Draft International Data Transfer Agreement

For those organisations that have to transfer data to third countries with no adequacy decision, it can be a bumpy ride. With Schrems II and the demise of Privacy Shield, it can be a burdensome journey. Although new SCCs are now in place, it can still be a difficult area for many organisations.

The ICO has now put out for consultation a draft International Data Transfer Agreement.

This is a suggested new framework for international data flows to third countries.

The draft document package consists of a draft international TRA and tool, a draft IDTA and a draft addendum to the new EU Commission SCCs. It is designed to assist Controllers and Processors of data in ensuring high standards of protection for international data transfers.

Clearly new frameworks take time to implement and the new IDTA is looking at the following timescale.

24 months to implement a UK IDTA

  • August 11th 2021 public consultation launch
  • October 7th 2021 end of consultation
  • December 2021 IDTA laid before parliament
  • January 2022 Parliamentary objection timeframe
  • April 2022 Directive SCCs can be used in existing contracts only
  • January 2024 Directive SCCs can no longer be used

What is the Draft International Data Transfer Agreement (IDTA)?

The IDTA is a contract for organisations to use when making a restricted transfer of personal data to a country outside the UK. The personal data transferred is referred to as the Transferred Data. The Information Commissioner decided that the IDTA contains appropriate safeguards for the Transferred Data, including effective and enforceable data subject rights. The IDTA ensures that the relevant protections for Data Subjects of the Transferred Data are sufficiently similar to UK protections.

What is a Restricted Transfer?

Data transfers are referred to as restricted if:

  • the GDPR applies to the personal data you are transferring
  • you are sending personal data to or making it accessible to a receiver [to whom the UK GDPR does not apply] OR [located in a country outside the UK]
  • the receiver is a separate company or individual (including another company in the same corporate group).

Under the UK GDPR, you cannot make a restricted transfer unless:

  • it is to a country covered by UK adequacy regulations;
  • an exception covers the transfer; or
  • you make it with appropriate safeguards.

An IDTA is one of the UK GDPR’s appropriate safeguards.

What is a Transfer Risk Assessment?

It is also necessary to complete a transfer risk assessment (TRA) to make sure that the IDTA works as you intend in the country where the receiver of the Personal Data is located. The TRA checks that local laws and practices do not override the protections that the IDTA contains. This ensures that the relevant protections for Data Subjects of the Transferred Data are sufficiently similar to the UK’s protections. The ICO’s guidance on TRAs may evolve over time in response to changes in legislation, case law and practical review of the operation of the guidance.

The onus for the TRA is still on the organisation, which means that, no matter the size of the organisation, it is still going to have to research the local laws and regulations about the company. For many organisations this will be burdensome and, in my opinion, remains a risk.

How Does the IDTA Work?

The Exporter and the Importer both enter into the IDTA.

The IDTA contains:

  • tables which you should use to set out specific information about the Exporter, the Importer and the restricted transfer;
  • the option to include extra protection clauses. When you complete your TRA, you may decide that the IDTA needs extra steps in order to provide the right level of protection. These can be set out in this section but must be included in the IDTA or the Linked Agreement if the IDTA is to work as an appropriate safeguard;
  • the option to include commercial clauses agreed by the Exporter and Importer, provided that these do not contradict the IDTA; and
  • a set of Mandatory Clauses which must always be included. This includes the Legal Glossary.

How does the IDTA link to the other agreements I have with the Importer?

When you make a restricted transfer, you will often, but not always, also have a service, data sharing or processing agreement between you and the Importer. In particular, if the Importer is your Processor or Sub-Processor, the UK GDPR requires you to have an agreement in place.

The agreement must contain specific terms, as Article 28 UK GDPR requires. We call these ‘Linked Agreements’ in the IDTA, as they link to the restricted transfer you are making. They are useful as they often contain a lot of the information you need to complete the tables.

In those cases, you can refer to the relevant section of the Linked Agreement. It is very important that, if any of the terms contradict each other, the IDTA terms override the Linked Agreements. This is to make sure that the Transferred Data has the right level of protection set out in the IDTA.

Conclusion

Clearly this is still in the consulting phase and the jury is still out. If we can get this right then it could be an easier solution for some than using SCCs; however, there are still some very valid questions, e.g. is it really going to be possible for organisations to do a full TRA? Are they really going to be able to research the data protection laws of another country?

The full consultation document can be viewed here and it is certainly worth a read.
