UK: ICO opens consultation on its updated international data transfer guidance and tools

On 11 August 2021, the Information Commissioner’s Office (ICO) launched a public consultation on its draft international data transfer agreement (IDTA) and guidance on data transfers. These updates have been expected for some time to address the UK regulatory position, following exit from the EU, in relation to the Schrems II decision of the CJEU last year and the need to refresh the Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries.

The ICO’s consultation is split into three sections:

  • Proposal and plans for the ICO to update its guidance on international transfers;
  • Transfer risk assessments; and
  • ICO model international data transfer agreements.

Key takeaways

  • The ICO has published a draft IDTA which, once approved, will replace the SCCs. This is necessary as the current SCCs are over ten years old and out of date, given the terms don’t take account of the GDPR or Brexit (they were simply grandfathered into UK law under the EU-UK Withdrawal Agreement). The European Commission recently published its own Implementing Decision on standard contractual clauses (“EU SCCs”) refreshing the SCCs for the post-GDPR era, making the UK an outlier in relying on the legacy SCCs.

  • As with the EC SCCs, the IDTA consolidates the full range of SCCs that may be required into one document (i.e. controller / processor, controller/controller, processor/processor, processor/controller), with certain sections expressly stated not to apply depending on the type of transfer taking place.

  • Other key features of the IDTA include:

    • tables at the front of the IDTA that capture specific information about the parties and the transfer, including the relationship of the parties (e.g. controller/processor etc.);
    • the option to include extra protection clauses depending on the outcome of the transfer risk assessment, such as additional technical security protections, organisational protections or contractual protections;
    • the option to include commercial clauses agreed by the parties, provided that these do not contradict the IDTA; and
    • a set of Mandatory Clauses which must be included in full and without any changes (with some exceptions in relation to changes to cross-referencing etc.) in every IDTA.

      It is possible to make changes to the format of the IDTA, as long as the changes do not reduce the level of protection. As with the EC SCCs, it is also possible for more than two parties to enter into the IDTA.

  • Alongside the draft IDTA, the ICO has helpfully published a draft addendum to the EC SCCs. This can be used as an alternative to the IDTA, to essentially apply the EC SCCs in the context of UK data transfers (e.g. replacing references to the EU GDPR with the UK GDPR etc.). This will be invaluable for organisations that routinely make data transfers from both the EU and the UK – the addendum allows you to use just one set of SCCs (the EC SCCs along with the UK addendum) to cover both transfers, avoiding the need to use both the EC SCCs and the UK IDTA.

  • The ICO has also published a draft International Data Transfer Risk Assessment and Tool (TRA). The TRA provides step-by-step advice and guidance to organisations on how to carry out transfer risk assessments when transferring data to third countries, with clear examples of the criteria to take into account, relevant risk factors and worked examples, all presented in a logical step-by-step methodology.

  • The TRA anticipates a three-step approach:

    • assessing the facts of the transfer;
    • assessing if the IDTA is likely to be enforceable in the destination country; and
    • assessing if there are appropriate protections in place for the data from third-party access.

      Each step is accompanied by guidance and decision trees to help the assessment in practice.

  • The overall principle adopted by the ICO is that the assessment should determine whether the laws in place are ‘sufficiently similar’ to those in the UK to support the transfer. In cases where a determination on this may not be clear, the TRA allows the assessor to look more widely at the potential risk of harm to the data subject, any wider safeguards that may be in place to protect the transfer, and the likelihood of harm or impact being suffered by the data subject. Taken together, these criteria introduce a proportionality principle to the assessment model, which will be widely welcomed as evidence of the ICO taking a more pragmatic approach to data transfers than the more prescriptive model adopted by the EDPB in its equivalent Recommendations.

The new IDTA and TRA guidance will be welcomed by UK-based controllers and processors, providing much-needed certainty on the approach to data transfers from the UK after Brexit and supporting planning around refreshing SCCs. The ICO’s consultation runs until 5pm on Thursday, 7 October 2021.

The global data protection, privacy & security team at DLA Piper has developed a standardised data transfer methodology to assist clients carrying out an assessment consistent with the judgment, when relying on SCCs or other transfer mechanisms. The methodology includes a five-step assessment process which is broadly aligned to the EDPB Recommendations. For further information please see our global data transfer webpage.