Search

How can we help?

Icon

Clarkslegal act for a multi-national company on an International Data Transfer Agreement

We recently acted for the UK arm of a multi-national company in connection with the transfer of personal data to an HR services-provider based in the United States.

An International Data Transfer Agreement (IDTA) was prepared for the client using the Information Commissioner’s Office (ICO) standard form agreement, which came into force on 21 March 2022 (as well as a Data Transfer Addendum which can be used with the EC Standard Contractual Clauses). Any contract signed after 21 September 2022 is required to use the IDTA or the Addendum for a restricted transfer of personal data from the UK – i.e. one to a jurisdiction not covered by UK adequacy regulations and where none of the exceptions set out in the UK GDPR apply. 

The United States is not covered by the adequacy regulations and none of the exceptions were applicable, so an IDTA was required as this is a so-called Article 46 transfer mechanism providing ‘appropriate safeguards for the transfer where there is no adequacy finding or applicable exceptions.

The ICO make it abundantly clear that any person relying on an Article 46 transfer mechanism must carry out a transfer risk assessment (TRA). The reason for this is that, taking into account factors such as the nature of the personal data being transferred and the legal regime in the recipient jurisdiction, the IDTA on its own may not be sufficient to provide the required protections under the UK data protection regime for the data subjects whose personal data is being transferred. The TRA allows a structured and methodical analysis to be carried out on this sufficiency issue, and the outcome may be that additional protections are needed, be they organisational, technical and so on. 

Jon Chapman

Senior Consultant

View profile

+44 118 960 4683

The ICO make it abundantly clear that any person relying on an Article 46 transfer mechanism must carry out a transfer risk assessment (TRA).

In this case, we prepared a detailed TRA following guidance published by the ICO as to content and structure. This required us to examine the nature of the personal data being transferred, the contractual and other safeguards in place with the recipient in the United States and relevant aspects of the US legal regime, such as the ability of third parties (e.g. government bodies) to access personal data held by commercial organisations, and any applicable constraints and safeguards. Current US law and recent developments in this area were considered. For example, on 7 October 2022, President Biden signed an Executive Order on Enhancing Safeguards for US Signals Intelligence Activities, which is aimed at addressing concerns raised by the European Court of Justice about the risk of US government surveillance to the privacy rights of Europeans (with the ultimate aim of allowing reinstatement of the EU-US Privacy Shield). Although the Order has a specific EU angle, it seems likely that its ambit will be extended to UK data subjects given the close alignment between EU and UK data protection laws, and so this was a relevant potential risk mitigant. 

The TRA must be thorough and forensic, and not a case of simply going through the motions. If an appropriate safeguard used by an organisation transferring restricted data to another jurisdiction is subsequently challenged, the TRA will be vital in demonstrating that correct processes were followed. 

In this case, we concluded on the basis of the TRA exercise, that the IDTA provided an appropriate safeguard for the restricted transfer. 

If you need any advice on an International Data Transfer Agreement, please do not hesitate to contact a member of our data protection team, who will be happy to assist. 

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Jon Chapman

Senior Consultant

View profile

+44 118 960 4683

About this article

Read, listen and watch our latest insights

art
  • 10 July 2024
  • Employment

Redundancy : Back to Basics FAQs

Redundancy can be a scary and overwhelming time both for employees being made redundant, and for those that have to make the decision. It is important for both parties to know their rights and obligations in this time.

art
  • 09 July 2024
  • Public Procurement

Buyer Beware: Practical Guidance for Breach of Warranty in an SPA

Are you buying a business? Whether you are buying shares in a company or purchasing its assets… the general Latin common law principle “caveat emptor” applies.

art
  • 08 July 2024
  • Corporate and M&A

Navigating corporate transparency: ECCTA reforms series

This is the second article in a series exploring the changes brought by the Economic Crime and Corporate Transparency Act 2023 (ECCTA).

art
  • 08 July 2024
  • Immigration

Right to Work Check Guidance – Key Changes for Employers

This updated guidance introduces several significant changes aimed at streamlining the right to work verification process for employers.

Pub
  • 02 July 2024
  • Privacy and Data Protection

Data protection unlocked for HR: Introduction to data protection

Lucy Densham Brown and Sana Nahas from the data protection team will discuss data protection issues encountered by HR professionals in the first episode of the ‘Data Protection Unlocked for HR’ podcast series.

Pub
  • 27 June 2024
  • Employment

TUPE Podcast Series: What Transfers

In this sixth podcast in our TUPE Podcast Series, Amanda Glover will delve into the automatic transfer principle and what transfers to the incoming employer under TUPE.