Legal development

International transfers - Clock starts ticking for UK data transfer remediation

Insight Hero Image

    As of today, 21 March 2022, the UK's international data transfer agreement (IDTA) and the alternative addendum to the EU's standard contractual clauses (Addendum) are in force. Either, the IDTA or the EU standard clauses and Addendum can be used as your data transfer mechanism for transfers of personal data from the UK to third countries.  Organisations also need to carry out third country risk assessments and implement supplemental measures to address any risks identified. We are still awaiting the finalised guidance from the ICO on its approach to transfer risk assessments for UK transfers.   This is expected imminently and we will update you once this is released in final form.


    With all the changes surrounding international transfers in recent years and the two different positions in the UK and EU in recent months, many international organisations may have been burying their head in the sand rather than tackling what is likely to be a large remediation project. However, the approval of the IDTA and Addendum in parliament today is a significant step towards some degree of certainty in this area.

    By way of recap, since the judgment of the European landmark case of Schrems II in July 2020, data transfers have increasingly become an area of scrutiny and focus within the data protection world. Schrems II declared the privacy shield as an insufficient mechanism under which to transfer personal data under EU law (which at that time was also applicable to the UK).  It stopped short of declaring standard contractual clauses invalid. Instead it held that for such data to be transferred organisations should also undertake a transfer risk assessment to assess the laws of the country where the data is being sent to and to put in place supplemental measures to address any risk.  The new EU standard contractual clauses sought to address some of the issues highlighted in Schrems II and the European Data Protection Board ("EDPB") guidance on transfer risk assessments contains guidance on undertaking these assessments.  It is onerous in places and concludes in many cases that in many situations data should not be sent to jurisdictions such as the USA in an identifiable form.  Much uncertainty has followed, showcased recently with a number of European decisions finding that the use of Google Analytics (involving a transfer of personal data to Google in the United States) was unlawful. 

    Here in the UK, we have been awaiting the ICO practical guidance on this decision as EDPB guidance is no longer applicable in the UK.  Over the last year the ICO has been consulting on the IDTA, Addendum and transfer risk assessment guidance.  We now have the first piece of this jigsaw (the standard form agreements) in a settled final form. 

    What does this mean in practice for you?

    In practice, this means that before undertaking any transfer of personal data from the EU or UK to a third country which has not been granted an adequacy decision by the EU or UK you will need to:

    • incorporate into new/existing contracts, the new EU standard contractual clauses or the UK's IDTA/Addendum as applicable;
    • undertake a transfer risk assessment; essentially assessing the laws and practices of the country to which personal data is being sent; and
    • implement supplementary measures (technical, organisational and/or contractual in nature) to address any risks identified.

    Organisations can no longer simply append standard contractual clauses to a contract; instead any data transfer and the laws of the recipient country must be thoroughly scrutinised and assessed before proceeding.  Organisations should be aware that data transfers may not always be obvious.  Access from a country, such as allowing a VPN access from India, amounts to a transfer of personal data to India.  Permitting your IT service providers to host or sub contract the hosting of data or IT support from third countries, will mean that a data transfer is occurring. The enormity of these compliance measures cannot be overstated.

    What should you be focusing on?

    • Implementing an international data transfers compliance project, which as a minimum will include:
      • Data mapping so that you know what data is going where
      • A risk tolerance strategy, to create some certainty for the business who will be requiring some parameters in which they can operate
      • Preparation of key standard documents (data transfer agreements, template transfer jurisdictional risk assessments and potential supplemental measures)
    • Incorporating into your new and existing agreements the new EU standard contractual clauses or the UK's IDTA/Addendum as applicable; noting the below deadlines for doing so:

    How can we help? 

    Here at Ashurst, our dedicated data protection practice can help you navigate this new area of data protection law and work with you to map out your international data transfers compliance project by providing a fully tailored and bespoke package to meet your needs, flexing up or down as needed. This could take the form of providing a full end to end international data transfers compliance offering or working with you on discrete aspects.

    If you would like to discuss how we could support you or if you would like to discuss what the impact of data transfers means for your organisation, please contact us.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.


    Stay ahead with our business insights, updates and podcasts

    Sign-up to select your areas of interest