12 Aug 2021

The UK’s draft international data transfer agreement

The Information Commissioner’s Office has launched a consultation on the UK’s draft international data transfer agreement which replaces Standard Contractual Clauses (SCCs) to support the continued transfer of personal data outside of the UK.

On 12th August, the Information Commissioner’s Office (ICO) launched a consultation on the draft international data transfer agreement (IDTA) and guidance, which replace Standard Contractual Clauses (SCCs) as the tool to maintain high standards of data protection while transferring data internationally. The IDTA and associated documents form part of a wider package from the ICO to assist international transfers, including supporting a new approach from the UK Government on data adequacy assessments of third countries.

The consultation, which is open until 7 October, is made up of three sections. These include:

  1. An update to guidance on international transfers.
  2. A new Transfer risk assessment to help companies comply with the Schrems II ruling.
  3. The international data transfer agreement.

Additionally, the ICO is seeking views on any relevant privacy rights, legal, economic or policy considerations that the proposed new approach will have on UK organisations.

  1. Draft International data transfer agreement

The IDTA is a contract for restricted transfers of personal data outside the UK (i.e. personal data under UK GDPR transferred to a country not covered by UK adequacy regulations). The agreement seeks to ensure that the “relevant protections for Data Subjects of the Transferred Data are sufficiently similar to UK protections.”

The current draft IDTA contains:

  • tables which should be used to set out specific information about the Exporter, the Importer and the restricted transfer;
  • the option to include extra protection clauses if one decides that the IDTA needs extra steps in order to provide the right level of protection;
  • the option to include commercial clauses agreed by the Exporter and Importer, provided that these do not contradict the IDTA; and
  • a set of Mandatory Clauses which must always be included.

Aside from outlining how the IDTA works, the draft IDTA document is packed with guidance templates and information on how to complete the IDTA, including a Legal Glossary and frequently asked questions.

  2. Draft International transfer risk assessment and tool

Part of the IDTA includes completing a transfer risk assessment (TRA) to make sure that the IDTA works as intended in the country where the receiver of the Personal Data is located. The TRA checks that local laws and practices do not override the protections that the IDTA contains. This ensures that the relevant protections for Data Subjects of the Transferred Data are sufficiently similar to the UK’s protections.

The three main factors that must be taken into account under the TRA include:

  • Particular facts of the restricted transfer, including the type of personal data transferred;
  • Particular facts about the destination country; and
  • The potential impact on the data subjects of the transfer, and any risk of harm to data subjects.

The aim of the TRA is to identify whether the IDTA on its own provides appropriate safeguards for the restricted transfer, or whether you will need to take extra steps and protections. The ICO warns that there may be some situations where, even with extra steps and protections, the IDTA is unlikely to provide appropriate safeguards. In that case you may need to consider another Article 46 transfer tool or one of the exceptions.

  3. UK Addendum to model Standard Contractual Clauses

The ICO has provided an addendum to help incorporate the UK IDTA into other model data transfer agreements from other jurisdictions. For example, model data transfer agreements have been issued by the European Commission, New Zealand and ASEAN (the Association of Southeast Asian Nations).

The ICO is consulting on the suitability of the addendum, which it believes will add legal clarity and support the incorporation of the IDTA into businesses’ existing data transfer arrangements.

 

techUK will be submitting a response to this consultation via the Data Protection Working Group. If you would like to contribute or seek more information, please email [email protected]

Neil Ross

Head of Policy, techUK

As Head of Policy, Neil leads techUK's domestic policy development. He regularly engages with UK and Devolved Government Ministers, senior civil servants and Members of the UK’s Parliaments with the aim of supporting government and industry to work together to make the UK the best place to start, scale and develop technology companies.

Neil joined techUK in 2019 to lead on techUK’s engagement in the UK-EU Brexit trade deal negotiations, as well as leading on economic policy.

He has a background in the UK Parliament and in social research. Neil holds a master's degree in Comparative Public Policy from the University of Edinburgh and an undergraduate degree in International Politics from City, University of London.

Email:
[email protected]
Phone:
078 4276 5470
Twitter:
@neil13r
Website:
www.techuk.org/
LinkedIn:
https://www.linkedin.com/in/neilross13/

Sue Daley

Director, Technology and Innovation

Sue leads techUK's Technology and Innovation work.

This includes work programmes on cloud, data protection, data analytics, AI, digital ethics, Digital Identity and Internet of Things as well as emerging and transformative technologies and innovation policy. She has been recognised as one of the most influential people in UK tech by Computer Weekly's UKtech50 Longlist and in 2021 was inducted into the Computer Weekly Most Influential Women in UK Tech Hall of Fame. A key influencer in driving forward the data agenda in the UK, Sue is co-chair of the UK government's National Data Strategy Forum. As well as being recognised in the UK's Big Data 100 and the Global Top 100 Data Visionaries for 2020, Sue has also been shortlisted for the Milton Keynes Women Leaders Awards and was a judge for the Loebner Prize in AI. In addition to being a regular industry speaker on issues including AI ethics, data protection and cyber security, Sue was recently a judge for the UK Tech 50 and is a regular judge of the annual UK Cloud Awards.

Prior to joining techUK in January 2015, Sue was responsible for Symantec's Government Relations in the UK and Ireland. She has spoken at events including the UK-China Internet Forum in Beijing, UN IGF and European RSA on issues ranging from data usage and privacy to cloud computing and online child safety. Before joining Symantec, Sue was senior policy advisor at the Confederation of British Industry (CBI). Sue has a BA degree in History and American Studies from Leeds University and a Master's degree in International Relations and Diplomacy from the University of Birmingham. Sue is a keen sportswoman and in 2016 achieved a lifelong ambition to swim the English Channel.

Email:
[email protected]
Phone:
020 7331 2055
Twitter:
@ChannelSwimSue

Jake Wall

Programme Assistant, Policy, techUK

Jake is the Programme Assistant for Policy, assisting techUK's work across its Policy and Public Affairs; Skills, Talent and Diversity; and Data functions.

He joined techUK in March 2019 following his graduation from a master’s degree in International Relations at the University of Sussex, as well as a bachelor’s degree in International Politics at Aberystwyth University, and has also worked across the EU Exit, International Trade and Cloud, Data Analytics and AI programmes. Outside of work, he enjoys watching and playing sport, spending time with friends and family, and – when possible – travelling!

Email:
[email protected]
Twitter:
@jww_uk
Website:
www.techuk.org/
LinkedIn:
https://www.linkedin.com/in/jakewwall/