The UK’s draft international data transfer agreement
On 12th August, the Information Commissioner’s Office (ICO) launched a consultation on the draft international data transfer agreement (IDTA) and guidance, which replace Standard Contractual Clauses (SCCs) as the tool to maintain high standards of data protection while transferring data internationally. The IDTA and associated documents form part of a wider package from the ICO to assist international transfers, including supporting a new approach from the UK Government on data adequacy assessments of third countries.
The consultation, which is open until 7 October, is made up of three sections. These include:
- An update to guidance on international transfers.
- A new transfer risk assessment to help companies comply with the Schrems II ruling.
- The international data transfer agreement.
Additionally, the ICO is seeking views on any relevant privacy rights, legal, economic or policy considerations that the proposed new approach will have on UK organisations.
- Draft International data transfer agreement
The IDTA is a contract for restricted transfers of personal data outside the UK (i.e. personal data subject to the UK GDPR that is transferred to a country not covered by UK adequacy regulations). The agreement seeks to ensure that the “relevant protections for Data Subjects of the Transferred Data are sufficiently similar to UK protections.”
The current draft IDTA contains:
- tables which should be used to set out specific information about the Exporter, the Importer and the restricted transfer;
- the option to include extra protection clauses if one decides that the IDTA needs extra steps in order to provide the right level of protection;
- the option to include commercial clauses agreed by the Exporter and Importer, provided that these do not contradict the IDTA; and
- a set of Mandatory Clauses which must always be included.
Aside from outlining how the IDTA works, the draft IDTA document is packed with guidance templates and information on how to complete the IDTA, including a Legal Glossary and frequently asked questions.
- Draft International transfer risk assessment and tool
Part of the IDTA includes completing a transfer risk assessment (TRA) to make sure that the IDTA works as intended in the country where the receiver of the Personal Data is located. The TRA checks that local laws and practices do not override the protections that the IDTA contains. This ensures that the relevant protections for Data Subjects of the Transferred Data are sufficiently similar to the UK’s protections.
The three main factors that must be taken into account under the TRA include:
- Particular facts of the restricted transfer, including the type of personal data transferred;
- Particular facts about the destination country; and
- The potential impact on the data subjects of the transfer, and any risk of harm to data subjects.
The aim of the TRA is to identify whether the IDTA on its own provides appropriate safeguards for the restricted transfer, or whether you will need to take extra steps and protections. The ICO warns that there may be some situations where, even with extra steps and protections, the IDTA is unlikely to provide appropriate safeguards. In that case you may need to consider another Article 46 transfer tool or one of the exceptions.
- UK Addendum to model Standard Contractual Clauses
The ICO has provided an addendum to help incorporate the UK IDTA into other model data transfer agreements from other jurisdictions. For example, model data transfer agreements have been issued by the European Commission, New Zealand and ASEAN (the Association of Southeast Asian Nations).
The ICO is consulting on the suitability of the addendum, which it believes will add legal clarity and support the incorporation of the IDTA into businesses’ existing data transfer arrangements.
techUK will be submitting a response to this consultation via the Data Protection Working Group. If you would like to contribute or seek more information, please email [email protected]