UK: New Obligations for International Data Transfers

Following on from Brexit, the UK has now issued new guidance and documentation which must be complied with by UK businesses transferring personal data outside of the United Kingdom where no adequacy decision or exception applies.

The guidance and documentation were long-awaited to ensure that businesses are compliant, since the EU mechanisms were technically no longer valid under UK law. In this article, we take a look at what this means for UK data transfers and what businesses need to do by 22nd September 2022.

Read on to find out more!

Background

EU legislation applied to the UK from the time the UK joined the European Union until 31st December 2020, when the UK left the EU following the UK referendum that resulted in Brexit. Since that date, the framework governing international transfers of personal data has been under negotiation by the UK government, and we at last seem to have reached a secure position.

Aligning data protection with other jurisdictions

It is well known how much technology has developed over the years and how much we, as a society, can now do thanks to these immense improvements. A significant benefit of this development is the ability to carry out international business in all sectors of commerce. As a result, data may be transferred from country to country between different businesses, or even between different entities of the same business. In order to maintain the protection of data within these transfers, it is important to ensure that legislation is aligned globally.

The General Data Protection Regulation (GDPR) states that it is only possible to transfer personal data outside of the EU provided that certain safeguards are in place in the recipient country. These safeguards include the European Commission ruling that the recipient territory provides a level of protection for personal data that is adequate, i.e. akin to the level of protection found in the EU (known as an Adequacy Decision), or the parties conducting the data transfers entering into special clauses known as the Standard Contractual Clauses (SCCs). The SCCs impose certain obligations on controllers and processors to ensure the security, integrity and confidentiality of personal data and to ensure that data subject rights are upheld. This principle remains enshrined in UK law despite Brexit.

This is because the UK implemented the GDPR into UK law by way of the UK GDPR and the Data Protection Act 2018. The UK was granted an Adequacy Decision by the European Commission in June 2021, in order to facilitate data transfers between the UK and the EU.

Similarly, the UK Government also recognised the EU as being an adequate territory for receiving personal data from the UK.

However, UK businesses still had to rely on EU law SCCs to transfer personal data from the UK to territories to which an Adequacy Decision or other exception does not apply. As the SCCs are founded in EU (and not UK) law, there was a lot of confusion about how they could validly apply to the UK in the post-Brexit world.

UK action to protect personal data in international transfers

Therefore, on 21st March 2022, the UK Government approved the UK International Data Transfer Agreement (IDTA) and the UK Addendum to the new SCCs, creating a new UK GDPR-compliant solution for data transfers that replaces the old regime.

This is even more important for parties in the UK sharing personal data with U.S. based companies, especially in light of the Schrems 2.0 case, in which the European Court of Justice invalidated the EU-US Privacy Shield and imposed stricter obligations on parties transferring data to non-UK/EU jurisdictions.

The Information Commissioner’s Office (ICO) has released the Agreement for parties to put in place in order to secure their data transfers originating from the UK. At the time of writing, the ICO plans to publish further guidance on the IDTA, which we will keep you updated on!

So, what does this mean for UK-businesses transferring personal data outside of the UK?

Between 21st March and 21st September 2022, businesses have a grace period during which they may either implement the IDTA/Addendum or continue using the old SCCs. Effectively, businesses based in the UK can use the European SCCs or begin to use the IDTA/Addendum for relevant transfers during this grace period.

However, once this grace period is complete, from 22nd September 2022 all businesses must put the IDTA or the Addendum in place for any new deals involving relevant data transfers.

By 21st March 2024, all businesses must stop relying on the European SCCs and ensure that the IDTA/Addendum is incorporated into their contracts and applies to all relevant data transfers.

This may mean that a significant number of commercial contracts and data transfer arrangements need to be reviewed in order to incorporate these new requirements.

Why do we need data protection laws?

We live in a world where almost everything is done online, whether that is ordering clothes or services, using social media or doing business. For these reasons, our personal data is constantly being used online, and it is therefore essential to have legislation in place to protect this data. However, a downside to the improvement of technology is that data is easily accessible to cyber criminals if it is not protected sufficiently. Unfortunately, individuals can be at risk if their personal data is accessed by the wrong people without their consent, which could lead to identity theft or even physical harm. Globally aligning data protection legislation is crucial in order to maintain this goal of securing data, as so many activities nowadays are carried out internationally.

As a business, being compliant with data protection laws demonstrates your care for individuals’ information, which is beneficial for your reputation.

Consequences for non-compliance

On a more commercial note, data protection authorities (including the ICO) are able to impose fines if entities are non-compliant with applicable laws.

By way of example, under the European Union’s data protection legislation, the General Data Protection Regulation 2016/679 (GDPR), the authorities can issue fines of up to €20 million or 4% of worldwide turnover for the previous financial year, whichever is higher.

In UK terms, the higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have, and any transfers of data to third countries. If there is an infringement of other provisions which are more administrative in nature, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Contact us if you think the UK IDTA/Addendum could impact you and you require further advice on the matter, including assistance implementing the relevant documentation by the deadline!
