Standard contractual clauses are one of the key tools relied upon by organizations that transfer personal data to recipients in ‘inadequate’ countries under the UK and/or the EU General Data Protection Regulation.
However, unlike in the European Union – where new SCCs were adopted in 2021 (the “New EU SCCs”) – the old EU SCCs have remained a valid transfer mechanism under the UK GDPR. (For more information on the UK GDPR, refer to our UK Privacy Update post.)
The UK has sought to replace the old EU SCCs with more UK GDPR-specific transfer tools. So, following a consultation by the UK Information Commissioner’s Office in 2021, the UK government put final versions of the following new data transfer tools (“New UK-specific Transfer Tools”) before the UK Parliament:
- A UK International Data Transfer Agreement (IDTA).
- A UK addendum to the New EU SCCs that may be used to supplement the New EU SCCs where UK data transfers occur alongside EU data transfers.
Based on the proposed transitional provisions/arrangements also presented to Parliament (provided that the UK Parliament raises no objections), the timeline for the rollout of the New UK-specific Transfer Tools will be as follows:
- 21 March 2022: The New UK-specific Transfer Tools enter into force and can be used as a transfer mechanism under the UK GDPR.
- 21 September 2022: All new contracts governing UK data transfers need to use one of the New UK-specific Transfer Tools.
- 21 March 2024:
- Until this date, existing contracts can continue to rely on the old EU SCCs, assuming the subject matter of those contracts remains unchanged.
- After this date, all contracts governing UK data transfers need to use one of the New UK-specific Transfer Tools.
We will provide a further update on the practical impacts of the adoption of these New UK-specific Transfer Tools – including an analysis of any similarities and differences between the IDTA and the New EU SCCs – in an upcoming blog post.