Information Commissioner's Office
ICO consults on how organisations can continue to protect people’s personal data when it’s transferred outside of the UK
The Information Commissioner’s Office (ICO) has launched a public consultation on its draft international data transfer agreement (IDTA) and guidance.
When organisations send personal information to a country outside the UK, they must ensure people’s data protection rights continue to be protected. An IDTA is a contract that organisations can use when transferring data to countries not covered by adequacy decisions.
The IDTA will replace the current standard contractual clauses (SCCs) to take into account the binding judgment of the European Court of Justice in a case commonly known as ‘Schrems II’. The ruling required organisations to carry out further diligence when making a transfer of personal data outside of the UK to countries without an adequacy decision.
The consultation is split into three sections, offering a selection of proposals and options to consider.
- Proposal and plans for updates to guidance on international transfers.
- Transfer risk assessments.
- The international data transfer agreement.
The ICO is also asking for views on any relevant privacy rights, legal, economic or policy considerations and implications. Responses will help the regulator understand the practical impact of proposed approaches on organisations.
The new IDTA will support the UK’s digital economy by continuing to enable the global flow of people’s information with the safeguards of high standards of data protection.
Steve Wood, ICO Executive Director of Regulatory Strategy, said:
“The modern world involves increasing flows of personal data about citizens to deliver goods and services. Ensuring data is well-protected when transferred outside of the UK will be vital in maintaining people’s trust in the system. Our new IDTA is developed to ensure such protections are in place.
“We understand that international transfers can be complex, especially for smaller businesses. Our new guidance has been designed to be accessible and to ensure they support all organisations, from SMEs without the benefit of large legal budgets to multi-national companies. The agreements will help organisations to continue to trade freely while ensuring the correct protections are in place before transferring people’s data.
“This consultation is important. We know how important it is for transfer tools to work in practice, and the ICO wants to support businesses in this area. The responses we receive will inform our final work and I encourage all organisations that undertake international transfers to engage with the consultation and provide feedback”.
The ICO’s work around IDTAs, and its consultation, are a requirement under s119a of the Data Protection Act 2018. The consultation will inform the final documents the ICO will lay before Parliament. The consultation will remain open until 5pm on 7 October 2021.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has its head office in Wilmslow, Cheshire, and regional offices in Edinburgh, Cardiff and Belfast.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.
Latest News from
Information Commissioner's Office
Statement in response to use of ICO corporate charge card28/09/2021 15:20:00
An ICO spokesperson released a statement in response to use of ICO corporate charge card
Statement in response to use of ICO corporate charge card27/09/2021 16:43:00
Statement given in response to use of ICO corporate charge card.
International progress for domestic benefit: why the ICO convened a G7 meeting on data flows20/09/2021 16:15:00
A blog by Elizabeth Denham, UK Information Commissioner
We Buy Any Car, Sports Direct and Saga fined £495,000 after sending millions of ‘frustrating and intrusive’ nuisance messages.15/09/2021 13:20:00
The ICO has today announced fines totalling £495,000 to well-known companies that between them sent more than 354 million nuisance messages.
Blog: Sharing personal data in an emergency – a guide for universities and colleges15/09/2021 09:15:00
A blog by Viv Adams, Principal Policy Adviser in the ICO Parliament and Government Affairs team
G7 data protection and privacy authorities’ meeting: communiqué13/09/2021 09:10:00
The UK Information Commissioner’s Office (ICO) brought together data protection and privacy authorities from G7 countries, as well as guests from the Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF), for a discussion this week on shared emerging challenges that need closer international collaboration.
Statement in response to DCMS consultation into proposed data protection reform10/09/2021 14:10:00
Statement given yesterday in response to DCMS consultation into proposed data protection reform.
ICO to call on G7 countries to tackle cookie pop-ups challenge07/09/2021 14:10:00
The UK Information Commissioner’s Office (ICO) will today call on fellow G7 data protection and privacy authorities to work together to overhaul cookie consent pop-ups, so people’s privacy is more meaningfully protected and businesses can provide a better web browsing experience.