Data for your diary
21 March 2024 marks last day for relying on old EU Standard Contractual Clauses for International Transfers from the UK
21 March 2024 is the deadline for some important spring cleaning for any organisations still making international data transfers from the UK using the “old” EU standard contractual clauses issued by the European Commission in 2001 and 2010 (old EU SCCs).
Where such contracts were entered into prior to 21 September 2022 there is currently a grace period to allow an alternative transfer mechanism to be identified and implemented. However that implementation window is about to expire, and from 21 March 2024 such transfers will no longer be valid under UK law. Accordingly, if you need to continue making these international transfers after that date you must enter into a new contract on the basis of an approved alternative transfer mechanism.
Alternative options include the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the new EU Standard Contractual Clauses (Addendum).
Steps to take Before 21 March
It would be easy to be caught out by the expiry of what was a fairly generous implementation period. In the weeks running up to the 21 March deadline organisations should be looking to review their international data transfers from the UK to identify any that are still taking place in reliance on the old EU SCCs.
Where such contracts still exist they will need to be re-assessed and replaced by an approved alternative which is appropriate to the circumstances of each individual transfer.
If you wish to rely on the IDTA or the Addendum as an alternative you will also need to conduct a Transfer Risk Assessment (TRA) to satisfy yourself (and potentially the Information Commissioner’s Office (ICO)) that the protections offered by UK data protection law will not be undermined if the transfers continue on the basis of the chosen transfer mechanism.
The ICO’s updated guidance on International Transfers contains helpful practical advice and worked examples , but as this can be a complex area, legal advice should also be sought.
Please contact James Quartermaine from our Data Privacy team for further information.
James Quartermaine
James Quartermaine is a legal director in our data privacy team, advising clients on a wide range of privacy and data protection issues.
- Legal Director
- T: +44 (0)20 3750 2494
- Email me
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.