Coming soon: New UK SCC's presented to Parliament

Lucas Davies image of Houses of Parliament

Coming soon: New UK SCC's Presented to Parliament

Image by Lucas Davies

This month (February 2022) the Department for Culture, Media and Sport (DCMS) laid before Parliament the new International Data Transfer Agreement (IDTA). This document, as well as its associated transfer addendum and a further document setting out transitional provisions follows a consultation undertaken by the Information commissioner’s office (ICO) in 2021.
Providing there are no objections, the IDTA will come into effect on the 21st March 2022. 

Why is this happening? Who will this affect? And what do these new standard contractual clauses mean for your business? 

Why is the IDTA required?

Since its inception, the EU GDPR and now the UK GDPR have both placed strict requirements upon any transfers of personal data to a non-EU/EEA or non-‘adequate’ country. These transfers are termed ‘restricted transfers’. To perform a restricted transfer (e.g. transferring personal data from a UK based company to a USA based company) you must have a legal transfer mechanism to do so. The most common way of doing this is to include Standard Contractual Clauses (SCCs) to the contractual data transfer agreement. Before Brexit, only the EU Commission were allowed to write SCC templates.

Last year, the EU Commissions SCCs were updated as a consequence of the Schrems II decision (for more information see here our earlier article).  Following Brexit and the implementation of the UK GDPR, these updated EU SCCs no longer apply to UK businesses. This resulted in the ICO beginning the process of drafting its own set of SCCs under the applicable UK law (UK GDPR). 

The IDTA has been designed as the UK equivalent of the EU SCCs and will govern the transfers of UK citizen personal data. 


Who will this effect?

Quite simply any UK businesses that is transferring UK personal data to a non-‘adequate’ country will be required to include the IDTA. This list of ‘adequate’ territories is likely to differ from the EU/EEA’s list. Indeed, the UK government has indicated that they are likely to pursue adequacy partnerships with a variety of states that the EU/EEA has not deemed ‘adequate’ as of yet, such as India and potentially the United States.

However as of February 2022, the provisional UK ‘adequate’ list contains the same states as the EU/EEA list, as well as all EU/EEA members.
As such, the inclusion of SCCs will depend upon the type of data subjects whose data you are processing.

The following table will help identify which is required:

Data Subjects Clauses required

Only EU/EEA

EU SCCs

Only UK

IDTA

Both EU/EEA and UK

EU SCCs with the IDTA addendum

What should we expect as a business?

If no objections are raised by Parliament, the IDTA will come into effect on the 21st March 2022. UK businesses may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022.

All contracts on the basis of the old EU SCCs will continue to provide ‘appropriate safeguards’ for the purpose of UK GDPR, until 21 March 2024. From that date, if the restricted transfers continue, an organisation must enter into a contract on the basis of the IDTA or the Addendum or find another way to make the restricted transfer under the UK GDPR.

All businesses transferring personal data outside of the UK and to a restricted territory should look to identify which SCCs will be most applicable.


About Us: Tacita is a leading General Data Protection Regulation (GDPR) compliance specialist operating from their base in the United Kingdom. This company helps clients maintain their GDPR compliance by undertaking independent external GDPR assessments in a cost-effective manner with minimal disruption to the client. Offering clear and actionable solutions, the company offers an unbiased service ensuring their clients save time, money, and energy when it comes to their GDPR requirements. Tacita provides a three-step process, which includes assessments, recommendations and resolutions with detailed reporting and data processing, record processing and privacy policies. Full details can be found at https://www.tacita.io/

Send us a message

Telephone: +44 20 4526 5699
Email: contact@tacita.io

To see how we use your data, see our Privacy Notice.