Transferring UK Personal Data to the US Using the UK International Data Transfer Agreement or the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses
This article is an update to an article previously published in the Utah Bar Journal that my colleague, Robert Snyder, and I authored in 2021. Rachel Naegeli and Robert Snyder, "Navigating Changes to European Union Data Privacy," 34 Utah B.J., 33, Nov/Dec 2021.
In “Navigating Changes to European Union Data Privacy,” we explained how to use the European Union’s updated Standard Contractual Clauses (New EU SCCs) to transfer “EU Personal Data,” the personal data of individuals in the European Economic Area (EEA) – which includes the twenty-seven European Union (EU) countries plus Norway, Iceland, and Liechtenstein – to the United States. To quickly recap, an approved transfer mechanism like the Standard Contractual Clauses is necessary because the United States has been deemed not to have adequate privacy laws by the EU and the UK, among others. Thus, personal data transfers from those jurisdictions to the US are considered restricted transfers. Under the EU General Data Protection Regulation (2016/679) (GDPR), appropriate safeguards, including an approved transfer mechanism, are required in order for restricted transfers to be lawful.
The New EU SCCs were adopted by the European Commission in June 2021, providing one possible mechanism for EU Personal Data to be lawfully transferred to the US.1 At the time of our article’s publication, one question that remained unanswered was how the United Kingdom would handle transfers of UK residents’ personal data to the US in light of its exit from the European Union. Following Brexit, the UK adopted a piece of data privacy legislation almost identical to the EU GDPR. The UK version (the UK GDPR) contains an equivalent provision regarding restricted transfers in its Article 46, which also calls for appropriate safeguards for international transfers to countries that have not received an adequacy decision. Initially, the UK Information Commissioner’s Office (ICO) allowed transfers to continue on the basis of the “old” EU SCCs (the Old EU SCCs), which had been drafted to meet the requirements of the pre-GDPR EU Data Protection Directive, while the UK developed its own international data transfer mechanism. The big question was whether the UK would adopt standard contractual clauses that were nearly identical to the New EU SCCs or adopt something different.
In February 2022, the UK government answered this question when Parliament was presented with a New UK International Data Transfer Agreement (IDTA), a stand-alone document equivalent but not identical to the New EU SCCs, and a data transfer addendum, an add-on to the New EU SCCs (the UK Addendum). The IDTA and the UK Addendum came into force on March 21, 2022. Organizations can now use the IDTA or the UK Addendum as a mechanism to comply with UK GDPR’s requirement under Article 46, to take appropriate safeguards when making restricted transfers.
At the same time, the UK also adopted transition provisions, which allowed continued use of the Old EU SCCs, provided that the contract was entered into before September 21, 2022. Since this window has closed, the transition provisions will not be discussed herein, though it is worth noting that if your client put the Old EU SCCs in place for UK transfers prior to September 21, 2022, the processing described in the agreement remains unchanged.
This article introduces the IDTA and the UK Addendum and explains how your Utah-based clients can use the IDTA and the UK Addendum to transfer UK Personal Data to the US. For most Utah-based companies, compliance efforts will hinge on their implementation of the New EU SCCs. Organizations that do not already use or do not plan to concurrently implement the new EU SCCs will need to implement the IDTA.
Both the IDTA and the UK Addendum have been made available on the ICO website. The remainder of this article will discuss these documents; thus, you might find it useful to have them open for your reference.
For organizations that do not use the New EU SCCs
Organizations that do not transfer personal data from the EEA and only need to provide a mechanism for transferring UK personal data should use the IDTA for UK to US personal data transfers.
The IDTA comprises contractual clauses addressing data protection and privacy that satisfy the UK GDPR’s requirement to provide appropriate safeguards when transferring UK Personal Data to countries that have not received an adequacy decision.
Using a preapproved contractual mechanism to protect personal data is a familiar concept to lawyers that have been following data privacy laws in Europe. As noted above, the IDTA fills a similar role for transferring UK Personal Data as the New EU SCCs do for EU Personal Data. At this point in your read, I suggest you open the IDTA online. You will note that the IDTA is presented in a friendly, fill-in-the-field format. The process of completing the IDTA is relatively straightforward. That said, there are a few important details to keep in mind.
First, unlike the New EU SCCs, the IDTA does not take a modular approach. Instead of selecting a version of New EU SCCs Module 2 or 3, you will identify the roles of the parties vis-à-vis the data – as either the data importer or the data exporter – and the roles of the parties relative to one another – as controller, processor, or sub-processor – in IDTA Table 2, Transfer Details.
Second, unlike the New EU SCCs, the IDTA does not meet the requirements of an Article 28 data processing agreement (DPA). While the New EU SCCs can be used without an accompanying DPA, the IDTA requires a DPA in what it calls a “linked agreement.” To reiterate, the IDTA cannot merely be attached to a master services agreement unless that agreement itself contains all the Article 28 elements. Instead, you should be aware that when assisting your clients with compliance with UK data privacy obligations, you may need to draft an addendum to the master services agreement that incorporates the linked agreement and the IDTA.
Finally, the IDTA requires that organizations conduct a Transfer Risk Assessment (TRA) to ensure that the safeguards provided by the IDTA do not conflict with legislation in the country to which the UK Personal Data will be transferred and that a sufficient level of data protection is achieved. The ICO published a draft TRA Tool in August 2022, which will help you guide your clients through their UK data protection efforts.
For organizations that use EU SCCs
The majority of organizations transferring data across the Atlantic to the US do not limit their data to that of UK data subjects. Thus, most of your clients have likely already incorporated the New EU SCCs into their existing agreements. By way of a reminder, organizations transferring EU Personal Data to the US had until September 27, 2021, to begin using the New EU SCCs in new agreements. For existing agreements, at the time of this writing, organizations are still within a grace period that ends on December 27, 2022, during which they can revise previously concluded agreements to implement the New EU SCCs. Thus, if your client transfers data out of the EEA, chances are good that it is already using the New EU SCCs. In such cases, the UK Addendum can be used. The remainder of this article will provide some tips on how to use the UK Addendum along with the New EU SCCs for UK data transfers.
Like the IDTA, the UK Addendum is laid out in tabular fashion. The various tables comprise fillable blanks where organizations can include their contact details and information on the version of the New EU SCCs the Addendum modifies. The New EU SCCs are modular, requiring parties to implement only the modules that apply to the international data transfer described in the underlying agreement. Recall that the New EU SCCs include Module 1, which governs controller-to-controller transfers; Module 2, which governs transfers from controller to processor; Module 3, which governs processor-to-processor transfers; and Module 4, which governs transfers from processor to controller. Table 2 of the UK Addendum requires the parties to indicate which Modules are in operation. Within the New EU SCCs are embedded optional clauses, which must also be identified in Table 2 of the UK Addendum. Specifically, parties need to identify whether their personalized New EU SCCs opt to allow use of the Clause 7 Docking Clause, whether the optional language under Clause 11 applies, whether general or specific authorization is required for the addition of sub-processors under Clause 9a, and the time period for notification of new sub-processors under Clause 9a. Finally, parties are required to indicate whether personal data received from the data importer will be combined with personal data collected by the data exporter. The applicability and availability of the various options depend on the Modules selected.
Table 3 of the UK Addendum requires the parties to include the information that must be provided for the selected modules in the Appendix of the New EU SCCs, including: Annex I.A, List of Parties; Annex I.B, Description of Transfer; Annex II, Technical and Organizational Measures; and Annex III, List of Sub-processors. Again, the information required may depend on the modules used. For example, Annex III only needs to be completed if Module 2 or 3 has been selected.
One aspect of the UK Addendum that may cause confusion is how it integrates into the New EU SCCs. Table 2 of the UK Addendum provides two options. The option that is most appropriate for your client depends on how the New EU SCCs themselves were incorporated into the underlying agreement. Remember, the New EU SCCs can be attached in their entirety to an agreement, exactly as they were approved by the European Commission, with instructions on which modules and options apply included in the agreement. We can call this Option A. The other option, which we will call Option B, is to attach only the relevant module(s) of the New EU SCCs to the agreement, customizing these modules to include only the applicable optional language and to identify the clauses that are inoperative.
If Option A was the approach that was used initially, then when your client adds the UK Addendum, you need to select the second check box, which reads, “the Approved EU SCCs, including the Appendix information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:” and then fill in the boxes that appear below it to identify the modules and options that have been selected. If, on the other hand, Option B was the approach that was used to incorporate the New EU SCCs, then you can select the first check box in Table 2, which reads, “The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information” and then simply include the signature date of the New EU SCCs. These two approaches are both valid and are technically equivalent.
If you are putting the New EU SCCs in place concurrent with the UK Addendum – e.g., for a new agreement – the choice of which approach to use is yours. It is worth highlighting that Option B (the first check box approach) may minimize confusion for the parties by removing the modules and options that do not apply. In addition, since extraneous material is excised, this approach is more concise. The choice ultimately turns on personal preference, but brevity and clarity favor the more tailored approach of Option B.
The remaining selections available in the UK Addendum should be relatively easy to walk through with your client. The ICO has published additional guidance on how to use the UK Addendum on its website for further information.2
CONCLUSION
In conclusion, US companies that process UK Personal Data now have a new path to UK data privacy compliance post-Brexit. For most U.S.-based companies, compliance efforts will hinge on adding a UK data transfer addendum to the New EU SCCs that were adopted by the European Commission in June 2021. Others will implement the UK’s standalone IDTA. We trust the tips and suggestions included in this article will assist you as you lead your clients’ efforts to implement the new UK data transfer mechanisms into their data transfer agreements and comply with the latest guidance on data transfers.
1. To access the Standard Contractual Clauses, please visit the following website: European Comm’n, Standard Contractual Clauses (SCC): Standard Contractual Clauses for Data Transfers Between EU and Non-EU Countries, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. (Last visited Dec. 20, 2022.)
2. To access the ICO guidance, please visit the following website: International Transfer Agreement and Guidance, Int’l Comm’n Office, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/. (Last visited Dec. 20, 2022.)