Legal briefing

The ICO consults on its international data transfer agreement

Overview

The ICO has launched a consultation on its international data transfer agreement (IDTA). This is the agreement that would be used as a safeguarding mechanism for restricted transfers of data covered by the UK GDPR.

As part of the consultation, it has also released:

  • a draft transfer risk assessment toolkit, for use in conjunction with the IDTA, which must be completed in order to ensure that the IDTA works as intended in the country where the importer of the data is located.
  • a draft addendum, which is designed to enable parties which are relying on the EU Standard Contractual Clauses (SCCs) to govern a restricted transfer to add an addendum to those EU SCCs so that they also cover restricted transfers made under UK GDPR. This will be useful, for example, when intra group data transfer agreements are put in place involving personal data which is subject to EU GDPR and also personal data which is subject to UK GDPR.

The consultation closes on 7 October 2021, and changes will no doubt be made to the documents following the outcome and responses to the consultation. Nevertheless, the consultation provides a useful heads up of the issues that will be faced by parties who wish to transfer personal data under UK GDPR.

Interaction between Article 3 (extra-territoriality) and Chapter V UK GDPR

The consultation includes questions on how Article 3 should work with Chapter V UK GDPR, and a conclusion will need to be reached on this. For example, where a processor located in a third country is processing personal data on behalf of a controller which is subject to UK GDPR by virtue of Article 3(1), should the transfer of personal data to the processor be treated as a restricted transfer, or is it sufficient that the processing is carried out in the context of the UK controller's establishment and that the controller (and the processor) therefore has to comply with UK data protection laws?

This is a key question for which conclusions will need to be reached so that it is clear exactly when controllers and processors will need to use the IDTA in respect of their data transfers to third countries.

The Transfer Risk Assessment (TRA) and accompanying toolkit

The ICO has stated that this must be completed before the IDTA can be entered into, as a requirement of the CJEU's decision in Schrems II, which is now part of English law. By way of recap, in Schrems II the CJEU said that whilst SCCs (such as the IDTA) are still an appropriate safeguarding mechanism to use in respect of data transfers to countries without adequacy decisions, they can only be used once the data exporter and importer are satisfied that the laws and practices of the destination country are sufficient to protect the data.

Points to note about the draft TRA and the toolkit are as set out in the highlighted box below:

  • It is designed to be used in respect of routine restricted transfers; it may well need to be supplemented when it comes to more complex data transfers (eg, where data is being transferred to a number of different countries), or high risk transfers (eg, where the nature of the transfer is such that a data protection impact assessment is also required). In these instances a more complex assessment will be required.

  • There are three stages to the assessment:

    1) Assessing the circumstances of the transfer (eg the nature of the importer and the type and quantity of data being transferred). The answers to these questions ultimately help with assessing the risks of the actual transfer when considering all the circumstances.
    2) Assessing whether the IDTA is likely to be enforceable in the destination country.
    3) Assessing whether there is appropriate protection for the data from third party access.

  • The TRA permits parties to go ahead with a transfer if:
    • the destination country’s regime for regulating third-party data access (including surveillance) is sufficiently similar to principles which underpin the UK regime; or
    • the possibility of third-party access (including surveillance) is minimal regardless of the destination country’s regime; or
    • the risk of harm to data subjects is low, even if third-party access (including surveillance) was to take place.

This is a slightly different approach, with a slightly different emphasis, to the one set out in the European Data Protection Board (EDPB) guidance on measures to supplement transfer tools which was published earlier this summer, and it means that organisations which are subject to both UK GDPR and EU GDPR will have to conduct their transfer risk assessments under each in a slightly different way – at least when it comes to completing the paper trail.

  • The TRA includes helpful guidance on the factors to be considered when deciding whether an IDTA is likely to be enforceable in the destination country, and whether there is appropriate protection for the data from third party access. It also provides useful guidance on how to assess the actual risk posed to the data and the relevant data subject, depending on the nature of the data which is being transferred.

  • As set out in the ICO's Regulatory Action Policy, organisations will need to show that they have used their best efforts to complete a TRA when relying on use of the IDTA as their safeguarding mechanism, although it does not have to be the ICO's TRA that is used. Query whether this would extend to TRAs carried out for use with EU SCCs.

The IDTA

Unlike the EU SCCs, the IDTA is not modular, but can apply in a number of different transfer scenarios, including controller to controller, controller to processor, processor to processor and processor to sub-processor.
The way the IDTA needs to be tailored is slightly different to the EU SCCs, and organisations which are subject to both UK GDPR and EU GDPR will have to get used to the different ways of completing these clauses unless the ICO decides that EU SCCs can be used as an alternative.

Unlike the EU SCCs, the IDTA does not contain Article 28 data processing clauses, though there is scope to link through to, and cross refer to information (eg about the nature of the data transfer) that is contained in any separate data processing agreement so that it is read and interpreted as a linked document with the IDTA. Note however, that the IDTA will override any contradicting terms in linked agreements.

UK Addendum to EU SCCs

As stated above, this will be useful in situations where data transfer agreements are put in place to cover transfers of data which are subject to both EU GDPR and UK GDPR, because the parties will only have to use one set of model clauses.

Implementation

The ICO has suggested that the old EU model clauses would cease being valid for use in relation to new transfers under UK GDPR, three months after the IDTA comes into force (which would effectively be 40 days after it is laid before Parliament). There would then be a grace period of a further 21 months (so 24 months in total) to transition data transfer agreements from the old model clauses to the new IDTA. It is not known yet when the IDTA will be laid before Parliament.

There is no overlap with the timetable for updating restricted transfers which use EU SCCs. As such, to the extent that organisations are carrying out audits of their cross border data transfers for the purpose of updating their EU SCCs, they would do well to make a note of those transfers which are now subject to UK GDPR and which rely on the old EU model clauses as their appropriate safeguarding mechanism, so that these can be updated as and when the IDTA comes into force, and to the extent necessary.

Transition timing

The grey area is agreements such as intra group transfer agreements, which apply both to personal data which is subject to EU GDPR and to personal data which is subject to UK GDPR. Given the 18 month grace period for updating agreements containing the old EU model clauses to the new EU SCCs, it may well be worth holding off on updating these for the time being until we have clarity on the ICO's draft addendum to the EU SCCs.

Conclusion

The proposed IDTA and TRA toolkit seem a little more practical than the EDPB guidance issued for use in relation to EU SCCs and other transfer tools, and the attempt by the ICO to help organisations to truly weigh up the risks is helpful. That said, it is difficult to escape the fact that they will still require a lot of time and effort to research, consider and complete. There are also subtle enough differences, especially in the way the paperwork needs to be filled out, that completing these side by side with TRAs for use with EU SCCs will take a lot of time and resource.

Oliver Dowden's announcement on 26th August, stressing the importance of the UK granting adequacy decisions to third countries, and setting out a list of priority countries for adequacy assessment, including the US, Australia and Singapore, is therefore helpful. At the end of the day, adequacy decisions are the only way in which data can flow truly freely to a third country.

Get in touch

Vivien Halstead
Dan Reavill