On August 11th, the UK’s Information Commissioner’s Office (ICO) launched a public consultation on its draft International Data Transfer Agreement (IDTA) and guidelines to determine how organizations can protect the personal information of individuals when it is transferred outside the UK.
Pursuant to the UK General Data Protection Regulation (UK GDPR) and the 2018 Data Protection Act (DPA), transfers of personal data from the UK to organizations not subject to the UK GDPR – often because those organizations are based in jurisdictions other than the United Kingdom, including the European Economic Area (EEA) – are generally considered to be “restricted transfers” and are subject to certain transfer rules. Such rules currently largely correspond to the similar rules of the EU General Data Protection Regulation (GDPR).
In order to ensure that data subjects do not lose the protection of the UK GDPR if their personal data is transferred outside of the UK, the personal data rights of individuals need to be protected in other ways that are essentially equivalent. Such protection is assumed if the jurisdiction in which the recipient is located is subject to UK “adequacy rules” (currently there are UK adequacy rules for the EEA and all jurisdictions covered by existing EU “adequacy decisions”).
In the absence of relevant UK adequacy rules, adequate protection can be ensured by implementing one of several “reasonable safeguards” under the UK GDPR. Such safeguards include, for example, UK binding corporate rules and standard contractual clauses or “SCCs” (agreements between the transferring and receiving organizations that contain standard data protection clauses approved under UK data protection legislation).
Before any such safeguard can be relied on, the transferring organization should conduct an impact assessment for the transfer, taking into account the safeguards included in the protection measure and the legal framework of the jurisdiction to which the restricted transfer is to be made. If the impact assessment for the transfer shows that the chosen protection measure does not provide the required level of protection, the transferring organization can take additional measures to ensure that the transferred personal data is adequately protected.
There are also various exemptions set out in the UK GDPR that may apply (although generally these cannot be routinely relied on).
The ICO notes that the proposed IDTA will replace the current SCCs to incorporate the judgment of the European Court of Justice in the Schrems II case, which requires organizations to conduct further investigations when personal data is transferred outside of the UK or the EEA to countries without an adequacy decision.
The consultation is divided into three parts which propose different options for consideration:
- a proposal and plans for updated guidelines for international transfers
- Transfer Risk Assessments (TRA)
- the IDTA
In relation to the proposal to update the ICO guidelines on international transfers, the consultation focuses on a number of suggestions on two important points where updated guidelines may be helpful. These include whether the UK GDPR inevitably regulates processing by:
- a foreign processor of a “UK GDPR controller” (a controller whose processing falls within the scope of the UK GDPR)
- a joint controller overseas with a joint controller in the UK
The consultation also takes into account the ICO’s interpretation of what constitutes a “restricted transfer” under the UK GDPR. Among other things, the ICO is considering whether or not to keep its current policy that a restricted transfer will only take place if the importer’s processing of personal data is not subject to the UK GDPR, on the basis that if the importer is already required to process the data in accordance with the UK GDPR, no additional protection of the transferred data is required.
Alternatively, the ICO could update its current guidance to take into account that if an exporter is subject to the UK GDPR (whether in the UK or abroad) and the importer is based outside the UK, a restricted transfer will take place, with the question of whether or not the importer is subject to the UK GDPR being irrelevant to the classification, which is more in line with the EU’s position on this point.
The consultation is also considering updating the ICO guidance on exemptions under the UK GDPR, including the interpretation of whether an exemption is “necessary and proportionate”. The ICO is also considering providing guidance on how to combine IDTAs (and other safeguards) with the exemptions under the UK GDPR.
The ICO will also seek views on the draft TRA tool and IDTA, along with the ability to issue an IDTA in the form of an addendum to sample data transfer agreements used by other jurisdictions (e.g. the European Commission’s SCCs, which could be amended in connection with UK data transfers).
The draft international TRA and tool focus on two main questions related to the laws and practices of the destination country for personal data: (i) whether the IDTA is enforceable in that country; and (ii) the legal system of the destination country, which may require data importers to grant third parties access to the transferred data. The focus is not so much on whether third party access is allowed under local law, but whether the laws and practices of the country of destination include safeguards similar to those of UK law.
The draft IDTA contains an introduction to the IDTA and sections on how to complete the IDTA, the IDTA template, various frequently asked questions, and how-to templates.
The ICO will seek opinions on relevant data protection rights as well as legal, political and economic considerations in relation to the new proposals. The ICO is keen to hear the views of all relevant stakeholders before the consultation ends after 5:00 p.m. on October 7, 2021.
It will be interesting to see what emerges from the consultation and to what extent the post-consultation position of the ICO will differ from the EU’s position on international transfers of personal data, especially given that the recently adopted adequacy decision regarding the UK is partially dependent on a limited deviation of the UK data protection system from the EU data protection system.
The Information Commissioner’s Office (ICO) has launched a public consultation on its draft International Data Transfer Agreement (IDTA) and guidelines.
https://ico.org.uk/about-the-ico/news-and-events/news-and-b …