United Kingdom Flag

On 2 February 2022, the UK Information Commissioner’s Office (ICO) published the final form of its much-anticipated new International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses.

The IDTA, EU Addendum, and transitional provisions will now lay before Parliament and (unless objectives are raised, which is unlikely) become effective on 21 March 2022. Once effective, the IDTA and EU Addendum will replace the previous EU Standard Contractual Clauses (EU SCCs) and constitute the United Kingdom’s version of the EU SCCs.

Key takeaway points for employers include the following:

  • Provided that no objections are raised by Parliament, the IDTA and EU Addendum will become effective on 21 March 2022.
  • Any contracts entered into on or before 21 September 2021 on the basis of the “old” SCCs will continue to provide appropriate safeguards for the purposes of the UK General Data Protection Regulation (GDPR) until 21 March 2024.
  • From 21 March 2024, if an employer’s restricted transfers continue, the employer may make a restricted transfer under the UK GDPR by:
    • entering into a contract on the basis of the IDTA;
    • the EU Addendum (where EU SCCs are already in place, the EU Addendum may be annexed to the EU SCCs in order to satisfy the requirements of the UK GDPR);
    • Binding Corporate Rules; or
    • if the receiver is located in a third country or territory or is an international organisation, its coverage by UK “adequacy regulations” (see list of covered countries and territories).

Conducting a transfer risk assessment (TRA) continues to be a requirement in the United Kingdom, as it is in the European Union. A TRA is required to make sure that the actual protection provided by the IDTA or EU Addendum, given the actual circumstances of the restricted transfer, is sufficiently similar to the principles underpinning UK data protection laws.

The ICO’s consultation also featured a draft international TRA and tool. Work on the draft is not yet complete.


Browse More Insights

Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly and transmits easily. As the law adapts to technical advancements, we effectively advise our clients as they work to comply with new developments and best practices for protecting the privacy of the data that their businesses collect and retain.

Learn more
Glass globe representing international business and trade
Practice Group

Cross-Border

Often, a company’s employment issues are not isolated to one state, country, or region of the world. Our Cross-Border Practice Group helps clients with matters worldwide—whether involving a single non-U.S. jurisdiction or dozens.

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now