We recently acted for the UK arm of a multi-national company in connection with the transfer of personal data to an HR services-provider based in the United States.
An International Data Transfer Agreement (IDTA) was prepared for the client using the Information Commissioner’s Office (ICO) standard form agreement, which came into force on 21 March 2022 (as well as a Data Transfer Addendum which can be used with the EC Standard Contractual Clauses). Any contract signed after 21 September 2022 is required to use the IDTA or the Addendum for a ‘restricted’ transfer of personal data from the UK – i.e. one to a jurisdiction not covered by UK adequacy regulations and where none of the exceptions set out in the UK GDPR apply.
The United States is not covered by the adequacy regulations and none of the exceptions were applicable, so an IDTA was required as this is a so-called Article 46 transfer mechanism providing ‘appropriate safeguards’ for the transfer where there is no adequacy finding or applicable exceptions.
The ICO make it abundantly clear that any person relying on an Article 46 transfer mechanism must carry out a transfer risk assessment (TRA). The reason for this is that, taking into account factors such as the nature of the personal data being transferred and the legal regime in the recipient jurisdiction, the IDTA on its own may not be sufficient to provide the required protections under the UK data protection regime for the data subjects whose personal data is being transferred. The TRA allows a structured and methodical analysis to be carried out on this sufficiency issue, and the outcome may be that additional protections are needed, be they organisational, technical and so on.
In this case, we prepared a detailed TRA following guidance published by the ICO as to content and structure. This required us to examine the nature of the personal data being transferred, the contractual and other safeguards in place with the recipient in the United States and relevant aspects of the US legal regime, such as the ability of third parties (e.g. government bodies) to access personal data held by commercial organisations, and any applicable constraints and safeguards. Current US law and recent developments in this area were considered. For example, on 7 October 2022, President Biden signed an Executive Order on Enhancing Safeguards for US Signals Intelligence Activities, which is aimed at addressing concerns raised by the European Court of Justice about the risk of US government surveillance to the privacy rights of Europeans (with the ultimate aim of allowing reinstatement of the EU-US Privacy Shield). Although the Order has a specific EU angle, it seems likely that its ambit will be extended to UK data subjects given the close alignment between EU and UK data protection laws, and so this was a relevant potential risk mitigant.
The TRA must be thorough and forensic, and not a case of simply ‘going through the motions’. If an appropriate safeguard used by an organisation transferring restricted data to another jurisdiction is subsequently challenged, the TRA will be vital in demonstrating that correct processes were followed.
In this case, we concluded on the basis of the TRA exercise, that the IDTA provided an appropriate safeguard for the restricted transfer.
If you need any advice on an International Data Transfer Agreement, please do not hesitate to contact a member of our data protection team, who will be happy to assist.