ICO publishes consultation draft of International Data Transfer Agreement and guidance

The ICO has published a consultation draft of its International Data Transfer Agreement (IDTA), which will replace the Standard Contractual Clauses (SCCs) for transfers of personal data out of the UK.

On August 11, the Information Commissioner’s Office (ICO) launched a consultation on its draft International Data Transfer Agreement (IDTA), which will replace the Standard Contractual Clauses (SCCs) for transfers of personal data from the UK.

The ICO has published the following draft documents:

International Data Transfer Agreement (IDTA), which includes:

  • Template tables specifying the details of the data exporter, the importer, the status of the importer (i.e. processor, sub-processor or otherwise), the transfer, the data transferred and the applicable security requirements. Use of these tables is not mandatory as long as the required information is provided.
  • A number of mandatory clauses, some of which, like the EU SCCs, only apply to certain processing relationships (i.e. controller-processor, controller-controller, processor-sub-processor or processor).
  • The ability to include additional safeguards related to: (i) technical security measures; (ii) organizational protection; and (iii) contractual protection. This is only a template table and does not contain any suggested wording.
  • The possibility of including trade clauses agreed between exporter and importer, provided that these do not contradict the transfer agreement.

UK Addendum to the New EU SCCs

This is an example provided as part of the ICO’s consultation on whether it would make sense to issue an IDTA in the form of an addendum to model data transfer agreements from other jurisdictions (in addition to the SCCs, the equivalent documents issued by New Zealand and ASEAN).

Risk assessment and tool for international transfers

This sets out when and how to conduct a Transfer Risk Assessment (TRA) to determine whether a transfer of personal data outside of the UK is in compliance with data protection law.

A TRA is required if:

  • You are performing a restricted transfer: under the ICO’s current definition, this means sending or making available personal data to which the UK GDPR applies to a separate company or individual to which the UK GDPR does not apply, although the ICO is consulting on whether it should change this definition; and
  • You want to rely on any of the transfer tools under Article 46 of the UK GDPR, including the IDTA.

A TRA is not required if:

  • You are transferring data to a country for which an adequacy decision applies; or
  • the transfer is subject to an exception.

Before using the TRA, you need to assess whether it is suitable. It is only suitable when the IDTA is used to conduct a routine transfer of personal information to an importer based in a country outside of the UK. It is not suitable if the particular circumstances make the transfer too risky or too complex for the tool.

The TRA tool has 3 steps:

  • Assess whether the tool is suitable for the transfer and whether the transfer meets the other UK GDPR obligations, including data minimization, security, legal basis, processor contractual obligations and transparency.
  • Assess whether the IDTA is likely to be enforceable in the target country. If you have any concerns about this, you will need to conduct an additional risk assessment to determine whether this creates a risk for the individuals concerned and whether additional steps or protective measures could reduce the risk.
  • Assess whether the data in the target country is adequately protected from access by third parties.

The tool contains decision trees and instructions to answer these questions.

You can continue with the transfer if:

  • the target country’s regime of regulating third party access to data (including surveillance) is reasonably similar to the principles underlying the UK regime;
  • the possibility of data access by third parties (including surveillance) is minimal; and
  • the risk of harm to the data subjects is low, even if access by third parties (including surveillance) has taken place.

The ICO has also published a consultation paper that includes practical questions about the usability of the draft documents, as well as some legal technical issues.

The consultation ends on October 7th, after which the ICO will finalize the documents and submit them to Parliament. We will monitor progress and report when the documents are ready. While the TRA tool looks helpful, its length and complexity make it clear how complicated it can be to transfer personal data to a country outside the EEA that does not have an adequacy decision.
