to £17.5 million or 4% of the total worldwide annual turnover of the organisation's group in the preceding financial year, whichever is the greater.

What is a restricted transfer of data?

A restricted transfer arises where personal data to which the UK GDPR applies (for example, data held on a server in the UK) is transferred to a person or entity (the receiver) based outside the UK. It occurs both when the personal data is sent to a receiver outside the UK and when the data is made accessible from outside the UK, for instance where a processor located outside the UK is given remote access to it or holds it on a server based outside the UK.

What does not constitute a restricted transfer

If you are a UK-based processor, you are not yourself making a restricted transfer when you send personal data back to a controller based outside the UK, or when you transfer it on the controller's instructions, for instance where the controller tells you to send the data to another processor or controller outside the UK. In that situation, however, you will almost certainly be under contractual obligations regarding the transfer, because your processing contract with the controller must meet the UK GDPR's requirements for processors, and where the controller is itself subject to the UK GDPR the onward transfer it has instructed is a restricted transfer from the controller's perspective. The requisite mechanism, in the form of the correct SCCs entered into between the parties concerned (i.e. controller and processor SCCs), therefore still needs to be in place to ensure the transfer is compliant with the UK GDPR.

How do I make a compliant restricted transfer?

This will largely depend on where you plan to transfer the personal data. For example, if the receiver is located in the EEA, a transfer may take place without further ado, because the UK has adequacy regulations covering every EEA country, meaning those countries are treated as providing an adequate level of protection for the rights and freedoms of UK data subjects under UK data protection law. On the other hand, if a transfer were being made to Mexico, then because there are no UK adequacy regulations in respect of Mexico, a transfer of personal data to that country would not be lawful unless one of the two tools in the ICO's data transfer toolkit were used: either an IDTA entered into by the parties, or the new EU SCCs in conjunction with the UK Addendum (see above).

For details of the countries covered by UK adequacy regulations, for which no further measures or steps are needed to legitimise the data transfer, please see the ICO Adequacy List.

Appropriate safeguards

A restricted transfer from the UK cannot be made to many countries in the world without first putting in place an appropriate safeguard. The most common safeguards are as follows:

  • UK Binding Corporate Rules (BCRs). BCRs are intended to be used by multinational corporate groups, groups of undertakings or groups of enterprises engaged in a joint economic activity, such as transactions between parent and subsidiary, joint ventures, franchises or professional partnerships. BCRs need to be approved by the ICO, and many months will generally elapse before approval is obtained; hence many organisations prefer to save time and money and use SCCs.
  • SCCs (Standard Contractual Clauses). For the UK, these consist of the ICO's International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum (Addendum). They are a set of contractual clauses entered into between the data exporter (exporter) and the data importer (receiver), with the applicable clauses depending on whether each party is acting as a controller or a processor. The Addendum cannot be used on its own: it attaches to the EU Commission's 2021 SCCs, which govern transfers from the EEA to outside the EEA, and it is therefore mainly used where personal data held in both the UK and the EEA is being transferred to outside the UK and the EEA, so that a single set of clauses covers both.

Use of either the IDTA or the Addendum (in the latter case, together with the EU SCCs) has been mandatory for new contracts since 21st September 2022, but transitional arrangements allowed legacy arrangements entered into before that date to remain valid for a finite period. That period expired on 20 March 2024, and therefore all contracts containing provisions relating to international data transfers (whether data processing agreements or other agreements) must have been updated from 21st March 2024.

Transfer Risk Assessments

Whichever of the above safeguards is employed, the UK GDPR requires a transfer risk assessment (TRA) to be carried out before the restricted transfer takes place. A TRA looks at whether there is any risk to a data subject's rights and freedoms under data protection law in the receiver's country: for example, where a government has the power to intercept or access personal data, as in the case of US investigatory agencies such as the FBI or the NSA, or where the safeguards may be difficult to enforce in the receiver's country because, for example, its system of justice is not well developed. One outcome of a TRA may well be the putting in place of additional or supplementary measures, which could be contractual, organisational or technical in nature (encryption of the data in transit and at rest with keys that remain in the exporter's control being the usual technical example).

Are there any other exceptions?

Other exceptions, or derogations, are generally based on "necessity" and are intended for one-off transfers rather than systematic, regular or repeated ones. Examples include transfers necessary for important reasons of public interest, for establishing, exercising or defending a legal claim, or for performing a contract with, or in the interest of, the data subject (as distinct from the contract between controller and processor that governs how the data is to be processed). Caution should be exercised before relying on one of these exceptions: they are very limited in scope and legal advice should be taken first.

Transfers to the United States

On 10 July 2023, the European Commission adopted its adequacy decision for the new EU-US Data Privacy Framework, the main purpose of which was to provide legal certainty for transfers of personal data between the EU and the US. On 21 September 2023, the UK laid regulations establishing a UK extension to the EU-US Data Privacy Framework, known as the 'UK-US Data Bridge', which took effect on 12 October 2023. The bridge gives the UK a lawful route for transfers of personal data to the US following Brexit and the invalidation by the Court of Justice of the EU of the previous framework, the Privacy Shield.

The EU-US Data Privacy Framework

The EU-US Data Privacy Framework permits the free flow of personal data from the EU (so no longer from the UK) to certified organisations in the US without the need for any of the additional safeguards described above, such as the EU standard contractual clauses. The European Commission has essentially decided that the new EU-US Data Privacy Framework guarantees a level of protection "essentially equivalent" to that provided under EU data protection law, a key requirement of the EU GDPR. To benefit from the framework, US organisations must self-certify to the US Department of Commerce.

The UK-US Data Bridge

The UK extension to the EU-US Data Privacy Framework (the 'UK-US Data Bridge') allows organisations to transfer personal data from the UK to US organisations certified under it without reliance on additional safeguards such as SCCs. A US organisation must be certified under the EU-US Data Privacy Framework and additionally self-certify to the UK extension in order to receive data from the EU and the UK respectively; certification under the EU framework alone does not cover transfers from the UK.

Conclusion

Much has changed in relation to international transfers of data from the UK. Many UK businesses and organisations previously relied on the EU's standard contractual clauses as a safeguard for international transfers of data to the US (or elsewhere outside the EEA), but this is no longer possible with effect from 21st March 2024. Transfers to the US may now be made under the UK-US Data Bridge where the US recipient is certified under the EU-US Data Privacy Framework and its UK extension; where it is not, the IDTA or the EU SCCs with the UK Addendum (together with a transfer risk assessment) remain the route to a transfer that does not breach UK data protection legislation.

As far as transfers to other countries not covered by UK adequacy regulations are concerned, any terms between data controller and processor that relied on the old SCCs must be torn up and rewritten using either the IDTA or a combination of the UK Addendum and the EU SCCs.

Should you have any questions in relation to international data transfers, please do not hesitate to contact Brian Miller.
