The ICO is consulting about the protection of personal data transferred outside of the UK.
The ICO has launched a public consultation on its draft international data transfer agreement (IDTA) and guidance.
It points out that when organisations send personal information to a country outside the UK, they must ensure people’s data protection rights continue to be protected. Its proposed IDTA is a contract that organisations can use when transferring data to countries not covered by adequacy decisions.
The IDTA will replace the current standard contractual clauses (SCCs) to take into account the 2020 judgment of the European Court of Justice in Schrems II. The ruling said that SCCs were valid, but required organisations to carry out further diligence when making a transfer of personal data to countries without an adequacy decision.
The consultation has three sections:
The ICO is also asking for views on any relevant privacy rights, legal, economic or policy considerations and implications to help it to understand the practical impact of proposed approaches on organisations.
The new IDTA aims to support the UK’s digital economy by continuing to enable the global flow of people’s information with the safeguards of high standards of data protection.
The ICO’s work around IDTAs, and its consultation, are a requirement under s119a of the Data Protection Act 2018. The consultation will inform the final documents the ICO will lay before Parliament. It ends on 7 October 2021.