- 30 November 2022
- Privacy and Data Protection
We recently acted for the UK arm of a multi-national company in connection with the transfer of personal data to an HR services-provider based in the United States.
An International Data Transfer Agreement (IDTA) was prepared for the client using the Information Commissioner’s Office (ICO) standard form agreement, which came into force on 21 March 2022 (as well as a Data Transfer Addendum which can be used with the EC Standard Contractual Clauses). Any contract signed after 21 September 2022 is required to use the IDTA or the Addendum for a ‘restricted’ transfer of personal data from the UK – i.e. one to a jurisdiction not covered by UK adequacy regulations and where none of the exceptions set out in the UK GDPR apply.
The United States is not covered by the adequacy regulations and none of the exceptions were applicable, so an IDTA was required as this is a so-called Article 46 transfer mechanism providing ‘appropriate safeguards’ for the transfer where there is no adequacy finding or applicable exceptions.
The ICO make it abundantly clear that any person relying on an Article 46 transfer mechanism must carry out a transfer risk assessment (TRA). The reason for this is that, taking into account factors such as the nature of the personal data being transferred and the legal regime in the recipient jurisdiction, the IDTA on its own may not be sufficient to provide the required protections under the UK data protection regime for the data subjects whose personal data is being transferred. The TRA allows a structured and methodical analysis to be carried out on this sufficiency issue, and the outcome may be that additional protections are needed, be they organisational, technical and so on.
The ICO make it abundantly clear that any person relying on an Article 46 transfer mechanism must carry out a transfer risk assessment (TRA).
In this case, we prepared a detailed TRA following guidance published by the ICO as to content and structure. This required us to examine the nature of the personal data being transferred, the contractual and other safeguards in place with the recipient in the United States and relevant aspects of the US legal regime, such as the ability of third parties (e.g. government bodies) to access personal data held by commercial organisations, and any applicable constraints and safeguards. Current US law and recent developments in this area were considered. For example, on 7 October 2022, President Biden signed an Executive Order on Enhancing Safeguards for US Signals Intelligence Activities, which is aimed at addressing concerns raised by the European Court of Justice about the risk of US government surveillance to the privacy rights of Europeans (with the ultimate aim of allowing reinstatement of the EU-US Privacy Shield). Although the Order has a specific EU angle, it seems likely that its ambit will be extended to UK data subjects given the close alignment between EU and UK data protection laws, and so this was a relevant potential risk mitigant.
The TRA must be thorough and forensic, and not a case of simply ‘going through the motions’. If an appropriate safeguard used by an organisation transferring restricted data to another jurisdiction is subsequently challenged, the TRA will be vital in demonstrating that correct processes were followed.
In this case, we concluded on the basis of the TRA exercise, that the IDTA provided an appropriate safeguard for the restricted transfer.
If you need any advice on an International Data Transfer Agreement, please do not hesitate to contact a member of our data protection team, who will be happy to assist.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
About this article
SubjectClarkslegal act for a multi-national company on an International Data Transfer Agreement
ExpertisePrivacy and Data Protection
Published30 November 2022
Read, listen and watch our latest insights
- 06 February 2023
Redundancy and settlement agreements – What you need to know
In this podcast Ciara Duggan and Sana Nahas members of the employment team at Clarkslegal will guide you through the tricky topic of redundancy and settlement agreements, covering what redundancy means for both employers and employees, as well as how settlement agreements work in practise.
- 01 February 2023
What to expect in construction in 2023
Recent years have brought a host of challenges for the construction industry but what we expect for 2023?
- 30 January 2023
Deborah Scales comments on ‘the proposed Mental Health First Aid Bill’
In People Management, Deborah Scales, Associate at Clarkslegal, discusses the reasons why people professionals would likely welcome a change in set law as a “relatively swift and cost-effective” way to help the workplace.
- 26 January 2023
- Privacy and Data Protection
UK Data Protection: Development round-up 2022 and 2023 trends
In this podcast Oscar Poku and Ciara Duggan members of the Data Protection team at Clarkslegal will be discussing the main developments in the UK Data Protection scene from 2022 and what trends to look out for in 2023.
- 25 January 2023
Government’s response to menopause recommendations in the workplace
The UK Government has recently rejected calls for the menopause to be made a ‘protected characteristic’ and for a large-scale pilot of menopause leave.
- 24 January 2023
Can I still apply to the EU Settlement Scheme after my divorce?
A family member of a ‘qualifying’ EEA national (including the EU, Switzerland, Norway, Iceland, and Liechtenstein) must apply for an EU Settlement Scheme (EUSS) Family Permit to join their EEA family member in the UK. The EUSS Family Permit is valid for 6 months, and once in the UK, the family member must apply for status under the EU Settlement Scheme.