In 2022, the UK ICO published the International Data Transfer Agreement (“IDTA”) and the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (“the Addendum”). In short, the UK’s answer to the EU’s Standard Contractual Clauses for helping legitimise cross-border transfers of personal data.
When announced, businesses were told that the EU SCCs would no longer be deemed to provide “adequate safeguards” and that as a result:
- all new UK data transfer agreements executed on or after 21 September 2022 would need to incorporate the Addendum or IDTA; and
- all existing agreements incorporating the old standard contractual clauses would need to be updated by 21 March 2024.
This follows a similar sunset arrangement for the revised EU SCCs which has already passed.
With that deadline fast approaching, business may want to consider re-visiting agreements entered into prior to 21 September 2022 to ensure that any EU SCCs are either replaced with the IDTA, supplemented with the Addendum, or replaced with another transfer mechanism. For example, certain data transfers can now be made to the U.S. from the EU and UK via the adequacy decision for the Data Privacy Framework. Business should be particularly mindful that the requirements apply not only to formal, standalone data transfer agreements, but also to any agreement that involves the cross-border transfer of personal data to “third countries”.