64: ICO consultation on protecting personal data transferred outside of the UK
On 11 August 2021 the ICO launched a consultation on its draft international data transfer agreement (IDTA) and accompanying guidance, setting out how organisations can continue to protect personal data when it is transferred outside the UK.
Under the UK GDPR, transfers of personal data to a country outside the UK or to an international organisation ("restricted transfers") may only take place where adequacy regulations apply (confirming that the third country or international organisation provides an adequate level of protection), where appropriate safeguards are in place, or where certain derogations apply.
Currently, UK exporters making restricted transfers where no adequacy regulation or relevant exception applies need to put in place individual contractual agreements covering the transfer, and in practice rely on the old EU Standard Contractual Clauses (SCCs). The EU published new SCCs in June 2021, but these have not been adopted by the UK.
The IDTA is an updated template contract that UK organisations can use as an appropriate safeguard when making restricted transfers not covered by an adequacy regulation or a relevant exception. It can be used in more circumstances than the old SCCs, includes additional language reflecting the parties' obligations following the CJEU's Schrems II decision (which requires a transfer impact assessment to be completed before the transfer), and addresses obligations under the UK GDPR that the old SCCs do not cover.
The new EU SCCs will not be valid for data transfers from the UK under the UK GDPR, and the IDTA will not be valid for data transfers from the EEA under the EU GDPR. The ICO has therefore also published a separate draft addendum that modifies the new EU SCCs so that UK exporters can use them too, provided the addendum is incorporated and validly executed. In practice, organisations subject to both regimes or with pan-European operations are likely to rely on this route rather than maintaining two separate sets of clauses.
How might this impact trustees?
As data controllers, trustees are responsible for ensuring that appropriate safeguards are in place for any member personal data transferred outside the UK where no adequacy regulation has been granted for the destination country (note that transfers to the EEA are covered by an adequacy regulation).
The IDTA requires significantly more transfer-specific information to be included, such as the status of the parties, the nature of the data transferred, and detailed information about the protections that will be implemented. There is also a requirement for the parties to review the agreement regularly (at least every year). This all means more diligence up front and ongoing review.
Trustees should check with their processors and joint controllers about which safeguards they are relying on for any such transfers, and consider reviewing the transfer provisions in their policies and contracts to ensure they will meet the requirements of the IDTA.
The consultation runs until 7 October 2021 and it is anticipated the final version of the IDTA will be available to use in late 2021.
In other news
On 9 September 2021, the government launched a consultation on reforms to the UK's data protection regime, intended 'to boost innovation, economic growth and protect the public'. Plans include tougher penalties for nuisance calls and text messages, and the government wants the new data regime to be 'based on common sense, not box ticking'. The consultation closes on 19 November 2021 and it will be interesting to see the outcome.
If you require any assistance with these issues or any pensions matter, contact the BDB Pitmans pensions team.