New Regime for International Data Transfers

February 3, 2022
Tim Heywood


View profile

Readers may be aware that the ICO’s proposed new safeguard arrangements (that will enable the lawful transfer from the UK of personal data to countries that do not have the benefit of an “adequacy decision”) have now been laid before Parliament.

Assuming there is no objection by Parliament, the new rules will come into force on 21st March this year.

Prior to that date, data protection officers and heads of IG will want to be sure they have updated and revised their arrangements for “restricted” international data transfers.

In brief, the changes are –

(i) personal data already subject to an agreement dated on or before 21 September 2021 can continue to use the existing safeguards (principally the EU’s SCCs) until 21 March 2024;
(ii) any changes to such an agreement will mean having to adopt the new UK safeguards;
(iii) all other restricted transfers will, similarly, need to utilise one of the two new mechanisms.

The package of measures laid before Parliament contains:

(a) a new, UK International Data Transfer Agreement (IDTA);
(b) a form of UK Addendum to the EU Standard clauses (which were adopted by the EU last year.); and
(c) details of the transitional arrangements.

The package is the result of the ICO’s recent fairly extensive consultation process which we, like many others, responded to in some detail.

Its main aim is to ensure that, now the UK is no longer an EU member, it has in place its own comprehensive data transfer regime whilst ensuring, as far as possible, that nothing in the new UK legislation risks losing the benefit of the adequacy decision the EU has already given to the UK. That decision continues to facilitate the relatively smooth transfer of data from the EEA to the UK.

The UK has similarly made an adequacy decision in favour of the EU.

The package of measures will only be relevant where a proposed international transfer is to a country (such as the US) that does not have the benefit of an adequacy decision.

As well as continuing to update the data processing provisions in their commercial agreements (and their data processing agreements) to reflect the new UK GDPR, data protection officers and Heads of IG will want to overhaul their transfer processes to ensure their transfer risk management is up to date and their organisations are ready to use the new safeguards in the form of either an IDTA or an Addendum.

Tim Heywood FRSA is a solicitor and partner at gunnercooke specialising in Data Protection law and practice.