A return to safer waters? The ICO publishes the International Data Transfer Agreement: a welcome development for UK personal data exporters
The IDTA ensures that international personal data transfers from the UK are compliant with the UK GDPR from a safeguarding and handling perspective.
Data transfers between the UK and the US have always been difficult, save for the relatively short-lived days of Safe Harbour and the EU-US Privacy Shield before their validity was eroded.
Schrems II (a CJEU judgment which adversely impacted an organisation’s ability to transfer personal data to the US) together with Brexit had raised question marks over an organisation’s ability to lawfully transfer personal data to the US. However, the Information Commissioner’s Office (“ICO”) has provided some much-needed good news in this area, until further negotiations with the US solve this conundrum, albeit potentially on a temporary basis.
In an attempt to address some of the issues raised by Schrems II and, post-Brexit, to continue the Standard Contractual Clauses (“SCCs”) model previously enjoyed within the EU when transferring personal data to a third country, the ICO (after extensive consultation) has introduced the International Data Transfer Agreement (“IDTA”) and Addendum as transfer tools to comply with Article 46 of the UK GDPR when making restricted transfers.
The IDTA has been developed to assist a data exporter in ensuring that any relevant international personal data transfer from the UK is in compliance with the UK GDPR from a handling and safeguarding perspective. Under the UK GDPR, in a similar manner to the EU GDPR, restrictions are imposed upon the international transfer of personal data to address the non-uniformity of data protection globally; therefore, the intention of the IDTA is to ensure that exported personal data is governed in accordance with standards applied within the UK.
The IDTA is the UK equivalent of the new EU SCCs, which were published by the European Commission in 2021. This is an important development for UK data exporters, who had been unable to utilise the new EU SCCs and instead had to continue to rely upon the old EU SCCs, as US transfers had become problematic due to Schrems II.
In addition to the IDTA, the ICO has developed an Addendum which can be used by organisations alongside the EU SCCs, permitting compliance with UK data protection law. This will be of particular benefit to multinationals and organisations currently utilising the EU SCCs, as the Addendum adds clauses to the EU SCCs which are UK compliant.
Please note that, regardless of the method used to export personal data, you must still carry out a risk assessment to ensure, for example, that the protection provided by the IDTA or Addendum is sufficient for the purposes of the UK GDPR, given the specific circumstances of the transfer. Depending upon the data protection laws within the relevant territories, this may be an arduous task which is aided by use of the IDTA or Addendum.
Although it would be prudent to begin using the IDTA or the Addendum as soon as possible, and the ICO has recommended such use, the ICO has also confirmed that organisations may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. However, to have effective “appropriate safeguards” in place for the purposes of the UK GDPR, any transfers from 21 March 2024 should be on the basis of the IDTA or the Addendum, or another manner which complies with the UK GDPR.
Time is of the essence. Review your international data transfer mechanisms now to ensure that your organisation has enough time to carry out the required risk assessments and enter into the relevant documentation to achieve compliance with the UK GDPR.
To discuss this or any other issues involving data protection, contact our data protection solicitors.