New Model Clauses for Personal Data Transfers Outside the UK

New Model Clauses for Personal Data Transfers Outside the UK

The Information Commissioner’s Office (ICO), the UK’s privacy regulator, issued in February 2022 new standard contractual clauses (also known as model clauses) (thereafter the “new UK SCCs”) concerning data transfers outside the UK, as part of its data regime reform, which was launched in September 2021 with its public consultation.[1]

As explained in our previous article on the topic, following Brexit, the UK government is striving towards constructing a new legal framework to regulate the UK data protection field. This will result in the replacement of the data protection framework put into place to avoid a void in the legislation after the effective date of the UK leaving the EU, known as the “UK GDPR”. The expected adoption of the new UK SCCs is consistent with this logic.

By proposing these new SCCs, the UK has followed in the EU’s steps. Indeed, the European Commission issued in June 2021 new EU SCCs for the transfer of personal data outside of the EU. For more on these new EU SCCs please see our article in our blog. These new SCCs came into effect after the transition period, which ended on September 27, 2021 (companies were allowed to continue using the old EU SCCs for new transfers outside of the EU until such date).

If approved by the UK Parliament, the new UK SCCs will become effective as of March 21, 2022, meaning that companies transferring personal data outside the UK will have to base new contracts signed as of September 21, 2022, on them. It is to be noted that companies will have until March 21, 2024, to renegotiate and update existing contracts based on current SCCs that were concluded before September 21, 2022.

What exactly are SCCs?

As a quick reminder, SSCs are standard contractual clauses regulating data transfers between the UK and third countries which do not benefit from an adequacy decision from the UK[2]. They aim to ensure appropriate data protection safeguards, thus playing the role of a reliable mechanism for data transfers. These international transfer tools must be used for all personal data transfers outside the UK. Currently, companies transferring data from the UK rely on the old EU SCCs, since the UK has not completely recognized the new EU SCCs and has chosen to develop its own SCCs. In practice, if the new UK SCCs obtain parliamentary approval, companies will have the option to use the new EU SCCs, if a specific addendum is used simultaneously, as detailed below.

So, what’s new?

The new UK SCCs are comprised of (1) an international data transfer agreement (IDTA) and (2) an addendum to the new EU SCCs (addendum).

The IDTA is quite similar to what was introduced under the new EU SCCs. For instance, the obligation for data exporters to undertake a transfer risk assessment of local laws, practices, and risks is also found in the IDTA, However, there are some points on which the IDTS differs from the EU SCCs. Amongst other things, the IDTA has a broader scope, meaning that it can be used in a more situations, such as for transfers from sub-processors to processors[3]. Furthermore, there is a possibility for the parties to seek recourse through arbitration instead of bringing a claim in a court[4], whereas the EU SCCs do not offer such possibility.

Concerning the addendum, it is to be used together with the new EU SCCs. As the name of this document indicates, it is additional material to the EU SCCs. Consequently, the addendum will be used when a contract is already based on the new EU SCCs, whereas the IDTA will be used when the parties do not directly base their contract on the new EU SCCs.

What does it mean for companies?

Since the new UK SCCs are still pending parliamentary approval, companies transferring personal data outside the UK can still rely on the current UK SCCs for the drafting of contracts. They can also decide to already switch to the new UK SCCs, but should keep in mind that they might have to amend the concerned contracts if objections are raised in Parliament to the present form of the new UK SCCs. In all cases, companies and actors of the UK personal data field should closely follow the progress of these new international transfer tools. If the new UK SCCs are accepted by Parliament, companies will no longer have the possibility to use the old UK SCCs as of September 21, 2022, and will have to update contracts signed before such date, which include the old UK SCCs before March 21, 2024.

[1] The public consultation on reforms to the UK’s data protection regime was closed ran from 10 September 2021 to 19 November 2021.

[2] An adequacy decision permits a cross-border data transfer outside the UK, or onward transfer from or to a party outside the EU without further authorisation from a national supervisory authority.

[3] See Table 2 of the IDTA.

[4] See section 35 of the IDTA.

Recent Posts

Receive our future articles*



* When you provide us with your email address for the purpose of subscribing to our newsletter, you expressly consent to the processing of your personal data in order to allow us to manage your subscription to our newsletter and send it to you. You can withdraw your consent and unsubscribe to our newsletter at any time through our “Contact us” form. For further information on how we collect and use your personal information through your use of our website, please read our privacy policy.

Open chat
Hello, how can we help ?