UK: ICO guidance on third-country transfers - Part two: International data transfer agreements
The Information Commissioner's Office ('ICO') has issued guidance for public consultation on cross-border transfers of personal data from the UK to third countries without an adequacy decision, replacing the old Standard Contractual Clauses ('SCCs') which are currently in use for such transfers. In Part 2 of this series, Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild LLP, discusses the ICO's recommendations for what to include in international data transfer agreements ('IDTAs').
The guidance has three documents:
- Guidance on conducting a Schrems transfer impact assessment, which the ICO calls a transfer risk assessment ('the TRA Guidance');
- Guidance on international data transfer agreements ('the IDTA Guidance')1; and
- An addendum to the new EU SCCs.
Part 1 of this series discussed the key takeaways from the TRA Guidance. In Part 2, we discuss the key points from the IDTA Guidance and the guidance on the new SCCs.
- The template IDTA uses tables to set out the details of the transfer (applicable law, the status of the parties as processors or sub-processors, relevant individuals, purpose, security requirements, supplemental clauses, commercial clauses, etc.). Use of these tables is optional, but you must make sure that all the required information is included somewhere in the document.
- The document has four parts:
- Part 1: Tables including: Table 1: Parties and signature; Table 2: Transfer Details; Table 3: Transferred Data; and Table 4: Security Requirements;
- Part 2: Extra Protection Clauses;
- Part 3: Commercial Clauses; and
- Part 4: Mandatory clauses.
- The mandatory clauses cannot be changed, other than: (i) to ensure correct cross-referencing; (ii) to remove sections that are expressly stated not to apply (e.g. because of the status of the parties); or (iii) so that the IDTA operates as a multi-party agreement.
- The document is drafted in a very detailed but user-friendly manner intended to walk individuals, particularly small and medium-sized enterprises ('SMEs'), through the process more easily.
- The exporter is the organisation (or person) that is subject to the UK General Data Protection Regulation ('UK GDPR') and is sending the transferred data to a separate legal entity that is not in the UK.
- The importer is the organisation (or person) receiving or accessing the transferred data that is outside of the UK.
- The transfer agreement is necessary for restricted transfers. A restricted transfer occurs when the UK GDPR applies to the personal data and you send it to, or make it accessible to, a receiver to whom the UK GDPR does not apply or who is located in a country outside the UK. The 'or' opens up the possibility of an importer who is itself subject to the UK GDPR under Article 3(2) on extraterritorial application, which seems to contradict the language of Recital 7 of the new EU SCCs promulgated by the European Commission ('the Commission').
- It is not a restricted transfer (and so the IDTA does not cover it) where you are a processor whose processing is subject to the UK GDPR but whose controller is not subject to the UK GDPR. The only exception is where you send the data to a sub-processor to which the UK GDPR does not apply or which is located in a country outside the UK; that is a restricted transfer and is covered by the IDTA.
Signing the IDTA
- There are other ways to enter into a contract, but signing is the simplest way to evidence that the parties agree to be bound by the IDTA. You can use other methods if you choose, provided that the IDTA is binding on the parties.
- The signature may be a normal ('wet ink') signature, a secure electronic signature, or a typed digital signature if you intend it to be a signature.
- The IDTA may be binding even if you do not sign it, provided you make clear that you have agreed to its terms, for example by saying so in an email. However, it is more certain and clear if both parties sign.
- You can choose to:
- both sign one IDTA (and each keep a copy);
- both sign two identical IDTAs (and each keep one); or
- each sign one IDTA and then swap, so you each have an identical copy with the other's signature.
- You may not need to add any commercial clauses if you have a linked agreement. If you are not using any commercial clauses, the simplest thing to do is to state 'commercial clauses are not used'.
- You must be cautious when adding in commercial clauses. Your restricted transfer may breach the UK GDPR if you inadvertently reduce the level of protection in the IDTA.
- Nothing in the IDTA (including the commercial clauses or the linked agreement) limits either party's liability to relevant individuals or to the ICO under this IDTA or under UK data protection laws.
- If any wording in Parts 1, 2 or 3 contradicts the mandatory clauses, or seeks to limit any liability to relevant individuals or to the ICO, that wording will not apply.
- The importer warrants that, prior to entering into the IDTA, it has provided the exporter with all relevant information regarding local laws and practices and the protections and risks that apply to the transferred data when it is processed by the importer, including what the exporter needs in order to carry out any TRA.
- This information must be complete and accurate.
- The importer must not be aware of any local laws that contradict its obligations under the IDTA, and it must have taken reasonable steps to verify this.
- The importer must co-operate with the exporter to ensure compliance with the exporter's obligations under UK data protection law.
Both parties represent that the security requirements and extra protection clauses provide a level of security appropriate to the risk of a personal data breach occurring and to the impact such a breach would have on relevant individuals.
- The importer must keep a written record of its processing of the transferred data that demonstrates its compliance with the IDTA, and must provide that record to the exporter on request.
- If the linked agreement gives the exporter rights to obtain information or to carry out an audit, the importer must give the exporter the same rights in relation to the IDTA.
- The IDTA sets out the importer's obligations in the event of an importer personal data breach.
- The IDTA sets out the importer's obligations regarding onward transfers.
The IDTA also includes provisions on data subject rights and how they are exercised (including where a processor or sub-processor is involved), breaches of the IDTA, ending the IDTA, bringing a legal claim under the IDTA, and a legal glossary.
Regarding the new SCCs
The ICO endorses use of the new SCCs2 issued by the Commission, subject to an addendum that adapts the clauses to transfers from the UK to third countries and subjects them to the jurisdiction of the ICO and the UK courts.
Odia Kagan Partner and Chair of GDPR Compliance and International Privacy
Fox Rothschild LLP, Philadelphia
1. See: https://ico.org.uk/media/about-the-ico/consultations/2620396/intl-data-transfer-agreement-202100804.pdf
2. See: https://ico.org.uk/media/about-the-ico/consultations/2620398/draft-ico-addendum-to-com-scc-20210805.pdf