The United Kingdom has finalized, and laid before Parliament, its International Data Transfer Agreement (“IDTA”).  The new IDTA will come into force on 21 March 2022, together with a supplemental document to the new EU Standard Contractual Clauses (“UK Addendum”) and transitional provisions, to address requirements under the UK GDPR and UK Data Protection Act.

Together, the IDTA, UK Addendum, and transitional provisions will replace use of the previous EU Standard Contractual Clauses approved by the European Commission (“Directive SCCs”) under the UK GDPR.

What does this mean for companies?  In terms of timing, contracts concluded on or before 21 September 2022 on the basis of the Directive SCCs continue to provide appropriate safeguards until 21 March 2024 for the purposes of the UK GDPR, as long as the processing operations and the subject matter of the contract remain unchanged, and reliance on those Directive SCCs ensures that the transfer of personal data is subject to appropriate safeguards.  This means organisations will be afforded time to update existing agreements based on the Directive SCCs.

For any new contracts involving data transfers from the UK, however, the UK Addendum or the IDTA will need to be used going forward.

Further Information.  To read more about this development from the Information Commissioner’s Office, click here.  If you have any questions about this or any other privacy law, please do not hesitate to reach out to one of the Contacts listed below.

Author

Ben advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches. Ben is also regularly involved in drafting and negotiating data protection clauses in agreements for various clients in a wide range of industry sectors. Ben also regularly advises clients on electronic direct marketing and cookies.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.