12 Aug 2021

The UK’s draft international data transfer agreement

The Information Commissioner’s Office has launched a consultation on the UK’s draft international data transfer agreement which replaces Standard Contractual Clauses (SCCs) to support the continued transfer of personal data outside of the UK.

On 12th August, the Information Commissioner’s Office (ICO), launched a consultation on the draft international data transfer agreement (IDTA) and guidance, which replace Standard Contractual Clauses (SCCs) as the tool to maintain high standards of data protection while transferring data internationally.  The IDTA and associated documents form part of a wider package from the ICO to assist international transfers, including supporting a new approach from the UK Government on data adequacy assessments of third countries. 

The consultation, which is open until 7 October, is made up of three sections. These include:

  1. An update to guidance on international transfers.
  2. A new Transfer risk assessment to help companies comply with the Schrems II ruling
  3. The international data transfer agreement.

Additionally, the ICO is seeking views on any relevant privacy rights, legal, economic or policy considerations that the proposed new approach will have on UK organisations.

  1. Draft International data transfer agreement

The IDTA is a contract for restricted transfers of personal data outside the UK (ie. personal data under by UK GDPR transferred to a country not covered by UK adequacy regulations). The agreement seeks to ensure that the “relevant protections for Data Subjects of the Transferred Data are sufficiently similar to UK protections.”

The current draft IDTA contains:

  • tables which should be used to set out specific information about the Exporter, the Importer and the restricted transfer;
  • the option to include extra protection clauses if one decides that the IDTA needs extra steps in order to provide the right level of protection;
  • the option to include commercial clauses agreed by the Exporter and Importer, provided that these do not contradict the IDTA; and
  • a set of Mandatory Clauses which must always be included.

Aside from outlining how the IDTA works, the draft IDTA document is packed with guidance templates and information on how to complete the IDTA, including a Legal Glossary and frequently asked questions.

  1. Draft International transfer risk assessment and tool

Part of the IDTA includes completing a transfer risk assessment (TRA) to make sure that the IDTA works as intended in the country where the receiver of the Personal Data is located. The TRA checks that local laws and practices do not override the protections that the IDTA contains. This ensures that the relevant protections for Data Subjects of the Transferred Data are sufficiently similar to the UK’s protections.

The three main factors that must be taken into account under the TRA include:

  • Particular facts of the restricted transfer, including the type of personal data transferred;
  • Particular facts about the destination country; and
  • The potential impact on the data subjects of the transfer, and any risk of harm to data subjects.

The aim of the TRA is to identify whether the IDTA on its own provides appropriate safeguards for the restricted transfer, or whether you will need to take extra steps and protections. The ICO warns that there may be some situations where, even with extra steps and protections, the IDTA is unlikely to provide appropriate safeguards. In that case you may need to consider another Article 46 transfer tool or one of the exceptions.

  1. UK Addendum to model Standard Contractual Clauses

The ICO has provided an addendum to help incorporate the UK IDTA into other model data transfer agreements from other jurisdictions. For example, model data transfer agreements have been issued by the European Commission, New Zealand and ASEAN (the Association of Southeast Asian Nations).

The ICO is consulting on the suitability of the addendum which it believes will add legal clarity and support the incorporation of the IDTA into businesses existing data transfer arrangements.

 

techUK will be submitting a response to this consultation via the Data Protection Working Group. If you would like to contribute or seek more information, please email [email protected]

Audre Verseckaite

Audre Verseckaite

Senior Policy Manager, Data & AI, techUK

Audre joined techUK in July 2023 as a Policy Manager for Data. Previously, she was a Policy Advisor in the Civil Service, where she worked on the Digital Markets, Competition and Consumers Bill at the Department for Science, Innovation and Technology, and at HM Treasury on designing COVID-19 support schemes and delivering the Financial Services and Markets Bill. Before that, Audre worked at a public relations consultancy, advising public and private sector clients on their communications, public relations, and government affairs strategy.

Prior to this, Audre completed an MSc in Public Policy at the Korea Development Institute and a Bachelor's in International Relations and History from SOAS, University of London. Outside of work, she enjoys spending time outdoors, learning about new cultures through travel and food, and going on adventures.

Email:
[email protected]
Website:
www.techUK.org,www.techUK.org
LinkedIn:
https://www.linkedin.com/in/audre-v-81b2b0a2/,https://www.linkedin.com/in/audre-v-81b2b0a2/

Read lessmore

Oliver Alderson

Oliver Alderson

Junior Policy Manager, techUK

Oliver is a Junior Policy Manager at techUK, working across Public Affairs and Digital Regulation policy. He supports the organisation’s engagement with government and parliament, contributes to shaping techUK’s regulatory agenda, and plays a key role in coordinating political outreach, policy projects, and flagship events.

He joined techUK in November 2023 as a Team Assistant to the Policy and Public Affairs team, before stepping into his current role. He has been closely involved in efforts to ensure the tech sector’s voice is heard in the policymaking process.

Oliver holds a Master’s in Policy Research from the University of Bristol and a BSc in Policy from Swansea University. During his studies, he contributed to mental health research as a Student Research Assistant for the SMaRteN network.

Outside of work, Oliver is a keen debater and remains active in the UK debating community, having previously led the Swansea University Debating Union. He enjoys exploring complex issues from multiple perspectives and values clear, thoughtful communication in policy discussions.

Email:
[email protected]
Phone:
07505 890 596
LinkedIn:
https://uk.linkedin.com/in/oliver-alderson-a51312180

Read lessmore

Daniella Bennett Remington

Daniella Bennett Remington

Policy Manager - Digital Regulation, techUK

Dani joined techUK in February 2025 as a Policy Manager in the Digital Regulation team.

Prior to this, Dani worked in political monitoring where she was a consultant for Digital, Culture, Media and Sport. In this role, she developed a strong understanding of parliamentary procedure, closely following all of the major developments in the tech centre and working with several key stakeholders and regulators.  

She has an undergraduate degree in History from the University of Bristol and an MPhil in Modern European History from the University of Cambridge.

Outside of tech, Dani has a strong interest in addiction policy, particularly towards drugs, having written her dissertation on the topic as well as several subsequent research projects. In her spare time, she enjoys cooking and following all things motoring, whether that be F1, MotoGP or Formula E.

Email:
[email protected]
Twitter:
@danibenrem
LinkedIn:
https://www.linkedin.com/in/daniella-bennett-remington/

Read lessmore

 

Return to listing