In 2022, the UK ICO published the International Data Transfer Agreement (“IDTA”) and the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (“the Addendum”). In short, the UK’s answer to the EU’s Standard Contractual Clauses for helping legitimise cross-border transfers of personal data.

When announced, businesses were told that the EU SCCs would no longer be deemed to provide “adequate safeguards” and that as a result:

  • all new UK data transfer agreements executed on or after 21 September 2022 would need to incorporate the Addendum or IDTA; and
  • all existing agreements incorporating the old standard contractual clauses would need to be updated by 21 March 2024.

This follows a similar sunset arrangement for the revised EU SCCs which has already passed.

With that deadline fast approaching, business may want to consider re-visiting agreements entered into prior to 21 September 2022 to ensure that any EU SCCs are either replaced with the IDTA, supplemented with the Addendum, or replaced with another transfer mechanism. For example, certain data transfers can now be made to the U.S. from the EU and UK via the adequacy decision for the Data Privacy Framework. Business should be particularly mindful that the requirements apply not only to formal, standalone data transfer agreements, but also to any agreement that involves the cross-border transfer of personal data to “third countries”.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.

Author

Samuel Thomson is a trainee associate in the Debevoise London office.