ICO launches consultation on international data transfers

In August of this year, the Information Commissioner’s Office (ICO) launched a public consultation on transfers of personal data outside the UK. The consultation asked for public feedback on the ICO’s proposal to draft an international data transfer agreement (IDTA) and guidance for organisations on international transfers.

The IDTA will be a contract that organisations can use when transferring data to countries not covered by adequacy decisions. An adequacy decision is a formal decision made by the UK which recognises that another country provides a level of protection for personal data equivalent to that of the UK. Individual EU member states are, for example, covered by an adequacy decision. The aim of the new IDTA is to ensure that when organisations send personal data to a country outside the UK, individuals’ data protection rights continue to be adequately protected.

Once finalised, the IDTA will replace the EU Standard Contractual Clauses (SCCs) currently approved in the UK.  The ICO has stated that the new IDTA will take into account the provisions of the UK GDPR and the binding judgement of the European Court of Justice in July 2020 known as “Schrems II”.  This decision requires organisations to carry out further diligence when making a transfer of personal data outside the EU to countries without an adequacy decision. A transfer risk assessment tool, designed for use with the IDTA, is included as part of the proposals.  

The consultation is split into three sections, offering a selection of proposals and options to consider, namely:

  1. Proposal and plans for updates to guidance on international transfers;
  2. Transfer risk assessments; and
  3. Bespoke UK international data transfer agreement.

One of the key questions posed by the ICO in the consultation papers was whether the IDTA should be issued with a form of ‘UK Addendum’ to data transfer agreements issued by other countries.  This would allow, for example, for the new EU SCCs to be used for transfers of personal data from the UK.

The opening of the public consultation is a welcome move by the ICO as the European Commission has recently updated its SCCs. However, these new SCCs are explicitly not applicable to the UK following Brexit. This means that the UK must continue to rely on the previous EU SCCs until the new IDTA comes into force. There has been a lot of commentary around the inadequacy of the old EU SCCs as they only allow for controller-controller and controller-processor transfers. The ICO proposed in the consultation that the new IDTA will cover more scenarios, for example transfers from a processor to a sub-processor, or to its controller outside the UK. Furthermore, it was proposed that the new IDTA will provide more flexibility than the old EU SCCs: for example, whilst retaining mandatory provisions, organisations will be able to delete sections that are not relevant to them and cross-reference any linked agreements.

The new IDTA and associated guidance were drafted with a view to supporting the UK’s digital economy by continuing to enable the global flow of people’s information with the safeguards of high standards of data protection. In order to meet this objective, the ICO encouraged all organisations that carry out international transfers of data, and other interested parties such as data protection practitioners and legal professionals, to engage with the consultation and provide their views on the proposals. The feedback received informed the ICO’s work in developing the documents and helped to ensure that the final version of the transfer tools works effectively in practice.

The consultation recently closed on 7 October 2021. Responses were submitted by completing the consultation paper and questions and sending them to IDTA.consultation@ico.org.uk.

This article was co-written by Trainee Solicitor, Clare Tuohy.
