The data transfer mechanisms include the new International Data Transfer Agreement (“IDTA”) and the new International Data Transfer Addendum to the EU Standard Contractual Clauses (“UK Addendum”). As of September 21, 2022, new contracts and relationships that contemplate the cross-border transfer of the UK personal data cannot rely on the EU Standard Contractual Clauses (“SCCs”).

Application and Effective Date

The new UK data transfer mechanisms are currently set forth a grace period after becoming effective. However, that grace period expired on September 21, 2022.

For relationships or contracts that only contemplate the transfer of UK personal data, the IDTA provides standard contractual clauses that must be incorporated. The IDTA is essentially the UK’s version of the EU’s new SCCs, which became effective this past summer.

For relationships or contracts that contemplate the transfer of UK personal data as a part of a larger set of personal data that includes EU personal data, the UK Addendum can be used as a supplement to the EU SCCs—as an extra annex or appendix to the EU SCCs.

Additionally, the UK Addendum can only be used in contracts that are governed by the new EU SCCs; otherwise, the IDTA must be used.

For contracts that were entered into prior to September 21, 2022, the EU SCCs can continue to be the contractual basis for appropriate safeguards until March 21, 2024. After March 21, 2024, old contracts that continue to rely on the EU SCCs will need to be amended to incorporate either the IDTA or UK Addendum.

Background and Need for Separate UK Data Transfer Mechanisms

In January 2021, when the UK formally left the European Union (“EU”), the UK became a “third country” outside of the scope of the EU’s General Data Protection Regulation (“GDPR”). Therefore, the GDPR no longer applies to the UK. To address this shift, the UK amended their existing Data Protection Act of 2018 to incorporate the GDPR’s requirements and principles to form the UK GDPR. The two laws—the GDPR and UK GDPR—are identical in what they require business and organizations to do in terms of privacy and data protection, except for the fact that the GDPR is applicable to (and only enforceable by) the EU, while the UK GDPR is only applicable to (and only enforceable by) UK government entities.

For data transfers from the EU to the UK, businesses and organizations can rely, and have relied on, a 2021 adequacy decision by the EU Commission determine that the UK provided adequate privacy rights and data protection requirements.

Cross-Border Data Transfer

Both the GDPR and UK GDPR have similar cross-border data transfer requirements. In order for businesses and organizations subject to the UK GDPR to transfer personal data from the UK to another country, there are three options: (1) the country must provide adequate data protection and privacy laws; (2) there must be appropriate safeguards in place; or (3) an exception must apply. Exceptions include express, separate consent from the individual whose personal data is transferred or transfers pursuant to the public interest or assertions or legal rights.

Like the US relationship with the EU under the GDPR, the US is not deemed to provide adequate data protection and privacy laws under the UK GDPR. Without an exception to allow the data transfer, businesses and organizations must ensure the entity receiving the personal data in the other country (i.e., the US), has appropriate safeguards in place to adequately protect the personal data.

This is where the two new UK data transfer mechanisms apply. The new data transfer mechanisms offer two new avenues business and organizations can take in complying with the UK GDPR cross-border data transfer requirements.