UK sets out two alternatives to provide adequate contractual protection for the export of personal data from the UK
In February 2022, the UK government published two alternative sets of contracts that can be used by organisations wishing to export personal data from the UK to countries that do not otherwise provide adequate protection, both of which take account of the ECJ’s decision in Schrems II. The contracts are not needed if the destination country’s laws provide adequate data protection, so they are not needed for data export to the EU (or EEA, or other countries with adequate statutory protection). The two alternatives are:
- an addendum to the SCCs recently published by the European Commission (“SCC Addendum”), which in large part adopts the new EU SCCs
- a UK-only International Data Transfer Agreement (“IDTA”)
Background – UK GDPR requires adequate protection for personal data export
Following Brexit, UK data protection law (specifically UK GDPR) continues (for now) to largely mirror EU data protection law. Articles 44-50 of the UK GDPR prohibit the export of personal data from the EU to a third country unless the data exporter can ensure that ‘the level of protection of natural persons’ is the same after export as within the UK.
UK GDPR sets out alternative ways in which the legally required protection for exported personal data can be achieved:
- first, the UK may find that the third country’s laws provide adequate protection (article 45 GDPR) and personal data may be exported on that basis.
- second, personal data may be exported where appropriate safeguards are put in place, and enforceable data subject rights and effective legal remedies for data subjects are available (article 46(1) GDPR). GDPR specifies what appropriate safeguards may be used:
  - a legally binding and enforceable instrument between public authorities or bodies (art 46(2)(a))
  - binding corporate rules (art 46(2)(b))
  - use of standard data protection clauses adopted by the UK Government or ICO (art 46(2)(c) and (d))
  - an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (art 46(2)(e))
  - an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (art 46(2)(f))
  - subject to approval by the ICO, contractual clauses and/or cross border administrative arrangements (art 46(3))
- finally, there are limited derogations (art 49) which allow the export of personal data in certain ‘exceptional’ circumstances. The derogations should not be relied on for routine ‘business as usual’ data export.
Timing and transitional provisions
Unlike in the EU, the old EU SCCs remain valid for data export from the UK until 21 March 2024 provided that they were entered into before 21 September 2022.
Whilst the new arrangements only become mandatory from 22 September 2022, we recommend that they are used for all new data export contracts and that a process is started to review and replace existing arrangements before March 2024.
UK SCC Addendum
It is very welcome that the Addendum effectively adopts the EU SCCs, and allows companies that are using the SCCs for their EU (and EEA) data export to effectively adopt the same approach for the UK.
In practice, multi-national organisations are using the Addendum in preference to negotiating UK-specific data export arrangements.
The UK IDTA is a solution in search of a problem, and whilst it offers an interesting alternative to the SCCs, its use in the real world seems likely to be very limited.