On January 28, following the European Commission’s June 4, 2021 issuance of modified standard contractual clauses (SCCs), the United Kingdom’s (U.K.) secretary of state for digital, culture, media, and sport presented the U.K. Parliament with two new mechanisms to effectuate cross-border transfers of data: (1) the International Data Transfer Agreement (the IDTA) and (2) the international data transfer addendum to the European Commission’s SCCs (the Addendum).
Barring any objections from the U.K. Parliament, these documents will become effective on March 21. Businesses, however, may continue using the old EU-based SCCs until September 21. The IDTA and the Addendum can be used immediately, and any contracts entered into on or before September 21, 2021 using the transitional standard clauses will remain adequate until March 21, 2024, at which point either the IDTA or the Addendum will need to be adopted.
When the U.K. Parliament gives its final approval to the IDTA and EU SCC Addendum, companies will be one step closer to clarity regarding the transfer of data from the U.K. to third countries, pursuant to Article 46 of the U.K. General Data Protection Regulation (GDPR).
I. Substantive Requirements
Any cross-border transfer of data from the U.K. to a third country that is restricted (covered by Chapter V of the U.K. GDPR) needs an appropriate transfer mechanism, such as executing the IDTA or the Addendum.
(A) IDTA. The new IDTA is comparable to the EU’s SCCs. The IDTA includes four parts:
(1) The first part includes four tables, each to include: (A) information on the parties, (B) the transfer-specific details, (C) the data-specific information, and (D) the security requirements.
(2) The second part includes an opportunity to adopt any extra protection clauses that might be needed.
(3) The third part allows for the incorporation of any commercial clauses that might need to be added, particularly if the commercial contract isn’t incorporated via another “linked agreement.”
(4) Similar to the EU’s SCCs, the fourth and final part of the IDTA includes mandatory clauses that must be included in the transfer agreement.
Substantively, the IDTA and the EU SCCs are similar, and both require risk assessments to ensure that the appropriate safeguards are in place to protect data from unauthorized access. However, there are many differences in the documents that should be noted. First, the IDTA does not distinguish between different transfer relationships, meaning that there is no difference between IDTAs for controller-to-controller, controller-to-processor, or processor-to-processor relationships. This should allow for a more streamlined implementation process, since businesses will only need to choose to update contracts with either the IDTA or the EU SCC Addendum, rather than updating all legacy contracts with a different module based on which processing relationship is applicable. Second, separate agreements can be referred to, and incorporated, within the IDTA via linked agreements. There is no option for supplemental commercial contracts to be referenced in the EU SCCs. Finally, the IDTA allows for arbitration as a dispute resolution mechanism. The arbitration must be conducted in London under the LCIA rules. The EU SCCs do not allow for arbitration as a dispute resolution mechanism, and arbitration under the IDTA could prove to be generally cheaper and faster than litigation.
(B) Addendum. The Addendum is a document meant to supplement the terms of a transfer agreement that already uses the EU’s new SCCs. This is particularly useful in situations where the data transfer includes data of individuals located in both the EU and the U.K., and as such, the transfer is subject to both the EU GDPR and the U.K. GDPR. Substantively, the Addendum does not differ significantly from the EU SCCs. The differences reflect the U.K. GDPR rather than the EU GDPR, such as choice of law and forum selection. Furthermore, the Addendum states that if there is a conflict between the SCCs and the Addendum, the Addendum will prevail for restricted transfers unless the clauses of the SCCs provide more protections for data subjects, in which case the SCCs prevail.
Many European businesses are in the process of updating their contracts to incorporate the new EU SCCs. The release of the U.K. counterpart will help clarify how U.K. businesses can update contracts for cross-border data transfers. For contracts that are already executed with the new EU SCCs, a single addendum can be added to ensure compliance with the U.K. GDPR. For contracts that are only for U.K. data transfers, by contrast, the IDTA can be executed in order to safeguard the data in transit. The release of the IDTA and the Addendum together provides some uniformity and clarity regarding a streamlined process to update contract templates and execute contract addendums for compliance with the U.K. GDPR.
Troutman Pepper is keeping up with any developments to the U.K. IDTA and the Addendum to the EU SCCs. The U.K. Information Commissioner’s Office has stated that clause-by-clause guidance to the IDTA and the Addendum, guidance on how to use the IDTA, and guidance on how to perform the transfer risk assessments are coming. Contact Angelo Stio or Lissette Payne with any questions or to discuss the impact of the new U.K. data transfer mechanisms on your business.