Data Protection: Time is up for the old EU Standard Contractual Clauses for international data transfers

It seems like only yesterday we wrote about the ICO’s new International Data Transfer Agreement (IDTA) and the UK Addendum to the EU’s Standard Contractual Clauses (UK SCCs) but in fact it was almost two years ago.

The ITDA and the UK SCCs are mechanisms that organisations subject to UK GDPR can use to enable lawful exports of personal data to other countries whose laws do not offer adequate legal protection to data subjects. The IDTA and UK SCCs are intended to create binding contractual obligations equivalent to the requirements of UK GDPR between the data exporter and the data importer. For data transfers to countries which fall within the UK Government’s adequacy decision an IDTA or UK SCCs are not required[1]. This includes all countries of the EEA and a relatively small number of other countries with full adequacy[2]. Canada, Japan and the USA have partial adequacy (see our article for more information about the UK-US Data Bridge arrangements).

The UK SCCs incorporate the latest version of the EU SCCs which took effect from September 2021. In the UK, the old EU SCCs ceased to be valid for new contracts from September 2022 but for existing contracts data exporters were permitted to continue to rely on the old EU SCCs. However, with effect from 21 March 2024 data exporters subject to UK GDPR can no longer rely on the old EU SCCs and need to take steps to replace them.

What do you need to do now?

1. You should review the various international data transfers being made by your organisation.
2. In respect of data being transferred to a country on the adequacy list, or if partial adequacy applies, no further action is required.
3. Where adequacy decisions do not apply, you should review the contractual arrangements with data importers. If you are still using the old EU SCCs you will need to replace them with the IDTA or the UK SCCs. Whether you select the IDTA or UK SCCs may depend on whether your organisation is subject only to UK GDPR or is also subject to EU GDPR, in the latter case, using UK SCCs rather than IDTA may be more practical.
4. You should also check that your privacy notices and policies to ensure refer to UK GDPR and the IDTA or UK SCCs rather than the EU GDPR and the old EU SCCs.

In practice and due to increased awareness of UK GDPR data export requirements among the larger international data importers, it is unlikely that there will be a substantial number of arrangements to be replaced. That said, it is a timely reminder of the need for data exporters to undertake regular international data transfer risk assessments and ensure that their international data transfer arrangements, privacy notices, policies and procedures keep pace with developments in the law and technology.

For further information please contact Anne Todd or Emily Aggett in our Data Protection & Privacy Team.

[1] A data processing agreement is still required between the controller and processor in the usual way.

[2] At the time of writing: Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.