On August 11, the ICO launched a consultation on international data transfers and published a draft “International Transfer Risk Assessment and Tool” and a draft “International Data Transfer Agreement” (“IDTA”). The IDTA would replace the existing Standard Contractual Clauses for transfers of personal data from the UK.

The consultation is divided into three sections:

  1. Proposal and plans for updates to ICO guidelines on international data transfers;

  2. Transfer risk assessments; and

  3. the draft of the IDTA.

1. ICO Guide to International Data Transfers

The ICO has published guidelines on international data transfer on its website. As part of the consultation, the ICO is now asking for comments on proposals to update these guidelines, in particular with regard to:

  • the interpretation of Article 3 of the UK GDPR (the extraterritorial scope of the UK GDPR); and

  • the interpretation of Chapter V of the UK GDPR which governs restricted transfers from the UK.

These topics cover areas of concern to businesses such as:

  • whether the UK GDPR should inevitably apply to the overseas processor or the joint controller of a UK-based controller;

  • where a restricted transfer is expected to take place (e.g. whether this would involve returning data from a UK processor to a non-UK controller); and

  • the application of the exemptions under Article 49 of the UK GDPR, including the extent to which the exemptions can be invoked.

The feedback received may have an impact on the final positions the ICO takes on updated guidelines on international data transfers.

2. Transfer risk assessment

The ICO has published a draft of the “International Transfer Risk Assessment and Tool” (“TRA”), which is intended to assess the risks in connection with an international transfer of personal data and thus whether a “transfer mechanism” under Article 46 (such as the IDTA, if accepted) can be relied on.

The steps of the TRA include the consideration of:

  • the facts of the transfer, including the intended specific transfer (e.g. types of personal data, categories of data subjects, purposes of the transfer);

  • the particular facts about the destination country (e.g. the possibility of enforcing foreign judgments); and

  • the potential effects / damage for individuals, especially taking into account suitable protective measures to restrict third party access to the data.

The ICO points out that, when carrying out the assessment, data exporters only need to check the parts of the destination country’s regime that are relevant to the data transfer.

The TRA closely follows the recommendations of the European Data Protection Board (“EDPB”) on measures that may be required to complement the “transfer mechanisms” in Article 46 of the GDPR, published earlier this year after the Schrems II case. The key for the UK is to determine whether the destination country provides data subjects with a level of protection “substantially equivalent” to that of the UK regime.

3. The International Data Transfer Agreement (“IDTA”)

The IDTA, which will replace the current Standard Contractual Clauses for transfers of personal data from the UK, takes into account different types of transfer agreements. Depending on the transfer, the parties will have several options to choose from.

The IDTA consists of four parts:

  • tables to be completed for each relevant transfer, covering details such as the names of the parties, the personal data transferred and any security measures;

  • additional safeguard clauses if the TRA has determined that the data exporter needs to take additional security precautions;

  • trade clauses that the parties may wish to include, e.g. if there is a related agreement; and

  • mandatory clauses that must be adopted in their entirety, except to adapt cross-references, delete the sections that the parties have expressly agreed to include, and include other parties in the IDTA.

It’s worth noting that the ICO has also proposed that the new EU Standard Contractual Clauses published by the European Commission in June 2021 could be used as an alternative to the new IDTA for transfers of personal data out of the UK, subject to use of a “UK Supplement”. The UK Supplement replaces references to the EU data protection regime with UK law and addresses issues such as applicable law and choice of forum and jurisdiction to deal with disputes. This will be a relief for many controllers and processors transferring personal data from both the UK and the EEA, as it essentially allows them to use a number of clauses for their data transfers (with the UK Supplement for transfers from the UK).

What does this mean for companies?

The ICO’s consultation on the “updates” of its own current guidelines on international data transfers is both welcome (for clarity) and somewhat alarming. It is alarming because, in some areas, the ICO seems to propose not only “updating” its current guidelines, but actually making substantial changes to them. The nature of the changes will determine the impact on companies. If they result in a less restrictive regime for international data transfers, the changes will be welcome. If they result in major constraints, organizations must reassess their previous analysis of such transfers and make the necessary changes.

The draft TRA and IDTA remain in draft form until the end of the consultation, so no concrete action needs to be taken at this time. However, organizations should watch this space for the final drafts, and in the meantime it may be useful to review current practices and transfers and take into account any changes that may be required.

In addition to the IDTA, the ICO also intends to create practical tools and instruction templates, such as optional additional safeguard and trade clauses, a multi-party IDTA and an example of a completed TRA & IDTA to help organizations comply with them.

The consultation is open until October 7, 2021.