ICO publishes consultation draft of International Data Transfer Agreement and guidance

0
28

The ICO has published a draft consultation of its International Data Transfer Agreement (IDTA), which will replace the Standard Contractual Clauses (SCCs) for transfers of personal data out of the UK.

On August 11, the Information Commissioner’s Office (ICO) launched a consultation on its draft International Data Transfer Agreement (IDTA), which will replace the Standard Contractual Clauses (SCCs) for transfers of personal data from the UK.

The ICO has published the following draft documents:

International Data Transfer Agreement (IDTA), which includes:

  • Template tables specifying the details of the data exporter, the importer, the status of the importer (ie processor, sub-processor or otherwise), the transfer, the data transferred and the applicable security requirements. Use of these tables is not mandatory provided the required information is provided.
  • A number of mandatory clauses – like the EU-SCCs, some of which only apply to certain processing relationships (i.e. controller-processor, controller-controller, processor-sub-processor or processor).
  • The ability to include additional safeguards related to: (i) technical security measures; (ii) organizational protection; and (iii) contractual protection. This is only a template table and does not contain any formulation suggestions.
  • The possibility of including trade clauses agreed between exporter and importer, provided that these do not contradict the transfer agreement.

UK Addendum to the New EU SCCs

This is an example of the ICO’s consultation on whether it would make sense to issue an IDTA in the form of an addendum to the model of data transfer agreements from other jurisdictions (as well as the SCCs, the equivalent documents issued by New Zealand and ASEAN).

Risk assessment and tool for international transfers

This sets out when and how to conduct a Transfer Risk Assessment (TRA) to determine whether a transfer of personal data outside of the UK is in compliance with data protection law.

A TRA is required if:

  • You are performing a restricted transfer: according to the current definition of the ICO, sending or making available personal data to which the UK GDPR applies to a separate company or individual to which the UK GDPR does not apply, although the ICO is advising whether they should change this definition; and
  • You want to rely on any of the transfer tools under Article 46 of the UK GDPR, including the IDTA.

A TRA is not required if:

  • You are transferring data to a country for which an adequacy decision applies; or
  • the transfer is subject to an exception.

Before using the TRA, you need to assess whether it is suitable. It is only suitable when the IDTA is used to conduct a routine transfer of personal information to an importer based in a country outside of the UK. It is not suitable if the particular circumstances make the transfer too risky or too complex for the tool.

The TRA tool has 3 steps:

  • Assess whether the tool is suitable for the transfer and whether the transfer meets the other UK GDPR obligations including data minimization, security, legal basis, processor contractual obligations and transparency?
  • Assess whether the IDTA is likely to be enforceable in the target country. If you have any concerns about this, you will need to conduct an additional risk assessment to determine whether this creates a risk for the individuals concerned and whether additional steps or protective measures could replace the risk.
  • Assess whether the data in the target country is adequately protected from access by third parties.

The tool contains decision trees and instructions to answer these questions.

You can continue with the transfer if:

  • the target country’s regime of regulating third party access to data (including surveillance) is reasonably similar to the principles underlying the UK regime;
  • the possibility of data access by third parties (including surveillance) is minimal; and
  • the risk of harm to the data subjects is low, even if access by third parties (including surveillance) has taken place.

The ICO has also published a consultation paper that includes practical questions about the usability of the draft documents, as well as some legal technical issues.

The consultation ends on October 7th, after which the ICO will finalize the documents and submit them to Parliament. We will monitor progress and report when the documents are ready. While the TRA tool looks helpful, its length and complexity makes it clear how complicated it can be to transfer personal data to a country outside the EEA that does not have an adequacy decision.