Time to replace the old SCCs from Europe: the final countdown

Most organisations will make international transfers of personal data, ranging from small-scale or one-off transfers (eg for a particular HR project) through to regular, business-critical transfers of potentially sensitive personal data (eg reporting to head office in the US). In each case, the UK GDPR’s international data transfer regime applies.

From 21 March 2024, the old versions of the "Standard Contractual Clauses" (SCCs) issued by the European Commission under the 1995 Data Protection Directive (old EU SCCs) will no longer provide a valid mechanism for UK based organisations to export personal data. The old EU SCCs are a widely used contractual mechanism providing a lawful basis for the transfer of personal data from the UK to other countries.

This article explores the implications of this deadline for UK based data exporters and identifies the alternative contractual transfer mechanisms for use after 21 March 2024.

What is the UK’s international data transfer regime?

Chapter 5 of the UK GDPR sets out the rules for the transfer of personal data to data importers located outside of the UK. The rules apply to all international transfers of personal data and there is no de minimis exception, meaning that the rules apply even to small-scale and low-volume transfers of personal data. That said, the UK GDPR does incorporate the European principle of "proportionality" and the Information Commissioner’s Office (ICO) will take a risk-based approach to enforcement of these rules.

UK based data exporters can rely on one of several "mechanisms" to transfer personal data to another country lawfully, ie in a manner that complies with the Chapter V UK GDPR rules. The principal mechanisms underpinning lawful transfers of personal data are:

  • Transfers of personal data to countries that are covered by "adequacy regulations" (eg the 27 EEA countries, the three EFTA states, Gibraltar, the Republic of Korea, and 13 other countries that have a full or partial finding of adequacy, as listed on the ICO’s website).
  • Transfers of personal data based on "appropriate safeguards" to ensure that an individual’s data is suitably protected and their privacy rights are enforceable. The most common way of implementing these "appropriate safeguards" is using the "standard contractual clauses" (including the old EU SCCs) or a newer mechanism, referred to by the ICO as the "standard data protection clauses" as explained below. Much more rarely, large multi-national businesses may compile their own set of "binding corporate rules" and have those approved by the ICO or another data protection regulator.
  • Transfers of personal data that fall within one of the eight "derogations" (exceptions) in Chapter 5 of the UK GDPR. These exceptions are to be construed narrowly and should be used cautiously but they can cover, for example, situations where it is necessary for a data exporter to send personal data to an individual they have a contract with (provided that only that person’s data is sent, for the purpose of performing that contract), or where exporting personal data is necessary to perform a contract which is made for the benefit of the data subject(s).


The "standard contractual clauses" are the most commonly used mechanism for making restricted data transfers to countries that do not have an adequacy decision. They are often incorporated into a contract between a data exporter and data importer (eg the SCCs may be annexed to the standard terms and conditions of software-as-a-service providers based in the United States). These model clauses impose contractual obligations on both the data exporter and (primarily) the data importer and they grant rights to individuals whose personal data are being transferred.

The UK’s "new" transfer mechanisms

For a number of years, the old EU SCCs have operated as the standard contractual mechanism used to regulate the transfer of personal data from the UK to a third country. However, following the UK’s exit from the European Union, and the CJEU’s judgment in the Schrems II case from July, the ICO published two different sets of additional standard data protection clauses, which came into force on 21 March 2022:

  1. The International Data Transfer Agreement (IDTA). The IDTA is essentially the UK’s version of the European Union SCCs: it provides a contractual mechanism that incorporates model contractual clauses to ensure that restricted transfers occur with appropriate safeguards in place. The IDTA only works for data exports from the UK, as opposed to personal data being transferred outside of the EEA or elsewhere. It does however provide more of a "one size fits all scenarios" drafting style than the SCCs and it is arguably a bit easier to use with its "complete the boxes" checklist format.
  2. The International Data Transfer Addendum (UK Addendum). The Addendum is an "add-on" to the new EU SCCs which were issued by the European Commission under the EU GDPR on 4 June 2021 (new EU SCCs). The new EU SCCs are not valid for restricted transfers under the UK GDPR by themselves but they can be used with the UK Addendum to allow organisations to use the new EU SCCs for restricted transfers under the UK GDPR. This is useful for organisations with pan-European operations which will export personal data from both the EU (under the EU SCCs) and the UK (relying on the EU SCCs plus the UK Addendum).


Although these UK-specific data transfer mechanisms have been in force for some time, we are aware that many organisations have continued to rely on the old EU SCCs. While that has been fine until now, UK organisations should be aware that personal data transfers that rely on the old EU SCCs will no longer be valid from 21 March 2024.

This means that organisations should be reviewing their contracts that contain international data transfer provisions to ensure that any data transfers from the UK to a third country are based on either (1) the IDTA or (2) the new EU SCCs plus the UK Addendum.

What should organisations consider when reviewing contracts / international transfers of personal data?

We recommend the following steps to help organisations manage this process:

  1. Prioritisation: once the relevant agreements have been identified, organisations should prioritise the contracts that include “higher risk” data transfers. This will be particularly beneficial if organisations have a significant number of contracts that need to be updated by 21 March 2024. In those circumstances, we believe that organisations can justify taking a risk-based approach towards compliance. Whether or not a contract should be prioritised will depend on several factors, including: (i) the volume and sensitivity of the data being transferred under each contract, (ii) the value of the data being transferred, (iii) the value of the contract generally, (iv) the destination of the data importer, and (v) the existing transfer mechanism in place (if any).

    It is also worth keeping in mind that, other than the CJEU cases involving Facebook Ireland (the Schrems litigation), there has so far been very little enforcement action taken in relation to international personal data transfers under the GDPR. As such, organisations which can evidence their consideration of their various compliance obligations in relation to international data transfers and show that they are actively taking steps towards compliance should reduce the likelihood of facing enforcement action from the ICO.
  2. UK-US Data Bridge: the UK-US Data Bridge came into force on 12 October 2023. The UK-US Data Bridge is essentially an extension of the EU-US Data Privacy Framework (DPF) which provides a lawful basis for the transfer of personal data from the EEA to US organisations which have certified with the DPF. If a US organisation has been certified for the DPF and has signed up to the UK extension, organisations can make international data transfers from the UK to that organisation without implementing any additional appropriate safeguards.

    This is a significant development that will streamline international data transfers from the UK to the US. As such, organisations should check the DPF List for their US suppliers / contractual counterparties to see whether they are DPF certified. If they do appear on the List and have signed up to the UK extension, then there is no need to update the contract with them to include either (1) the IDTA or (2) the new EU SCCs plus the UK Addendum. Instead, transatlantic data transfers will be lawful as a result of the UK-US Data Bridge. If a US supplier is not on the List, it may still be worth asking that supplier directly whether it intends to apply for certification.
  3. Contract renewals: the updating of contracts for compliance with Chapter 5 of the UK GDPR does not have to be undertaken in isolation. If a contract is shortly due for renewal or set to expire, it would be efficient to update the contract to include either the IDTA or the new EU SCCs and the UK Addendum as part of the wider renegotiation. And since both the IDTA and the new EU SCCs / the UK Addendum have been available for some time, it is also entirely possible that agreements have been or are due to be updated by suppliers / data importers without a need to negotiate this in particular.
  4. Responsibility of suppliers: in some situations, it would be reasonable to require the data importer (often a supplier) to lead any contractual updates to include the IDTA or the new EU SCCs and the UK Addendum. This would be the case if an organisation has contracted on a supplier’s standard terms and conditions. In this scenario, we imagine that most suppliers will want their clients to use the same international data transfer mechanisms to ensure parity between clients, and as such it is in their interest to take the lead on updating the contracts.
  5. Implementation: once an organisation has identified and prioritised contracts appropriately, it will want to standardise the implementation process as much as possible. This will likely involve preparing a template letter to contractual counterparties either: (i) requesting that the existing contract is varied with updated international data transfer provisions, or (ii) suggesting that a separate international data transfer agreement sits alongside the existing agreement. In either case, an organisation can prepare a pre-filled IDTA or a copy of the new EU SCCs plus the UK Addendum to streamline the process.


This publication is a general summary of the law as at the date of publication. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, March 2024

About the authors

Alan Baker

Partner

Alan advises on all aspects of data protection law, commercial contracts and the use of information and intellectual property assets, as well as commercial regulatory issues. He helps clients to balance the sometimes competing objectives of minimising compliance risks and maximising commercial rewards.

Andrew Rogers

Associate

Andrew advises clients on a range of commercial, intellectual property (IP) and data protection issues.
