DWF Data In-Depth - 1: UK International Data Transfer Agreement and UK Addendum: An Analysis

As mentioned in our previous article, the new UK regime for international data transfers has been published. Organisations have two options when transferring personal data to third countries outside of the UK for UK GDPR compliance.  In order to effect the changes, they may either enter into the UK International Data Transfer Agreement ("UK IDTA") which is a standalone transfer mechanism for UK compliance only, or the UK International Data Transfer Addendum ("UK Addendum") which "bolts" on to the new EU SCCs, and therefore covers both EU and UK compliance.  We'll refer to these two options as the "UK Transfer Mechanisms". 

Please see our previous article for a high level overview of the new regime. 

In this article, we will provide additional insight into the new regime including when to use the UK IDTA / UK Addendum; how organisations can implement the two options; the risk and obligations implications of the new UK Transfer Mechanisms; and the requirement for Transfer Risk Assessments.  This of course sits alongside the usual checks organisations should do when putting in place new arrangements including an appropriate level of due diligence and a suitable contract.  

Timeline for using the new UK Transfer Mechanisms

The new regime came into force on 21 March 2022 and organisations must adhere to the following timelines: 

• Organisations can continue to enter into new transfers on the basis of the old EU SCCs until 21 September 2022 (either as amended by the ICO or not – note that this is the old EU SCCs not the ones published in 2021); 
• From 22 September 2022, new or amended transfers must be subject to the UK IDTA or Addendum; and 
• By 21 March 2024, organisations must complete their repapering exercise of any existing old transfer documents to the new UK IDTA or Addendum.

UK IDTA/Addendum Timeline vs New EU SCC timeline

Under the transition period for the new EU SCCs which were introduced in 2021, repapering of existing old EU SCCs to the new EU SCCs must be completed by 27 December 2022 for all transfers. With this in mind, organisations may find it helpful to identify which of their transfers are subject to both regimes and align timelines accordingly given the earlier deadline for the EU SCCs and the very common overlap of the now different UK and EU regimes.

Structure and Content of the UK IDTA and UK Addendum

As mentioned above, under the new UK Transfer Mechanisms, organisations either have the option of entering into the UK IDTA or the UK Addendum. Both options are differ structurally and in terms of their content. 

The UK IDTA

The UK IDTA comprises of four parts and whilst parties need to populate a number of details for each of the parts, broadly the information required in each section are as follows:

• Part 1 comprises of four tables - where parties can insert their organisation details, details of the transfer, information about the data being transferred, whether there are any "linked agreements" and any security requirements;
• Part 2 – the parties can insert extra protection clauses where supplementary measures are needed following the completion of a Transfer Impact Assessment/Transfer Risk Assessment (we go into further detail about these assessments later on in the article). These are equivalent to the "supplementary measures" in the EU SCCs;
• Part 3 – the parties can insert additional commercial clauses if there is no "linked agreement" accompanying the UK IDTA; and
• Part 4 sets out the mandatory clauses that the parties are subject to, with the details of the transfer terms.

Please note that references to "linked agreements" in the above section relate to linked commercial agreement(s). The UK IDTA helpfully recognises that if the parties enter into the UK IDTA, it is likely to be part of one or more commercial agreements and this approach ultimately allows for the incorporation of the terms of linked agreement into the UK IDTA.

The UK Addendum

 The UK Addendum is a much shorter document, consisting of two parts:

• Part 1 consists of a number of tables to populate details regarding the transfers. It is worth noting that this is mostly in line with the information required in the new EU SCCs - for example which modules apply.  The one aspect which is not aligned to the EU SCCs is where the parties can choose in Table 2 whether the EU SCCs are being used for EU compliance with UK compliance is being dealt with by the UK Addendum and the EU SCCs, or if they are simply relying on the EU SCCs as part of the UK Addendum for the transfer terms for UK compliance only.  This particular table is not clear – but the first tick box relates to the first option (EU and UK) and the second tick box relates to the second option (UK only).  If the second option is chosen the parties can select which optional EU SCCs clauses the parties will be relying upon; and
• Part 2 contains the mandatory provisions, which amend the new EU SCCs to enable them to work for UK transfer purposes. 

As stated above, the UK Addendum is a much shorter document and the ability for organisations to rely on the new EU SCCs and enter into one set of transfer terms, make this a popular option for transfers subject to both the UK and EU GDPR. 

Points to consider when deciding whether to use the UK IDTA, Addendum and/or the new EU SCCs

As a starting point, organisations will have to determine which laws apply and whether this includes the UK GDPR, EU GDPR or both. 

We have set out below the following high-level checklist to help determine which law applies. Please note that where both tests are satisfied, organisations will have to ensure transfer mechanisms comply for both EU and UK law purposes.

EU GDPR    

1. Entity is established in the EEA; or
2. Entity is not established in the EEA, but is:
   1. Offering goods or services (Free or paid) to data subjects in the EEA; or
   2. Monitoring the behaviour of data subjects in the EEA.    

UK law

1. Entity is established in the UK; or
2. Entity is not established in the UK, but is:
   1. Offering goods or services (Free or paid) to data subjects in the EEA; or
   2. Monitoring the behaviour of data subjects in the EEA.

Organisations will then need to determine whether the transfer in question is a "restricted transfer". 

A "restricted transfer" is set out in Chapter V to the EU GDPR and UK GDPR. This means that organisations, either in their capacity as controller, processor or both, are prohibited from transferring personal data to third countries (i.e. countries outside the EEA and/or the UK that do not benefit from an adequacy decision). Examples of restricted transfers have been included below for illustrative purposes. 

It is important to note that whilst at the moment the UK GDPR takes a somewhat of a 'mirrored approach' to the EU GDPR with respect to adequacy decisions (i.e. when data transfers can occur without the EU SCCs / UK IDTA / UK Addendum), the UK has however signalled its intent to broaden its set of adequacy decisions to include many more countries and has started to do so. In addition, the UK and US have also been in discussion in relation to a new possible UK to US transfer agreement to facilitate transfer of personal data from the UK to the US, separate to the same kind of arrangement also under development between the EU and the US. 

So whilst there are similarities at the point of writing this article, organisations will need to keep a close eye on how the UK progresses in relation to restricted transfers and update its assessments to determine what constitutes a restricted transfer under each regime accordingly.  Whilst the more permissive and expansive UK regime will benefit some UK organisations, those who are caught by EU GDPR as well will need to comply with the more restrictive EU regime as well. 

Once an organisation determines that it will need to enter into a transfer mechanism, it will need to determine which transfer mechanism is most appropriate.  Another key point to consider at this stage is the other party's commercial approach to data transfers.  We are seeing a number of US-based providers in particular refusing to enter into the new UK IDTA on the basis that either the old EU SCCs can be relied upon until March 2024 as noted above (so long as the transfers remain the same) or that the new EU SCCs plus the UK Addendum can be used for consistency of their operations (i.e, they are subject to one regime to manage then, not two – the differences being noted below and detailed in the Appendix). 

A helpful way to understand which transfer mechanism may apply is to consider the following example scenarios:

"A UK entity transfers UK employees' data to third party HR support based in India."

In the above scenario, only the UK GDPR applies as the organisation is established in the UK and the data subjects are in the UK. The transfer is a restricted transfer as the transfer is to India, a country that does not benefit from an adequacy decision and is considered a third country.  The UK entity therefore has the option to rely on either the UK IDTA or the UK Addendum including the EU SCCs for UK compliance only.

"A UK entity offers goods and services to consumers in the UK and France, the UK and French data subjects' personal data is transferred to India for CRM support."

In this case, the organisation is based in the UK but offers goods and services in France, therefore both the UK and EU GDPR applies. As in the first example, the transfer is a restricted transfer, as India does not benefit from an adequacy decision under the EU GDPR either. In line with the new regime, the UK entity can either: (a) enter into the UK IDTA and the new EU SCCs separately; or (b) the organisation can enter into the UK Addendum, which has the ability to rely on the terms of the new EU SCCs for UK transfer purposes as well as EU GDPR compliance.

Key themes, obligations and liabilities

The table in the Appendix provides a high-level overview of how the UK IDTA deals with some of the key themes, obligations and liabilities and if there are any similarities or differences with the new EU SCCs. 

Our webinar goes into additional details regarding these similarities and differences and provides an overview of the practical considerations organisations may wish to take into account in the context of each area.  

We recommend that you watch our webinar for an in-depth analysis, including areas not covered in the Appendix.  Our webinar can be found here. 

UK Transfer Risk Assessments

Regardless of whether an organisation opts to proceed on the basis of the UK IDTA or the UK Addendum, the parties must undertake a Transfer Risk Assessment (TRA) if your organisation is making a restricted transfer. This is equivalent to the Transfer Impact Assessment (TIA) under the new EU SCCs.  We can design models which address both requirements in one consolidated version.  

This is a risk assessment that assists Data Exporters to determine if the mechanisms they intend to use for an international data transfer to a third country plus the recipient organisation and legal regime provide an adequate level of protection in the context of that particular transfer. 

The Schrems II judgment embedded risk assessments into the rules on international data transfers. Please note that as a result of this judgment, the risk assessment must be carried out before a data transfer, and it will inform some of the content which goes into the data transfer documentation.

Steps required to complete a TRA:

1. Inventory phase/know your transfer - i.e. know where the personal data in question is being processed or will be processed;
2. Identify the transfer tools i.e. SCCs, BCRs or other;
3. Country risk assessment and transfer risk assessment i.e. assess the effectivity of the transfer tool relied upon at step ii. above, based on publicly available legislation of third country with the help of the Data Importer(s). One of the elements to address here is whether or not the personal data in question could be accessed by public authorities, and if so, whether or not the access is proportionate and if data subjects are provided with effective redress in the event of any issues; 
4. Discussion on supplementary measures - i.e. what additional measures can be implemented to close the transfer risk identified at step iii. These could include for example, additional technical measures, organisational measures, contractual measures etc.;
5. Procedural steps i.e. understand if the transfer tool at step ii. provides effective/appropriate guarantees in light of the assessment and supplementary measures at steps ii. and iii, if not, do not transfer the data; and
6. Re-evaluation – accountability is a continuing obligation under both the UK and EU GDPR and parties will have to re-assess periodically to ensure the assessment remains relevant.

The ICO has launched a draft TRA tool, which aims to assist organisations when carrying out a TRA. This includes three parts:

1. Assessing the transfer; 
2. Determining whether the IDTA is likely to be enforceable in the third country; and 
3. Determining if there is appropriate protection against third party access. 

DWF's Data Protection and Cyber Security Team has established a practical methodology to assist organisations that are required to complete such assessments as part of their international data transfers. Please watch the webinar for further insight into DWF's methodology.

What next?

The ICO has stated that it will be publishing additional guidance on the new approach including the following:

• Clause by clause guidance on the IDTA and UK Addendum;
• Guidance on how to use the IDTA;
• Guidance on the Transfer Risk Assessments; and
• General clarification around the IDTA;

We anticipate the guidance will provide much needed clarification on the implementation of the new approach, which we will publish more information about in due course.

Contact us for details of our toolkit for international data transfers, including intra-group arrangements and transfer risk assessments. 

Written by JP Buckley and Najiba Sultana