On February 2, 2020, the U.K.’s Information Commissioner’s Office (ICO) presented final versions of the following documents to Parliament: the International Data Transfer Agreement (IDTA); an addendum (the Addendum) to the EU’s standard contractual clauses for international data transfers; and an additional document laying out transitional provisions. If there are no objections from Parliament, the changes to international data transfers described in these documents will take effect on March 21, 2022.
The need for the Agreement and Amendments originated with Brexit, and the ICO began soliciting public commentary last year.
What is the UK International Data Transfer tool?
Upon acceptance by Parliament, the IDTA allows the UK to adhere to the EU’s General Data Protection Regulation (GDPR) requirements and to its own Data Protection Act 2018. Once in force, data transfers into and out of the U.K. will have protections and procedures equivalent to the EU’s standard contractual clauses (SCCs). In a blog post from the ICO, a spokesperson said:
The IDTA and Addendum are written with the aim of helping organizations ensure they have the correct protections in place when transferring people’s data outside of the UK to countries not covered by adequate decisions. Applying high standards of data protection to global data flows is essential in maintaining people’s trust in this ecosystem.
What Risk Management Needs to Know About IDTA
That may sound straightforward, but Linnea Solem (Solem Risk Partners), a retired Chief Privacy Officer and industry expert, offers a note of caution:
“Adopting the EU’s Standard Contractual Clauses (SCCs) or the UK’s International Data Transfer Agreements for new and existing data processor relationships is a much larger undertaking than simply updating contracts. The changes put a spotlight on both data governance and enforcement of data protection safeguards that impact the governance model and policies in a TPRM Program.”
Parts of the IDTA
Included in the ICO’s announcement are five PDFs that will be useful to organizations involved in the transfer of data outside the U.K., beginning with the IDTA, which is thirty-six pages long and consists of four parts:
- Extra Protection Clauses
- Commercial Clauses
- Mandatory Clauses
Part 1 has four sections requiring (1) the names, signatures, and contact information of the participating parties, (2) transfer details, (3) details about the data transferred, and (4) security requirements. Part 4, Mandatory Clauses, is the lengthiest section. It contains information to help the reader understand the IDTA and how to complete it, and includes a five-page legal glossary explaining how words and phrases “must be interpreted in the IDTA.”
Solem notes that, for TPRM practitioners, managing GDPR compliance is complex for outsourcers and service providers, which must adopt new contract provisions and ensure that their due diligence processes align with the strengthened obligations for third party risk management. CPO Magazine points out that the IDTA began as “essentially a copy” of the EU’s GDPR but changed as it developed, and it departs from the EU’s SCCs in a number of ways, which Weil Gotshal points out on Lexology:
- The IDTA recognizes that the parties may have entered into a separate commercial agreement (referred to as the ‘Linked Agreement’ in the IDTA) and allows for the parties to incorporate the terms of the Linked Agreement into the IDTA.
- The IDTA allows parties to resolve disputes arising out of or in connection with the IDTA through arbitration whereas the New EU SCCs include mandatory jurisdiction and governing law provisions.
- The parties are able to agree on audit provisions in the Linked Agreement. The audit provisions in the IDTA will only apply where the Linked Agreement does not provide an audit mechanism.
- Unlike the New EU SCCs, the IDTA does not adopt a modular structure which can be complex to put in place. It also imposes reduced obligations on the importer in some circumstances. For example, where a data importer experiences a data breach, the New EU SCCs require the data importer to notify the supervisory authority. In contrast, the IDTA does not require this. This is likely to be welcomed by UK data exporters because it gives them greater control over the flow of information following a data breach.
Tom Garrubba, Vice President at Shared Assessments, notes that besides including effective and enforceable data subject rights, the IDTA contains appropriate safeguards for the transferred data, adding, “Since these are enforceable, it’s extremely important that both the outsourcer and processor are able to achieve the agreeable conditions (e.g., the security and privacy controls) over data transfers.”
Solem points out that data governance is front and center in the UK ICO’s guidance on international data transfers. “Organizations that need to comply with both GDPR and the UK’s requirements need to build out their operational plans and bring together a strong understanding of the relationship between contracts, vendor management and privacy.” For additional background and perspective, read Solem’s post about Data Privacy Day last month on the Shared Assessments blog, which includes her thoughts on the EU/GDPR aspect of Standard Contractual Clauses.