Personal Data Sharing: New Contractual Requirements

For UK organisations sending personal data abroad, the last two years have proved to be challenging and often confusing.

The demise of the Privacy Shield framework with the USA, the implications of the Schrems judgment requiring additional security checks, and Brexit have combined to create much uncertainty as to how UK organisations can remain compliant when sending personal data abroad.

The current situation when transferring personal data abroad is far from ideal, with organisations being required to use outdated contractual arrangements which still refer to the UK as being part of the EU. At a very basic level, the contracts that UK organisations are required to enter into when sending data abroad simply do not reflect post-Brexit reality.

However, the situation has recently changed, and the change will (to some degree) clarify and streamline the position for international data transfers.

New international data sharing instruments have, this month, been placed before Parliament and are likely to become effective on 21 March 2022. While not formally effective until March, the Information Commissioner’s Office does not anticipate any objection to the new arrangements and has stated that the instruments are “of immediate use” for organisations undertaking international data transfers.

The instruments offer organisations two options: the International Data Transfer Agreement or the International Data Transfer Addendum. The former is a standalone agreement for international data sharing, whereas the latter acts as an amendment to the EU Standard Contractual Clauses for UK use.

As matters stand, it is not immediately clear which of the two instruments should be used and when. Further guidance from the ICO is awaited. However, it seems likely that organisations with links to Europe will favour the Addendum to ensure consistency of approach with their EU counterparts, whereas organisations sharing data with other parts of the world may choose to use the Agreement. The Agreement, however, does not go as far as it could in terms of simplifying data sharing arrangements and still requires controllers and processors to enter into a separate processing agreement in order to meet the requirements of UK GDPR.

While the introduction of the new data sharing arrangements will not require organisations to take any immediate steps to change their data sharing arrangements, it will be necessary to revisit data sharing procedures in due course.

Data sharing agreements concluded on or before 21 September 2022, using the EU standard contractual clauses for sending data out of the UK, will remain effective until 21 March 2024.

From 21 March 2024, UK organisations will need to use the International Data Sharing Agreement or Addendum for all transfers of data out of the UK.

In effect, organisations will need to start using the Agreement or Addendum from 21 September 2022 for all new data sharing agreements and ensure that all existing agreements are replaced by the Agreement or Addendum from 21 March 2024.

BTO’s Data Protection Team can guide you through these changes and assist with all of your data protection needs.

Lynn Richmond, Partner, Accredited Specialist in IP and Certified Specialist in Cyber Security.

lyr@bto.co.uk / 0131 222 2934