The UK International Data Transfer Agreement (IDTA) Explained

Published May 16, 2022
Author

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

The United Kingdom's exit from the European Union meant that all UK laws based on EU regulations are being reviewed. A plethora of agreements, treaties, and laws were intertwined between the two, and they now require reassessment.

It wasn't long until the question of data transfers came up. At first, data protection was one of the less affected areas post-Brexit, as the UK’s 2018 Data Protection Act broadly mirrors the GDPR in various aspects. As far as the law's implementation is concerned, several roles that the European Commission and the European Data Protection Board (EDPB) had are now held by the UK government and the Information Commissioner's Office (ICO).

The UK parliament has since published papers suggesting changes to this law and over time we can expect changes to be made.

In February 2022, the Secretary of State of the UK presented the international data transfer agreement (IDTA) before the Parliament. It came into effect the following month.

What is the IDTA? How does it relate to the Schrems II judgment? And most importantly, how does it affect the current data arrangement between the UK, EU and non-EU jurisdictions?

Brief Background

As per Article 46 of the GDPR, data transfers outside the European Economic Area (EEA) can take place only to adequate countries, i.e., countries where an adequate level of data protection is ensured. For data transfers to non-adequate countries, appropriate safeguards need to be in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the European Union. These safeguards include Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) and ad-hoc contractual clauses.

In 2020, the Court of Justice of the European Union issued its verdict in the Schrems II case, which invalidated the European Commission’s EU-US Privacy Shield arrangement but upheld the use of the SCCs to transfer data securely outside the EU. For SCCs to be valid, however, data exporters are required to review the legal regime of the country the data is transferred to. Hence, organizations must now carry out a transfer risk assessment to assess whether the SCCs are an effective protection for the transferred data, and undertake supplementary measures to protect the data further based on their assessment.

In June 2021, the European Commission published new SCCs, primarily to address the deficiencies identified in the Schrems II judgment. While they came into effect across the EU, the UK had already left and did not implement the SCCs.

The International Data Transfer Agreement (IDTA) Introduced

For transfers from the UK to non-adequate third countries (mostly countries not in the EEA), the ICO has released the International Data Transfer Agreement (IDTA) and draft guidance on transfer risk assessments. The IDTA is considered to be a replacement of former SCCs and facilitates transfers from the UK to non-adequate third countries.

Starting in August 2021, the ICO released the IDTA for public consultation. Despite what the name suggests, the IDTA is effectively the UK's version of SCCs.

An additional addendum amends the new EU SCCs to aid data transfers from the UK to countries that do not have equivalent data protection laws.

Lastly, there are transitional provisions that are to be followed for the next couple of years until more concrete legislation on the matter is in place.

There are a fair number of similarities between the IDTA and the EU's new SCCs, such as exhaustive contractual obligations for both the exporters and importers of data internationally. Crucially, the IDTA considers the Schrems II judgement by placing several obligations upon both the importers and exporters of data to and from the UK.

The transitional provisions mentioned above allow organizations following the old SCCs before 21 September 2021 to continue making international data transfers until 21 March 2024. However, this requires that an organization enter an obligation not to change its processing operations during this period and take the appropriate measures to ensure they comply with the IDTA by 21 March 2024.

IDTA vs. EU SCCs

So, how different is the IDTA from the new EU SCCs?

Many of the differences between the two are superficial, such as the IDTA being shorter and its language being more "user-friendly" than that of the new EU SCCs.

There are various practical differences as well. Some of these include the following:

Format

The IDTA does not follow a modular format like the one prescribed in the new SCCs.

The new EU SCCs consist of modules of processor obligations related to data transfers, such as data controller to a data processor, data processor to sub-processor, processor-to-processor, and processor-to-controller contracts. These modules facilitate the implementation of Article 28 of the GDPR.

The IDTA instead introduces a "linked agreement". If a data importer is a processor or sub-processor, they must have a linked agreement in place in line with the IDTA provisions.

Disputes

Another critical difference between the two is the provision in the IDTA that allows parties to resolve disputes by arbitration, with termination provisions in the Addendum and the main IDTA.

The ICO guidance on international transfer and transfer risk assessment is similar to the one issued by the EDPB with some minor differences. The UK approach consists of the same three steps as required by the EDPB when assessing a transfer:

  1. Assess the particular transfer,
  2. Assess the legal protections offered by the third country, and
  3. Assess the potential impact on the data subjects of the transfer and any risk of harm to data subjects you identify.

Scope

The ICO clearly communicated that organizations could choose whether they want to use the Addendum or the IDTA when making international transfers.

The IDTA is an appropriate safeguard that incorporates and modifies the new EU SCCs accordingly to ensure all incoming and outgoing data transfers are afforded proper protection in countries that do not have an adequacy decision.

Alternatively, organizations may opt for using the Addendum since it allows them to use the EU SCCs when making transfers from the EU and additionally, the Addendum when making transfers from the UK at the same time.

The latter approach will appeal to organizations that want a more straightforward drafting process since they offer simpler contractual provisions between the EU and the UK. Moreover, organizations with experience in dealing with the new SCCs may find it more attractive than complying with the UK IDTA since it allows for a more streamlined approach.

Flexibility of Use

This is more of an extension of the aforementioned difference. The IDTA has been designed keeping in view the data transfer requirements of the UK. At the same time, the Addendum allows organizations to continue using the EU SCCs themselves to cover both transfers.

For organizations with a global presence that requires frequent transfers of data in and out of the UK, the EU, and any third country, the IDTA would be the more cumbersome option compared to the Addendum.

That being said, for organizations that will primarily be transferring data only from the UK to a third country, the IDTA may seem like the better option owing to its linked agreement provision, arbitration clauses, and the more user-friendly text.

How Can Securiti Help?

The IDTA will require organizations to assess data flows from the UK to non-adequate third countries.

Naturally, the sheer volume of data involved renders such an exercise an incredibly arduous task. However, that's where Securiti can be of help.

Securiti is a market leader in providing enterprise solutions in data governance and data compliance. Thanks to its state-of-the-art artificial intelligence and machine learning algorithms, it can resolve your compliance-related issues at the click of a button.

Securiti offers an all-encompassing and comprehensive Schrems-II solution to enable companies to conduct effective cross-border data transfer risk assessments, identify and review data transfers, and remediate discovered vendor risks as per the applicable legal requirements. Securiti can show data transfers between the UK and other jurisdictions, allowing you to evaluate data movements. Securiti provides assessment automation, vendor risk assessment, and reporting to audit how your systems comply with the IDTA.

Request a demo today and see how Securiti's tools can help you achieve compliance with both the IDTA and the new SCCs.
