The « International Data Transfer Agreement » is in fact the UK version of the Standard Contractual Clauses (SCCs). The ICO did not explain during the consultation why it chose to deviate from the wording of the UK GDPR, which refers to « standard data protection clauses », and from the commonly used and well-understood term « standard contractual clauses », but the change seems intended to make the term more understandable to those less familiar with the legislation. It remains to be seen whether adopting a different and, for many, unfamiliar terminology will lead to more confusion.
The consultation also covers the exemptions available under Article 49 of the UK GDPR and asks whether exporters should be required to attempt to use a transfer mechanism before availing themselves of the exemptions, and whether the requirement that an exemption be « necessary » should be interpreted as « absolutely necessary ». The responses received during the consultation period will influence the ICO's position on these key issues in the guidelines. The ICO said this needs to be completed before the IDTA can be finalised, as a requirement of the CJEU's decision in Schrems II, which is now part of English law.
In summary, the CJEU stated in Schrems II that while SCCs (such as the IDTA) are still an appropriate safeguard mechanism for data transfers to countries without an adequacy decision, they can only be used if the data exporter and importer are satisfied that the laws and practices of the destination country are sufficient to protect the data. The points to consider regarding the platform project and the toolbox are listed in the box below: Certainly, the tool proposed by the ICO provides practical support to companies that goes far beyond anything contained in the recommendations published by the European Data Protection Board on measures to complement the transfer instrument (01/2020).
It also differs from the EDPB recommendations and related guidelines in a number of other important respects. Unlike the EU SCCs, the IDTA is not modular but can be applied in a number of different transfer scenarios, including controller-to-controller, controller-to-processor, processor-to-processor and processor-to-sub-processor. The way the IDTA needs to be adapted is slightly different from the EU SCCs, and organisations subject to both the UK GDPR and the EU GDPR will need to get used to the different ways of completing these clauses, unless the ICO decides that the EU SCCs can be used as an alternative. Unlike the EU SCCs, the IDTA does not contain any data processing clauses under Article 28, although it is possible to create links to information (e.g. on the type of data transfer) contained in a separate data processing agreement so that it can be read and interpreted as a document related to the IDTA.
Note, however, that the IDTA prevails over any conflicting conditions in the related agreements. Before using the TRA tool, you need to evaluate whether it is appropriate. It is only appropriate where you are carrying out a systematic transfer of personal data to an importer based in a country outside the UK in reliance on the IDTA. It is not appropriate if the specific circumstances of the transfer mean that it is too high-risk or too complex for the tool.
As part of its proposals for the International Data Transfer Agreement (IDTA), the ICO plans to publish an IDTA in the form of an addendum to the so-called « Model Data Transfer Agreements » of other jurisdictions. It is perhaps not surprising that this was the aspect of the ICO proposals that was best received by companies, at least by companies that fall within the scope of both the EU GDPR and the UK GDPR and therefore needed to familiarise themselves with the new EU SCCs. The ICO also refers to the agreements of New Zealand and ASEAN (Association of Southeast Asian Nations) in this context, as well as the EU SCCs, but the first two appear to be included largely for presentation purposes. All interest will be in the possibility of using a simple addendum to the EU SCCs to validate transfers from the UK.
On 11 August 2021, the Office of the United Kingdom Information Commissioner (« ICO ») launched a consultation on its draft International Data Transfer Agreement (« IDTA ») and its Guidelines for Organisations on International Transfers (the « Guidelines »). Upon completion, the IDTA will replace the existing EU Standard Contractual Clauses (« SCCs ») in the United Kingdom.
The consultation follows both the withdrawal of the United Kingdom from the EU and the Schrems II judgment of July 2020, in which the Court of Justice of the European Union (« CJEU ») (1) invalidated the EU-US Privacy Shield and (2) confirmed the validity of the SCCs, but asked the companies using them to carry out a case-by-case assessment to verify whether the SCCs ensure an adequate level of protection for the personal data transferred, and to adopt additional safeguards if this is not the case. The European Commission recently published updated SCCs under the EU's General Data Protection Regulation (« GDPR »), but these will no longer apply to the UK after Brexit.
The ICO must therefore publish its own SCCs under the UK GDPR (the GDPR as incorporated into UK law). And let's not forget that everyone should carry out transfer risk assessments, regardless of which version of the SCCs is used. This is necessary in the case of the former SCCs due to the Schrems II decision (discussed here), as outlined in the guidelines of the European Data Protection Board (discussed here). For U.S. companies, this means dealing with U.S. national security laws. The proposed IDTA and TRA toolkit seems to be a bit more practical than the published EDPB guidelines for use in relation to the EU SCCs and other transfer instruments, and the ICO's attempt to help organisations really weigh risks is useful. However, it is hard to escape the fact that they still take a lot of time and effort to research, consider and complete. There are also subtle differences, especially in how the documents need to be completed, and completing them side by side with the TRAs to be used with the EU SCCs takes a lot of time and resources. Oliver Dowden's announcement of 26 August, underlining the importance for the UK of adopting adequacy decisions with respect to third countries and establishing a list of priority countries for adequacy assessment, including the United States, Australia and Singapore, is therefore useful.
Ultimately, adequacy decisions are the only way to allow data to flow freely to a third country. Please contact one of our data protection lawyers if you need help deciding whether you can make such a transfer and whether it complies with the law, or if you need advice on transferring personal data from the UK before the draft documents are finalised. Following the decision in the Schrems II case last year, the EU published an updated version of the SCCs in June 2021. However, after Brexit, these updated SCCs will not apply under the UK GDPR. The ICO is therefore keen to publish its own UK version of the SCCs to ensure that they comply with Schrems II, which is part of EU law retained under the Withdrawal Agreement. The ICO has published new plans for a framework to replace the EU SCCs after Brexit. The proposals include significant changes to the SCCs, in particular in the context of the new draft International Data Transfer Agreement (IDTA). All organisations involved in the transfer of data outside the UK should read it carefully.
The Office of the United Kingdom Information Commissioner has launched a consultation phase on its draft International Data Transfer Agreement and its guidelines. The IDTA will replace the current standard contractual clauses. The ICO consultation is divided into three sections covering the proposal and plans for updating the data transfer guidelines, the risk assessments for the transfer and the International Data Transfer Agreement. Submissions must be made by October 7.
In the meantime, companies may be able to take some comfort from the ICO's statement regarding the TRA that « if you can show that you have made every effort to complete a TRA, whether or not you use this TRA tool, if later it turns out that your decisions were not correct, we will take this into account in our likely approach to any breach of Chapter V of the UK GDPR ». As always, the message is that the ICO is likely to take a sympathetic approach to companies that have made every effort to meet their international transfer obligations and can prove that this is the case, even if the ICO could ultimately arrive at a different point of view. So far, there is nothing to suggest that this pragmatism is likely to change under the leadership of John Edwards.