ICO consults on protecting personal data transferred outside of UK


ICO advises on the protection of personal data transferred outside of the UK

That Information Commissioner’s Office (ICO) has launched a public consultation on its draft International Data Transfer Agreement (IDTA) and guidelines.

When companies send personal information outside of the UK, they need to ensure that people’s privacy rights are still protected. An IDTA is a contract that organizations can use when transferring data to countries that are not covered by adequacy decisions.

The IDTA will replace the current Standard Contractual Clauses (SCCs) to reflect the binding judgment of the Court of Justice of the European Union (ECJ) in Schrems II. The ruling required organizations to exercise further care when transferring personal data outside the UK to countries without an adequacy decision.

The consultation is divided into three sections which offer a selection of proposals and options that should be considered.

  • Proposal and plans for updates to the guidelines on international credit transfers.
  • Transfer risk assessments.
  • The international data transfer agreement.

The ICO also asks for comments on relevant data protection rights, legal, economic or political considerations and implications. The answers will help the regulator understand the practical implications of the proposed approaches for organizations.

The new IDTA will support the UK digital economy by continuing to enable people to flow around the world with the guarantees of high data protection standards.

Steve Wood, ICO Executive Director of Regulatory Strategy, said, “The modern world involves an increasing flow of personal data about citizens in order to provide goods and services. In order to maintain people’s confidence in the system, it is important to ensure that the data is well protected when transferred outside of the UK. Our new IDTA is designed to ensure that such protections are in place.

“We know that international transfers can be complex, especially for smaller businesses. Our new guidelines have been designed to be accessible and to ensure that they support all organizations, from SMEs without large legal budgets to multinational corporations. The agreements will help organizations continue to operate freely while ensuring that proper safeguards are in place before the data is transferred from individuals.

“This advice is important. We know how important it is for transfer tools to work in practice and the ICO wants to support companies in this area. The responses we receive will feed into our final work, and I encourage all organizations performing international transfers to participate in the consultation and provide feedback. “

The ICO’s work around IDTAs and its consultation is a requirement under s119a of the Data Protection Act 2018. The consultation will inform the final documents that the ICO will submit to Parliament. The consultation hour is open on October 7th, 2021 until 5:00 p.m.