On February 2, 2022, the Secretary of State placed the UK Information Commissioner’s Office's (“ICO's ”) final international data transfer agreement (“IDTA”) and international data transfer addendum to the European Commission’s standard contractual clauses (“SCCs”) for international data transfers (“Addendum”) before the European Parliament. The IDTA and Addendum are set to come into force on March 21, 2022, but the ICO advises that they are of use to organizations immediately. The ICO also has stated that it intends to publish additional guidance on use of the IDTA and Addendum.
View the ICO’s final drafts of the IDTA and Addendum.
We previously reported on the ICO's consultation of the IDTA:
On August 11, 2021, the ICO launched a consultation on its draft IDTA and guidance for organizations on international transfers (the “Guidance”). Once finalized, the IDTA will replace the existing SCCs in the UK. The consultation follows both the UK’s exit from the EU, and the July 2020 Schrems II judgment, in which the Court of Justice of the European Union (“CJEU”) (1) invalidated the EU-US Privacy Shield, and (2) confirmed the validity of the SCCs but required exporting entities to carry out an assessment on a case-by-case basis to verify whether the SCCs provide an adequate level of protection for the personal data transferred, and to implement additional safeguards where that is not the case. The European Commission recently published updated SCCs under the EU General Data Protection Regulation (“GDPR”), however, these do not apply in the UK following Brexit. The ICO must therefore publish its own set of SCCs under the UK GDPR (the GDPR as incorporated into the law of the UK).
The consultation is split into three separate sections, covering proposals for the Guidance, transfer risk assessments (“TRAs”), and the IDTA. The ICO also provides a template Addendum to the EU SCCs, allowing organizations to adapt those SCCs to work in the context of UK transfers. The consultation is open until October 7, 2021, and responses can be submitted by completing the consultation paper and questions and sending them to IDTA.consultation@ico.org.uk. Hunton will prepare a response in conjunction with our Centre for Information Policy Leadership.
The Guidance
For the Guidance, the consultation seeks input on questions around the transfer of personal data, but also includes broader questions relating to the scope of the UK GDPR, such as when Articles 3(1) and 3(2) of the UK GDPR apply to overseas processors of UK personal data. Questions are posed regarding when a relevant transfer is deemed to have taken place, for example providing one interpretation under which the return of data by a UK processor to an overseas controller would not be considered a restricted transfer. In some instances, the consultation invites respondents to select different options depending on their interpretation of the UK GDPR. One of the most notable options provided in the consultation is maintenance of the ICO’s position that a transfer to an entity already directly subject to the UK GDPR by virtue of Article 3(2) does not constitute a restricted transfer. However, the ICO indicates in the consultation that its current intention is not to select this approach.
The consultation further covers the derogations available under Article 49 of the UK GDPR, querying whether exporters should be required to attempt a transfer mechanism before relying on the derogations, and whether the requirements for the derogations to be “necessary” should be interpreted as “strictly necessary.” The responses received during the consultation period will influence the position the ICO takes with respect to these key questions in the Guidance.
TRA
The ICO has produced a draft TRA tool to assist organizations when making routine transfers, though organizations are also free to use their own methods to assess risk. The tool involves a three-stage process for assessing risk.
The organization must first establish that the tool is suitable for its transfer (e.g., the transfer is routine rather than high risk). As part of this assessment the organization must consider a number of factors, such as the nature of the importer, any onward transfers, the purpose and method of transfer, and its regularity.
Second, the organization must assess whether the IDTA would be enforceable in the destination country. If there is doubt, the organization should carry out a supplementary risk assessment to assess the potential for harm to data subjects and identify extra protections that may reduce the risk. The ICO provides guidance as to when the risk of harm will be assessed as low, moderate or high, for example deeming basic employment or contact information to be low risk. It also provides guidance as to factors that may reduce or increase the risk of harm to data subjects, with automated decision-making by the importer constituting one risk factor, as well as guidance on measures that may be implemented to supplement the IDTA.
The final step is to assess the destination country’s regime for regulating third-party access to personal data, including an assessment of surveillance laws. Again, the ICO provides guidance as to factors that are likely to safeguard the rights of data subjects and factors that are likely to undermine them, as well as guidance on assessing the likelihood of third-party access. The draft tool specifies that the transfer should only go ahead where the destination’s regime is sufficiently similar to the UK’s, the risk of third-party access is minimal, or the risk of harm to data subjects is low even in the event of third-party access. Specifically, the TRA tool states: “If you decide… the risk of harm to data subjects is low even if there is concerning third party access, you may proceed with the restricted transfer using the IDTA together with the extra steps and protections you identify.”
IDTA
The draft template IDTA does not follow the same structure as the EU SCCs, instead providing separate sections for details of the parties, the transfer (including whether the importer is permitted to make further transfers and the frequency with which the IDTA will be reviewed), the data transferred and the purpose of the transfer, as well as the security measures that will be implemented at each stage of the transfer. The IDTA also includes “Mandatory Clauses” which set out the exporter’s and importer’s obligations with respect to the transfer. The Mandatory Clauses include provisions regarding how the exporter and importer will ensure that there are appropriate safeguards in place with respect to the transfer, compliance with ICO requests, the actions to be taken in the event of a personal data breach, onward transfers and sub-processing and data subject rights.
The ICO invites feedback on its draft IDTA, including whether it is clear to organizations how the IDTA should be used in conjunction with the TRA tool, whether organizations are likely to use it, whether a modular approach (such as that taken by the European Commission in its new SCCs) would be preferable, and whether the ICO should provide a separate multi-party IDTA.
The ICO also proposes including additional guidance templates, covering, for example, optional TRA extra protection clauses, commercial clauses, and examples of a completed TRA and IDTA.
The ICO also queries whether it should issue an IDTA in the form of an addendum to existing model transfer agreements, such as the EU SCCs, and provides a template Addendum that amends the EU SCCs to work in the context of UK data transfers. This Addendum would potentially provide a practical compliance solution for many companies transferring personal data from the EU and the UK, which would otherwise be required to put in place separate data transfer agreements.
The full consultation can be viewed here.
Search
Recent Posts
- Website Use of Third-Party Tracking Software Not Prohibited Under Massachusetts Wiretap Act
- HHS Announces Additional Settlements Following Ransomware Attacks Including First Enforcement Under Risk Analysis Initiative
- Employee Monitoring: Increased Use Draws Increased Scrutiny from Consumer Financial Protection Bureau
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code