Thursday, August 12, 2021
On August 11, 2021, the UK’s Information Commissioner’s Office (“ICO”) launched a consultation on its draft International Data Transfer Agreement (“IDTA”) and accompanying guidance for organizations making international data transfers (the “Guidelines”). Once finalized, the IDTA will replace the existing EU Standard Contractual Clauses (“SCCs”) in the UK. The consultation follows both the UK’s exit from the EU and the Schrems II ruling of July 2020, in which the Court of Justice of the European Union (“ECJ”) (1) invalidated the EU-US Privacy Shield and (2) upheld the validity of the SCCs, but required the parties to a transfer to carry out a case-by-case assessment of whether the SCCs provide an adequate level of protection for the personal data transferred, and to adopt additional safeguards where they do not. The European Commission recently published updated SCCs under the EU General Data Protection Regulation (“GDPR”), but these will not apply in the UK after Brexit. The ICO must therefore publish its own set of SCCs under the UK GDPR (the GDPR as incorporated into UK law).
The consultation is divided into three separate sections, covering proposals for the Guidelines, Transfer Risk Assessments (“TRAs”) and the IDTA. The ICO also provides a Template Addendum to the EU SCCs that organizations can use to adapt those SCCs for use in the context of UK data transfers. The consultation is open until October 7, 2021. Responses can be submitted by completing the consultation paper and questions and sending them to IDTA.firstname.lastname@example.org. Hunton will work with our Center for Information Policy Leadership to prepare a response.
For the Guidelines, the consultation seeks input on questions relating to the transfer of personal data, but also includes further questions on the scope of the UK GDPR, for example whether Articles 3(1) and 3(2) of the UK GDPR apply to overseas processors of UK personal data. Questions are also asked about when a relevant transfer is considered to have occurred, for example an interpretation under which the return of data by a UK processor to an overseas controller would not be considered a restricted transfer. In some cases, the consultation asks respondents to choose between different options depending on how the UK GDPR is interpreted. One of the most notable options in the consultation is to maintain the ICO’s position that a transfer to a company already directly subject to the UK GDPR under Article 3(2) is not a restricted transfer. However, the ICO notes in the consultation that it does not currently intend to take this approach.
The consultation also covers the exemptions (derogations) available under Article 49 of the UK GDPR, and asks whether exporters should attempt to use a transfer mechanism before relying on the exemptions, and whether the “necessary” requirement in the exemptions should be interpreted as “strictly necessary.” The responses received during the consultation period will inform the ICO’s position on these key issues in the Guidelines.
The ICO has created a draft TRA tool to assist organizations with routine transfers, although organizations are also free to use their own risk assessment methods. The tool sets out a three-step process for risk assessment.
First, the organization must determine that the tool is suitable for the transfer (e.g., the transfer is routine rather than high risk). As part of this assessment, the organization must take into account a number of factors, such as the type of importer, any onward transfers, the purpose and method of the transfer, and its frequency.
Second, the organization must assess whether the IDTA would be enforceable in the destination country. If in doubt, the organization should carry out a supplementary risk assessment to evaluate the potential for harm to data subjects and to identify additional safeguards that could reduce the risk. The ICO provides guidance on when the risk of harm is assessed as low, moderate or high, for example classifying basic employment or contact information as low risk. It also provides guidance on factors that may reduce or increase the risk of harm to data subjects (automated decision-making by the importer being one risk factor), as well as on measures that can be taken to supplement the IDTA.
The final step is to evaluate the destination country’s regime for regulating third-party access to personal data, including an assessment of its surveillance laws. Again, the ICO provides guidance on factors likely to protect data subjects’ rights and factors likely to undermine them, as well as guidance on assessing the likelihood of third-party access. The draft tool specifies that transfers should only take place if the destination regime is sufficiently similar to that of the UK, the risk of third-party access is minimal, or the risk of harm to data subjects is low even in the event of third-party access. Specifically, the TRA tool states: “If you decide … about third party access, you can proceed with the restricted transfer using the IDTA along with the additional steps and safeguards that you identify.”
The draft IDTA does not follow the same structure as the EU SCCs, but contains separate sections detailing the parties, the transfer (including whether the importer is permitted to make onward transfers and how frequently the IDTA will be reviewed), the transferred data and the purpose of the transfer, and the security measures to be taken at each stage of the transfer. The IDTA also contains “mandatory clauses” governing the obligations of the exporter and importer in relation to the transfer. The mandatory clauses include provisions on how the exporter and importer will ensure compliance in relation to the transfer, on compliance with ICO requests, on the measures to be taken in the event of a personal data breach, on onward transfers and sub-processing, and on data subject rights.
The ICO is seeking feedback on its draft IDTA, including whether it is clear to organizations how the IDTA should be used in conjunction with the TRA tool, whether organizations are likely to use it, whether a modular approach (such as that adopted by the European Commission in its new SCCs) would be preferable, and whether the ICO should provide a separate multi-party IDTA.
The ICO also proposes including additional template documents covering, for example, optional TRA extra-protection clauses, commercial clauses, and examples of a completed TRA and IDTA.
The ICO is also asking whether it should issue the IDTA as an addendum to existing model transfer agreements such as the EU SCCs, and is providing a template addendum that amends the EU SCCs to work in the context of UK data transfers. This addendum would potentially provide a practical compliance solution for many companies transferring personal data from both the EU and the UK that would otherwise have to enter into separate data transfer agreements.
The full consultation can be viewed here.
Copyright © 2021, Hunton Andrews Kurth LLP. All rights reserved. National Law Review, Volume XI, Number 224