Morrison Foerster is an international law firm with lawyers practicing throughout the United States, Asia, and Europe. Click to discover more.

mofo_share_image.jpg

Morrison Foerster

common-default.jpeg

Terms / Notices

Cookies

Privacy Policy

Reporting Hotline

Attorney Advertising

Alumni

  Linkedin

MoFo LinkedIN

  Facebook

MoFo Facebook

YouTube

MoFo Youtube

Morrison Foerster - Footer

A MoFo Privacy Minute Q&A: The UK’s Deadline to Conclude New Standard Contractual Clauses for Existing Contracts Approaches

You have not solved the recaptcha challenge yet or session expired, try again.

Email Disclaimer

Disclaimer

Unsolicited e-mails and information sent to Morrison Foerster will not be considered confidential, may be disclosed to others pursuant to our <a href="https://www.mofo.com/about/privacy-policy.html">Privacy Policy</a>, may not receive a response, and do not create an attorney-client relationship with Morrison Foerster. If you are not already a client of Morrison Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.

Feedback

mofo-logo-2022.svg

People

Capabilities

Resources

About

Culture

Offices

Careers

Stay Connected

This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.

About Morrison Foerster

people-default-header-desktop.jpg

people-default-header-mobile.jpg

Default Meta Data

This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.Question: My business still relies on the old EU Standard Contractual Clauses under Directive 95/46/EC (“old EU SCCs”) as a data transfer mechanism when transferring personal data subject to the UK GDPR outside the UK (a “restricted transfer”).By when does my business need to replace the old EU SCCs? Answer: As of March 21, 2024, businesses subject to the UK GDPR (“UK businesses”) that carry out restricted transfers to countries without a UK adequacy decision can no longer use the old EU SCCs as a data transfer mechanism. Instead, they will have to rely on the UK International Data Transfer Agreement (IDTA) or the new EU Standard Contractual Clauses with the UK Addendum (“UK SCCs Addendum”), unless the business has obtained a UK Binding Corporate Rules authorisation or can rely on an exemption for the restricted transfer. This means UK businesses that routinely carry out restricted transfers subject to the UK GDPR should review their data transfer mechanisms in case they are required to implement either the IDTA or UK SCCs Addendum.Under the EU GDPR, businesses are required to use the new EU Standard Contractual Clauses (“new EU SCCs”) or another valid data transfer mechanism. However, when the UK government adopted the IDTA and UK SCCs Addendum in February 2022, it provided a transitional period whereby UK businesses were required to switch to the IDTA or UK SCCs Addendum by September 21, 2022 for new contracts but had until March 21, 2024 to update their existing contracts.As a reminder, the UK SCCs Addendum incorporates and adapts the new EU SCCs so they work under UK law. In contrast, the IDTA is structured slightly differently but covers issues not addressed by the new EU SCCs or the UK SCCs Addendum (such as the ability to rely on the IDTA as a transfer mechanism when the data importer is outside the UK but subject to the UK GDPR). Over the past two years, many UK businesses have chosen to use the UK SCCs Addendum rather than the IDTA for their restricted transfers, given their existing familiarity with the new EU SCCs, and for simplicity when the UK business is facilitating data transfers subject to both the EU GDPR and UK GDPR. We note, however, there are some benefits to relying on the IDTA when the restricted transfer is only subject to the UK GDPR but not the EU GDPR.In addition, and as discussed in more detail in our <a href="/resources/insights/221201-a-step-but-not-quite-a-leap" target="_self">client alert</a>, UK businesses will also need to conclude a transfer risk assessment (TRA) when carrying out a restricted transfer. Recently, the UK Information Commissioner’s Office (ICO) confirmed that UK businesses making restricted transfers to businesses in the United States (see our <a href="/resources/insights/240109-building-bridges-a-qa-about-the-uks-extension" target="_self">article</a>) can simplify and replace their TRA with <a href="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/international-data-transfer-agreement-and-guidance/transferring-personal-information-to-the-us/" target="_blank">template language proposed by the ICO</a>.Michal Pati, London trainee solicitor, contributed to the drafting of this alert.

A MoFo Privacy Minute Q&A: The UK’s Deadline to Conclude New Standard Contractual Clauses for Existing Contracts Approaches

Sign Up

Annabel is a partner at Morrison Foerster and co-Managing Partner of the London office. As a member of our renowned global data privacy team, Annabel specializes in employee data protection and data crisis management. Described by clients as “excellent, very pragmatic , efficient and completely client-oriented”, she works across a variety of sectors, including technology, retail, and financial services, and frequently manages multi-jurisdictional advice for international clients. Her practice includes advice on:<ul><li>cross-border labor and employment matters</li><li>employee litigation</li><li>data privacy compliance management</li><li>data security breach management</li><li>internal and regulatory investigations</li></ul>Annabel regularly helps senior management and HR executives with the “people” aspects of takeovers, restructuring projects, business and share sales, and outsourcings. She also advises employers in relation to sensitive claims, such as unlawful discrimination, equal pay, and whistleblowing. Annabel also advises on team moves.She supports her clients on all aspects of General Data Protection Regulation compliance and regularly advises organizations facing ICO enforcement action. She has developed particular specialties in complex areas, such as the collection and use of data relating to criminal offenses and the application of data protection law to insolvency practitioners.As an experienced litigator with experience in helping clients defend group litigation, Annabel helps clients develop their strategy for responding to regulatory action and court claims relating to the use of employee and customer personal data. She regularly designs and presents employment and data protection law training and updates to senior managers and HR executives and is involved in preparing responses to UK government consultations.In addition, Annabel is qualified to practice in the British Virgin Islands, where she spent three years advising on cross border commercial litigation and insolvency matters, including high value board and shareholder disputes, freezing orders, and third-party disclosure orders.

Annabel Gillham

Managing Partner, London

Mercedes Samavi is a member of both the Technology Transactions Group and the Global Privacy Group.She advises domestic and international clients in relation to commercial contracts, tech licensing, digital regulatory compliance, outsourcing, and M&A and investment deals. As part of her privacy work, Mercedes advises clients on a spectrum of complex privacy compliance matters, ranging from developing global and pan-European privacy programmes and strategies, responding to regulatory requests and investigations and implementing data protection contractual arrangements. In the words of her clients, “Mercedes Samavi is incredibly responsive and a dream to work with. Nothing is ever too much trouble, she will always go the extra mile to ensure the client’s needs are met, and her legal expertise is exceptional and her advice always delivered in a practical, realistic way for the client.” (Legal 500 UK).In addition, Mercedes is involved with the firm's extensive pro bono practice and has worked for a variety of clients, including UK and international charities, third sector organisations and social impact businesses. Her pro bono work has been recognized by Morrison Foerster, which awarded her the 2019 Kathi Pugh Award for Pro Bono Service.She has also spent six months in each of the firm's Singapore and DC offices, as well as providing support on multiple client secondments across a a wide variety of sectors.﻿Mercedes is qualified as a solicitor in England and Wales. She is fluent in Farsi.

Mercedes Samavi

Of Counsel

Dan Alam is a member of Morrison Foerster’s Global Privacy + Data Security and Employment + Labor Groups, based in London.A dynamic lawyer and pragmatic problem solver, Dan supports clients on their contentious, advisory and transaction-related data protection and employment issues on a UK, pan-European and global level. He is described by Legal 500 UK as advising on the “intersection of employment and data protection law”.He regularly works on multijurisdictional projects, and advises clients in a variety of sectors, such as those operating in the technology, media, insurance, pharmaceutical, hospitality, retail, shipping and logistics industries.Dan has a wide breadth of experience advising on a range of complex matters, such as supporting clients with deploying artificial intelligence (AI) systems, responding to data security incidents and creating comprehensive whistleblowing compliance programs. Dan also regularly assists clients with internal investigations and their dealings with data protection regulators.Dan is a founding member and a main contributor to MoFo’s <a href="/gdpr-european-privacy/whistleblowing" target="_self">Whistleblowing Resource Center</a>, which is relied upon by many organizations to support their compliance efforts, and is also leveraged by Thomson Reuters Practical Law to provide <a href="https://uk.practicallaw.thomsonreuters.com/w-034-1767?transitionType=Default&contextData=(sc.Default)&firstPage=true" target="_blank">updates</a> to its subscribers. Dan has been closely monitoring the implementation of the European Union (EU) Whistleblowing Directive since its inception. He has presented on and advised clients on the implementation of the Whistleblowing Directive across the EU, and regularly provides practical advice to clients on the new requirements and how to incorporate them into their global whistleblowing and investigations processes. Examples of Dan’s other experience include:<ul><li>Advising technology companies and a global logistics and delivery company on the launch of new products, including those involving AI.</li><li>Providing support to clients on how to comply with cross-border data transfer and data localization restrictions.</li><li>Helping to respond to regulatory requests from the UK Information Commissioner's Office (ICO) and other data protection regulators, including in relation to direct marketing, the collection and use of children’s data and the ICO’s Children’s Code and data security incidents.</li><li>Advising on age assurance mechanisms and obligations under the UK Online Safety Act.</li><li>Defending clients against claims for compensation in respect of alleged breaches of privacy and data protection law.</li><li>Negotiating data processing agreements on behalf of clients acting as controllers and/or processors.</li><li>Providing specialist data protection and employment support on various public and private transactions, with particular experience advising on the acquisition of technology and AI companies.</li><li>Guiding employers on their employee monitoring practices and the collection of diversity and inclusion data.</li><li>Representing the administrators of a technology company in respect of an asset sale of its business, advising on collective redundancy and Transfer of Undertakings (TUPE) issues.</li><li>Participating in industry working groups to respond to government consultations on employee data protection issues.</li></ul>Before joining Morrison Foerster, Dan spent two months working at the Irish Data Protection Commission.Dan actively contributes to the firm’s pro bono initiatives by working for a variety of charities and NGOs. In addition to assisting organisations on data protection and employment matters, he also advises on social security and statelessness issues. Dan was part of the collaboration between Asylum Aid and various law firms that was recognized with the “Excellence in Pro Bono” Award by the Law Society of England and Wales in 2021 for work addressing the issue of statelessness in the United Kingdom. Dan is also co-chair of the Morrison Foerster London ethnic minority network – MoFo Together.Dan is qualified as a solicitor in England and Wales.

Dan Alam

Associate

Privacy + Data Security

United Kingdom