Parliament approves UK Data Transfer Agreement and addendum

We take a further look at the UK’s new international data transfer agreement and addendum and consider their practical implications for organisations.

23 March 2022


Introduction

Following on from the UK Information Commissioner's Office's (ICO) announcement, on 02 February 2022, that the following documents were to be laid before Parliament:

  • UK form of international data transfer agreement (IDTA);

  • international data transfer addendum to the European Commission's standard contractual clauses (EU SCCs) (Addendum); and

  • a document setting out transitional provisions,

the ICO has now confirmed that the IDTA and the Addendum have been approved by Parliament with effect from 21 March 2022.

The ICO has also indicated that the following guidance documents will follow:

  • Clause by clause guidance to the IDTA and Addendum.

  • Guidance on how to use the IDTA.

  • Guidance on transfer risk assessments.

  • Further clarifications on its international transfers guidance.

In this article, we consider the practical implications and key features of the IDTA and Addendum for clients. Further implications of the IDTA and Addendum may become clear in due course once the guidance documents referred to above are published. This article therefore represents a "first pass" at the new documents.

Practical implications and key features

From a process perspective:

  • When to implement the new IDTA and Addendum: the transitional provisions allow organisations to continue using the "Transitional Standard Clauses" published by the ICO until (and including) 21 September 2022. While this leeway is helpful, we see limited downside to implementing the new clauses more quickly if possible.

  • When to repaper existing transfers: The transitional provisions identify 21 March 2024 as the date by which this must happen.

  • Which to use - the IDTA or the Addendum? Organisations will wonder whether to use the IDTA (a freestanding UK form of data transfer agreement) or the Addendum (essentially a "UK law converter" for the EU SCCs, which incorporates them by reference). In short, until we have received the guidance documents, it is too early to tell precisely what is expected of organisations and therefore what the benefit of using one rather than the other is. The differences between using the IDTA and the Addendum do not seem substantive. We expect that international organisations will generally prefer to use the Addendum as it results in the obligations which apply to importers in the group being more uniform.

In terms of the contents of the IDTA and Addendum:

  • Substance over form: as well as being drafted in plain English, the IDTA and Addendum make clear in various places that organisations are free to set out the information required by the clauses in the forms they wish, can remove clauses that are not applicable, may amend the IDTA for use in multi-party arrangements and that the clauses do not need to be signed to become binding. These are welcome clarifications for organisations which will be integrating these documents into wider commercial agreements or intra-group data transfer agreements which also address other countries' laws. It is also helpful that the IDTA is automatically updated whenever its UK-approved template is updated.

  • No Modules: unlike the EU SCCs, the IDTA does not include modular terms that apply based on whether the exporter and importer are controllers or processors. However, it does require the parties to specify their roles and, in some places, make clear that obligations only apply in certain circumstances. As referred to above, it is possible to edit the IDTA if certain clauses are not applicable and we expect that organisations will want to do that. Please see also our comments on "separate agreements needed for processors".

  • Separate agreements needed for processors: also unlike the EU SCCs, the IDTA makes clear that if the importer is a processor or a sub-processor instructed by the exporter, a separate agreement meeting the requirements of Article 28 (relating to the appointment of processors) will need to be entered into. This represents an unhelpful administrative burden, particularly in relation to sub-processors with which exporters have no other direct contractual relationship.

  • The "Linked Agreements" concept - helpful or unhelpful? The IDTA includes the concept of "Linked Agreements" which refers broadly to agreements related to the IDTA. On the one hand, this concept is helpful insofar as it saves the parties from re-stating (or updating) the details of the data transfer. On the other, including obligations on organisations to comply with their obligations under the Linked Agreement in the IDTA could be viewed as unnecessary duplication of obligations. Additionally, as information in the IDTA is not captured in one place, in some circumstances the parties will need to provide information from Linked Agreements to others, including data subjects, on request. Overall, therefore, the Linked Agreements concept is a mixed blessing.

  • "Extra Protection Clauses": the IDTA includes the concept of "Extra Protection Clauses" as well as the more familiar (from the EU SCCs) placeholder for a description of the technical and organisational security measures which apply (referred to as "Security Requirements"). Our interpretation is that Extra Protection Clauses are only mandatory if the importer carries out automated decision-making using the data it is processing. It will be interesting to review the further guidance on this point.

  • What about Schrems II? The IDTA includes provisions requiring the importer to notify the exporter of public authority access requests, where permitted by law, which are broadly similar to those in the EU SCCs. It also includes provisions requiring exporters to carry out "reasonable checks" on their importer's ability to comply with the IDTA and requiring importers to support exporters. There are also a few references to Transfer Risk Assessments or TRAs. It remains to be seen what the requirements in relation to TRAs will be (and how, if at all, they will differ from the European Data Protection Board's recommendations in relation to transfers to which the EU GDPR applies). Again, we expect the position on this to become clearer once the further guidance has been issued.

  • Need for importers to be familiar with UK data protection law: while in certain places the IDTA spells out what importers are required to do (for example in relation to data breach response), in others importers are required to familiarise themselves with the requirements under UK law as if it applied to them. Also, the IDTA requires the parties to specify whether the UK GDPR applies to the importer. If it does, certain provisions of the IDTA are disapplied. We expect that many importers will not have carried out this analysis. In both cases, there will therefore likely be a job for importers to do.

Conclusion

The approval of Parliament and subsequent coming into force and effect of these documents represents an important step in the implementation of the UK's compliance requirements relating to international data transfers. While further guidance is expected (on which we will comment when it becomes available), organisations can now start putting in place processes in relation to international data transfer compliance as well as in relation to re-papering the agreements relating to their existing transfers.
