21 March 2024 Deadline: Are your international data transfer agreements compliant?

If your organisation transfers personal data from the UK to another country, it needs to comply with statutory requirements to ensure adequate levels of protection for that data are in place.

Some countries have an ‘adequacy decision’ which means they have been judged as having adequate protections in place and so you can transfer personal data to these countries without needing any further specific approval.  A normal, commercial data sharing agreement will be enough in those circumstances.

However, in the absence of an adequacy decision, adequate safeguards will need to be put in place before you can transfer data (unless you are able to rely on one of the limited exemptions in the UK GDPR and Data Protection Act 2018).

Standard contractual clauses are one of the most commonly used safeguards.

Standard Contractual Terms

Prior to 2021, the EU had its own set of standard contractual clauses for data transfers which companies in the UK often used (‘Old EU Clauses’).   It updated these in 2021 (‘New EU Clauses’).

The ICO has since developed two sets of standard contractual clauses for the UK.  Which one is appropriate to use depends on whether data is being transferred from the UK only or the UK and EEA.

UK Only – International Data Transfer Agreement

The ICO’s International Data Transfer Agreement (‘IDTA’) is most appropriate for data transfer agreements concluded after 21 March 2022 where data is being transferred from the UK only to another country.

For older agreements based on the Old EU Clauses, there were some transitional provisions allowing organisations time to move onto the new IDTA model, but these expire on 21 March 2024 and, as such, all organisations need to ensure that they are on the new IDTA model from 21 March 2024.

UK and EEA – New EU Clauses and Addendum

Organisations who transfer data from the UK and EEA to other countries will usually need to use the second set of standard contractual clauses produced by the ICO known as the International Data Transfer Agreement Addendum (‘Addendum’).  This Addendum is used alongside the New EU Clauses.

Companies should have already moved onto the New EU Clauses and Addendum model as all transitional provisions expired in 2022.

Steps you should take now!

Companies need to review their data transfer practices and agreements to understand what international transfers occur and the agreements that govern these.  They need to understand if data is being transferred from the UK only, or from the UK and EEA, and whether any of their agreements are based on the Old EU Clauses. They should also check if any of their agreements are based solely on the New EU Clauses, without the Addendum.

Any agreements which are now out of date will need to be transferred onto the new models to ensure they remain valid and legally compliant. If not, the organisation runs the risk of not having adequate safeguards in place for the data transfer, in breach of the legislation. Alternatively, organisations will need to consider whether an alternative safeguard should be used, such as binding corporate rules, or whether they are able to rely on any of the exemptions in the legislation.

Companies should also carry out transfer risk assessments before relying on the standard contractual clauses (or other safeguards), so this will also need to be considered as part of the update.

Our data privacy lawyers are on hand to advise you through this process and to help draft up new agreements as needed.

FAQs – International Transfers

This refers to the act of sending or transmitting personal data from one country to another. It also covers when an organisation makes personal data available to another entity located in another country, i.e. such data being accessible from overseas.

The UK GDPR contains rules on the transfer of personal data to outside the UK. These rules apply to all transfers, no matter the size of the transfer or how often you carry them out.

Yes, you can, provided you have the correct arrangements in place. Transfers from the UK to the EEA do not require any new arrangements; however, transfers to ‘third countries’ (known as ‘restricted transfers’) will require additional safeguards.

This will depend on the circumstances of each case; however, before making a restricted transfer, you should consider whether the personal data needs to be sent, and whether any personal data could be anonymised so that it is not possible to identify individuals.

Broadly, the following questions should be considered under the UK GDPR before a restricted transfer is made:

  • Is the restricted transfer covered by ‘adequacy regulations’?
  • Is the restricted transfer covered by appropriate safeguards?
  • Is the restricted transfer covered by an exception?

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
