UK: ICO opens consultation on its updated international data transfer guidance and tools


On August 11, 2021, the office of the data protection officer (ICO) a public consultation on their draft agreement on international transfers of data (IDTA) and guidelines for data transfer. These updates have been expected for some time to reflect the UK regulatory position following the exit from the EU regarding the Schrems II decision of the ECJ last year and the need to update the Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries.

The advice to the ICO is divided into three sections:

  • Proposal and plans for the ICO to update its guidelines on international transfers;
  • Transfer risk assessments; and
  • ICO model of international data transfer agreements.

The central theses

  • The ICO has published a draft IDTA that, once approved, will replace the SCCs. This is necessary as the current SCCs are over ten years old and out of date as the terms do not take GDPR or Brexit into account (they were simply incorporated into UK law as part of the EU-UK Withdrawal Agreement). The European Commission recently adopted its own implementing decision on standard contractual clauses (“EU SCCs”) Refreshing the SCCs for the post-GDPR period, which makes the UK an outlier when it comes to relying on the old SCCs.
  • As with the EC SCCs, the IDTA summarizes the full range of SCCs that may be required in one document (i.e. controller / processor, controller / controller, processor / processor, processor / controller) the type of transfer.
  • Other key features of IDTA include:
    • Tables at the top of the IDTA that collect specific information about the parties and the transfer, including the relationship of the parties (e.g. controller / processor, etc.);
    • the possibility of including additional safeguard clauses depending on the result of the transfer risk assessment, such as B. additional technical security measures, organizational protective measures or contractual protective measures;
    • the possibility of including commercial clauses agreed by the parties, provided these do not contradict the IDTA; and
    • a series of mandatory clauses that must be included in any IDTA in full and unchanged (with a few exceptions related to changes in cross-references, etc.). Changes to the IDTA format are possible as long as the changes do not reduce the level of protection. As with the EC SCCs, more than two parties can join the IDTA.
  • In addition to the IDTA draft, the ICO has helpfully published a draft of an addendum on the EC SCCs. This can be used as an alternative to IDTA in order to essentially apply EC SCCs in the context of UK data transfers (e.g. replacement of references to EU GDPR by UK GDPR etc.). This is invaluable to organizations that routinely perform data transfers from both the EU and the UK – as the addendum allows you to only use one set of SCCs (the EC-SCCs along with the UK addendum) to to cover both transfers, thus avoiding the need to use both the EC SCCs and the UK IDTA.
  • The ICO has also published a draft risk assessment and international data transfer tool (IN BETWEEN). The TRA offers organizations step-by-step advice and guidance on how to carry out transfer risk assessments when transferring data to third countries, with clear examples of the criteria to be considered, relevant risk factors and practical examples, all presented in a logical step-by-step- Methodology.
  • The TRA provides a three-stage approach:
    • Judgment on the facts of the transfer;
    • Assessment of whether the IDTA is likely to be enforceable in the target country; and
    • Check whether the data is adequately protected against access by third parties.

Each step is accompanied by instructions and decision trees to support the assessment in practice.

  • The overall principle adopted by the ICO is that the assessment should determine whether the applicable laws are “sufficiently similar” to those in the UK to support the transfer. In cases where a decision in this regard may not be clear, the TRA enables the evaluator to investigate or more fully the potential risk of harm to the data subject, any broader safeguards in place to protect the transmission and the likelihood of harm Effects suffered by the affected person. Taken together, these criteria introduce a principle of proportionality into the valuation model, which is widely welcomed as evidence that the ICO is taking a more pragmatic approach to data transfer than the more prescriptive model adopted by the EDPB in its corresponding recommendations.

The new IDTA and TRA guidelines will be welcomed by UK-based controllers and processors as they provide much-needed reassurance on the post-Brexit approach to data transfers from the UK and aid in planning to refresh SCCs. The consultation of the ICO runs until 5 p.m. on Thursday, October 7, 2021.