On 11 August the Information Commissioner's Office (ICO) launched a consultation on its draft international data transfer agreement (IDTA), which will replace the Standard Contractual Clauses (SCCs) for personal data transfers out of the UK.
The ICO has published the following draft documents:
International data transfer agreement (IDTA), which includes:
- Template tables to set out details of the data exporter, the importer, the importer's status (i.e. processor, sub-processor or other), the transfer, the transferred data and the applicable security requirements. Use of these tables is not mandatory, provided that the required information is provided.
- A set of mandatory clauses – like the EU SCCs, some of these only apply to certain processing relationships (i.e. controller-processor, controller-controller, processor-sub-processor or processor-controller).
- The option to include extra protection clauses in respect of: (i) technical security protections; (ii) organisational protections; and (iii) contractual protections. This is simply a template table and does not provide suggested wording.
- The option to include commercial clauses agreed by the exporter and importer, provided these do not contradict the transfer agreement.
UK addendum to the new EU SCCs
This is provided by way of an example to the ICO's consultation on whether it would be useful to issue an IDTA in the form of an addendum to model data transfer agreements from other jurisdictions (as well as the SCCs, the equivalent documents issued by New Zealand and ASEAN).
International transfer risk assessment and tool
This sets out guidance on when and how to conduct a transfer risk assessment (TRA) to identify whether a transfer of personal data outside the UK complies with data protection law.
A TRA is needed if:
- you're making a restricted transfer: on the ICO's current definition, sending, or making accessible, personal data to which the UK GDPR applies to a separate company or individual to whom the UK GDPR does not apply (although the ICO is consulting on whether to amend this definition); and
- you want to rely on one of the transfer tools under Article 46 of the UK GDPR, including the IDTA.
A TRA is not needed if:
- you're transferring data to a country covered by an adequacy decision; or
- the transfer is covered by an exception.
Before using the TRA, you need to assess whether it is suitable. It is only suitable when using the IDTA to make a routine transfer of personal data to an importer based in a country outside the UK. It is not suitable if the specific circumstances of the transfer mean that it is too high risk or too complex for the tool.
The TRA tool sets out 3 steps:
- Assess whether the tool is suitable for the transfer and whether the transfer meets the other UK GDPR obligations, including data minimisation, security, lawful basis, processor contractual obligations and transparency.
- Assess whether the IDTA is likely to be enforceable in the destination country. If you have concerns about this, you need to carry out a supplementary risk assessment to identify whether this gives rise to a risk of harm to data subjects and whether any extra steps or protections could reduce that risk.
- Assess whether there is appropriate protection for the data from third-party access in the destination country.
The tool contains decision trees and guidance to help to answer these questions.
You can go ahead with the transfer if:
- the destination country's regime for regulating third-party data access (including surveillance) is sufficiently similar to principles which underpin the UK regime;
- the possibility of third-party data access (including surveillance) is minimal; and
- the risk of harm to data subjects is low, even if third-party access (including surveillance) did take place.
The ICO has also published a consultation paper, which includes practical questions about how user-friendly the draft documents are, plus some technical legal questions.
The consultation closes on 7 October, following which the ICO will finalise the documents and lay them before Parliament. We will monitor progress and report when the documents have been finalised. While the TRA tool looks helpful, its length and complexity highlight how complicated it can be to transfer personal data to a country outside the EEA which does not have an adequacy decision.
Please contact one of our specialist data protection lawyers if you need support deciding whether you can make such a transfer and whether it complies with the law, or if you need advice on transferring personal data out of the UK before the draft documents are finalised.