Personal data export from the UK

ByRob Bratby Posted on Telecoms regulation, Countries, Data Protection, DSIT, Government policy, Regulatory action, UK
Personal data export from the UK Bratby Law DATA PROTECTION

UK sets out two alternatives to provide adequate contractual protection for the export of personal data from the UK

What happened?

In February 2022, the UK government published 2 alternative sets of contracts that can be used by organisations wishing to export personal data from the UK to countries that do not otherwise provide adequate protection, both of which take account of the ECJ’s decision in Schrems II. The contracts are not needed if the destination country’s laws provide adequate data protection – so are not needed for data export to the EU (or EEA, or other countries with adequate statutory protection). The two alternatives are:

  1. an addendum to the SCCs recently published by the European Commission (“SCC Addendum“), which in large part adopts the new EU SCCs
  2. a UK only International Data Transfer Agreement (“IDTA“)

Background – UK GDPR requires adequate protection for personal data export

Following Brexit, UK data protection law (specifically UK GDPR) continues (for now) to largely mirror EU data protection law. Articles 44-50 of the UK GDPR prohibit the export of personal data from the EU to a third country unless the data exporter can ensure that ‘the level of protection of natural persons‘ is the same after export as within the UK.

UK GDPR sets out alternative ways in which the legally required protection for exported personal data can be achieved:

  • first, the UK may find that the third country’s laws provide adequate protection (article 45 GDPR) and personal data may be exported on that basis.
  • second, personal data may be exported where appropriate safeguards are put in place with enforceable data subject rights and effective legal remedies for data subjects are available (article 46(1) GDPR). GDPR specifies what appropriate safeguards may be used:
    • legally binding and enforceable instrument between public authorities or bodies (art 46(2)(a))
    • binding corporate rules (art 46(2)(b))
    • use of standard data protection clauses adopted by the UK Government or ICO (art 46(2)(c)and (d))
    • an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (art 46(2)(e))
    • an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (art 46(2)(f))
    • subject to approval byICO, contractual clauses and/or cross border administrative arrangements (art 46(3)
  • Finally, there are limited derogations (art 49) which allow the export of personal data in the certain ‘exceptional’ circumstances. The derogations should not be relied on for routine ‘business as usual’ data export.

Timing and transitional provisions

Unlike the EU, the old EU SCCs remain valid for data export from the UK until 21 March 2024 provided that they were entered into before 21 September 2022.

Whilst the new arrangements only become mandatory from 22 September 2022, we recommend that they are used for all new data export contracts and that a process is started to review and replace existing arrangements before March 2024.

UK SCC Addendum

It is very welcome that the Addendum effectively adopts the EU SCCs, and allows companies that are using the SCCs for their EU (and EEA) data export to effectively adopt the same approach for the UK.

In practice, multi-national organisations are using the Addendum in preference to negotiating UK specific data export arrangements.

UK IDTA

The UK IDTA is a solution is search of a problem, and whilst it offers an interesting alternative to the SCCs its use in the real world seems likely to be very limited.

Update: data export under the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 introduces changes to the UK framework for data export. The Act gives the Secretary of State additional powers to approve new transfer mechanisms and to make adequacy regulations recognising countries as providing adequate protection for personal data export. These powers are expected to streamline the process for adding new countries to the UK adequacy list, making data export to those jurisdictions simpler.

The Act also introduces a power-to-recognise mechanism for alternative transfer safeguards beyond the IDTA and SCC Addendum. Organisations currently relying on these instruments for data export should monitor commencement regulations closely, as new transfer mechanisms may become available that offer greater flexibility. However, existing IDTA and SCC Addendum arrangements remain valid and do not need to be replaced.

Practical steps for data export compliance

Organisations that export personal data from the UK should maintain a register of international transfers, documenting the transfer mechanism used, the destination country and the transfer risk assessment for each data export. Where a transfer risk assessment identifies concerns about the destination country’s legal framework, supplementary measures may be needed alongside the IDTA or SCC Addendum. The ICO has published guidance on international transfers including a transfer risk assessment tool.

For advice on data export mechanisms, transfer risk assessments and international data transfers, see our page on data governance, transfers and accountability or contact Rob Bratby.

Select topics of interest

Similar Posts