Today RopesDataPhiles brings you thoughts from across the pond, with an update on the UK Information Commissioner’s international data transfer agreement and its supporting documentation.
Some days it all comes together. The sun’s shining in London for what feels like the first time in months. One of the kids is going on a week-long school trip. And just when you think it can’t get any better, you remember that the UK Information Commissioner’s international data transfer agreement and its supporting documentation have come into effect, following a period of Parliamentary approval.
As of Monday, 21 March, organisations transferring personal data from the UK have a range of options for papering those transfers. As you’ll see, it’s going to feel much like the pick ‘n’ mix you get at the cinema, only without the intense initial rush followed by a crippling sense of doom when you realise what’s ahead. Or maybe it’s exactly like that.
A word on terminology. References to the “Old EU SCCs” mean the EU’s 2001 and 2010 SCCs; references to the “New EU SCCs” mean the EU’s 2021 SCCs; references to the “IDTA” mean the UK’s new standalone transfer agreement (that is, which can be used in place of the EU SCCs); and references to the “Addendum” mean the ICO’s document that allows organisations that are subject to the UK GDPR to use the New EU SCCs in respect of UK transfers (that is, they don’t need to rely on the IDTA if using the New EU SCCs and the Addendum).
So the question is: what should you do about UK transfers, and when? In the long term, the most operationally sensible solution – particularly for multinational organisations or those dealing with EU and UK transfers – is looking like using the New EU SCCs and the Addendum for all transfers (ignoring for a moment the threat of a Schrems III takedown of the EU SCCs). Indeed, we are already seeing businesses move towards that approach for their new contracts, which does make sense.
In any event, the first key deadline is 22 September 2022, when new transfers can no longer be papered using the Old EU SCCs (rather, the IDTA or the New EU SCCs and the Addendum must be used). For organisations thinking about a date by which to initiate a wider update of contracts, that wouldn’t be a bad place to start.
The ICO has indicated that it will be producing guidance on its new documents, which would have been nice to have in finalised form for the IDTA rollout, but that wasn’t to be. In the meantime, it’s important to remember that exporters of personal data from the UK still need to conduct transfer risk assessments, and the UK’s draft guidance for doing so is generally clear and pragmatic.
And so, the papering exercise continues. But the good news is that we now have all of the pieces in place to allow organisations to take a consistent approach to their UK data transfers. Two years goes very fast indeed, so it’s worth getting the ball rolling soon.