ICO consults on new international data transfer agreement

Information Commissioner’s Office to consult on its draft international data transfer agreement and guidance, which will replace standard contractual clauses to protect personal data during overseas transfers

The UK Information Commissioner’s Office (ICO) has launched a public consultation on its draft international data transfer agreement (IDTA) and accompanying guidance, which aims to help organisations to protect people’s personal data when sending it overseas.

The draft IDTA, published on 11 August 2021 alongside the consultation announcement, is intended to replace standard contractual clauses (SCCs) as the method for safeguarding data when it is transferred internationally.

“We recognise the importance of international data flows to the UK’s digital economy and are committed to maintaining high standards of data protection for people’s personal information when being transferred outside of the UK,” said the ICO.

“Our IDTA and associated documents also form part of a wider UK package to assist international transfers, including independently supporting the government’s approach to adequacy assessments of third countries. We aim to provide greater regulatory certainty and assist organisations to comply with the law.”

The ICO said the consultation would be split into three sections: proposals and plans for updates to guidance on international transfers; transfer risk assessments; and the IDTA.

“We are also asking for views on any relevant privacy rights, legal, economic or policy considerations and implications,” it said. “Your responses will help us understand the practical impact of our proposed approaches on your organisations.”

The ICO added that it would seek input from a range of interested parties, including data protection practitioners, legal professionals, multinational corporations and civil society groups.

“Input at this early stage can make a significant difference as we will use the responses we receive to inform our work in developing the final documents,” it said. “To respond to this consultation, please download and complete the consultation paper and questions document by 5pm on Thursday 7 October 2021.”

The ICO originally announced its plan to create a replacement for SCCs in May 2021 following the UK’s departure from the European Union (EU), which itself published updated SCCs on 4 June.

The EU’s revised SCCs include more robust protections to ensure that personal data transferred overseas is not disclosed to foreign governments and intelligence services, specifically incorporating the requirements of the General Data Protection Regulation.

The revision of SCCs was prompted by the Schrems II ruling in July 2020, when the European Court of Justice (ECJ) struck down the EU-US data-sharing agreement Privacy Shield on the basis that US surveillance laws meant the US did not offer privacy protections equivalent to those under EU law.

Specifically, the court found that the US laws were not proportionate and went beyond what was strictly necessary.

The ruling, colloquially known as Schrems II after the Austrian lawyer who took the case to the ECJ, also cast doubt on the legality of using SCCs as the basis for international data transfers, finding that although these were legally valid, companies still had a responsibility to ensure that those they shared the data with granted privacy protections equivalent to those contained in EU law.

As a result of the ruling, it is now a requirement under UK data protection law to carry out a risk assessment before transferring data internationally.

“The IDTA cannot provide safeguards for all risks in all countries,” said the ICO in its TRA guidance. “Therefore, before you can rely on an IDTA, you must also do a transfer risk assessment [TRA] that considers all the circumstances of the restricted transfer and checks if the IDTA provides appropriate safeguards for your restricted transfer.”

In its draft IDTA, the ICO said the TRA checks that local laws and practices do not override the protections of the IDTA. “This ensures that the relevant protections for data subjects of the transferred data are sufficiently similar to the UK’s protections,” it said. “ICO’s guidance on TRAs may evolve over time relating to changes in legislation, case law and practical review of the operation of the guidance.”

Both the IDTA and TRA draft documents contain templates and guidance that organisations can use to complete these processes and protect people’s personal data, but these could change as a result of feedback during the consultation.

Questions about these documents, as well as the ICO’s interpretation of various aspects of data protection law, are included on the announcement webpage for interested parties to respond to. “We will publish all responses we receive unless you request otherwise,” said the ICO.

In September 2020, a survey conducted by legal experts at Fieldfisher found that more than half of enterprises had no intention of ceasing or reducing their reliance on US-based or non-European Economic Area (EEA) data processors, despite the Schrems II ruling.

For example, while about 75% of responding enterprises indicated that half or more of their data processors were based in the US or non-EEA territories, just 12% said they would reduce their reliance on US-based or non-EEA processors, and only 5% said they intended to halt their data exports completely.

In response to questions about whether a risk assessment would be conducted for each transfer, only 15% said yes, and 40% indicated they would do so only for “larger or more sensitive transfers”.

Asked what they would do if the impact assessment did determine there was a risk in the transfer, just 4% of respondents said they would prohibit it completely.

The ICO’s direction of travel has also been called into question in recent months. In April 2021, a cross-party group of MPs warned that the government was seeking a new information commissioner to support its own policy agenda, rather than a regulator that would enforce data protection laws as written by Parliament.

The MPs said that “no mention is made of experience in regulating data protection” in the job description published on 28 February 2021, which instead advertised for a new commissioner with “commercial and business acumen”, as well as experience of “using data to drive innovation and growth”.

The MPs wrote in an open letter to digital secretary Oliver Dowden: “The impression has been made that DCMS seeks an information commissioner that will work to remove protections within current laws, to reduce the risks of enforcement action, and rather than guarantee the rights of individuals, will seek to ‘balance’ rights against concerns such as ‘regulatory certainty’ and economic growth.”
