UK’s new International Data Transfer Agreement template comes into force

What happened

• The international data transfer agreement (IDTA), the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum), and a document outlining transitional arrangements were all presented before Parliament on February 2.
• The ICO held a consultation in 2021, which led to this last step.
• Section 119A of the Data Protection Act of 2018 authorises the issuance of these documents.
• These documents took effect on March 21 as no objections were presented by Parliament.
• When making restricted transfers, exporters will be able to use the IDTA or the Addendum as a transfer mechanism to comply with Article 46 of the UK GDPR.
• The IDTA and Addendum are part of a larger UK package designed to make overseas transfers easier. This includes the ICO independently supporting the government’s approach to third-country adequacy assessments.
• For 6 months, i.e. until 21 September 2022, it will be possible to choose whether to use the old template for new data transfers or the new IDTA.
• Existing transfer arrangements which will remain valid in relation to deals already in place for a further 24 months, as long as the processing operations remain unchanged.
• In most cases, there will be a good argument for switching to the IDTA before 21 March 2024.
• The ICO has committed to publishing guidance documents explaining how businesses can apply the IDTA.

Why it matters

• The IDTA exists as a result of Brexit and the Schrems II decision in 2020 where the Court of Justice of the European Union found that contractual measures that are used to enable international data transfers should be supplemented with additional security provisions to ensure foreign government authorities do not disproportionately access personal data that is being transferred.
• The European Commission, in 2021, published its updated Standard Contractual Clauses to enable businesses affected by the EU GDPR to transfer data internationally.
• However, due to Brexit, these did not apply to businesses that are affected by the UK GDPR.
• The IDTA seeks to resolve this issue and create a mechanism for businesses in the UK to be able to safely transfer personal data to a third country,
  The IDTA is divided into four sections.
  • Part 1: This section contains four tables that must be completed and is for laying out specific transfer details.
  • Part 2: This section allows for the addition of supplementary measures, which are optional but should be included when a Transfer Risk Assessment specifies that they are required.
  • Part 3: This section allows the parties to incorporate extra commercial provisions.
  • Part 4 (Mandatory Terms): This section contains mandatory clauses that cannot be modified and must be included in every IDTA.
• The IDTA is likely to be linked to other agreements between the parties, such as service agreements or data sharing or processing agreements.

What happened

• The EU Commission and the US government stated on March 25 that they had reached an agreement in principle on a new ‘Trans-Atlantic Data Privacy Framework’ (TADPF) to promote trans-Atlantic data flows and address the issues identified by Schrems II.
• The TADPF will commit to the following provisions:
  • It will include legally binding measures that limit US intelligence services’ access to data to what is strictly required and proportional to protect national security;
  • EU data subjects will have access to a new redress system, which will include an independent Data Protection Review Court
  • US data importers will be required to self-certify to the Privacy Shield principles through the US Department of Commerce.
  • All of the above will be carried out by a presidential Executive Order (rather than by Congress), and the EU Commission will analyse and comment on it.

Why it matters

• Max Schrems and his non-profit organisation NOYB immediately expressed their scepticism of the TADPF and stated their intention to challenge the TADPF through civil litigation if it does not meet Schrems II requirements.
• The TADPF will only resolve transfers to the United States (if it works).
• Transfers to other jurisdictions that lack adequacy findings and have broad surveillance legislation will continue to be subject to the present Standard Contractual Clauses and transfer impact assessment process.

What happened

• A school’s director was continually monitoring online courses by attending and intervening in Zoom conversations where sessions were taking place, according to an online foreign language teacher in a private school who filed a complaint with the Greek data protection regulator.
• The teacher said that her employer’s presence in her online sessions via Zoom made it impossible for her to express herself and perform, and that she felt her right to free speech and standing as a teacher had been violated.
• Not only had the teacher claimed that she had not given her approval to the monitoring, but she also alleged that she had not given her consent to the monitoring.

Why it matters

• The Greek data protection found that the employer had failed to satisfy the employee’s right to object to their classes being monitored.
• Although the employer’s response to the objection was based on a legitimate interest (i.e. for management purposes), the Greek data protection regulator explained that the employer had not been able to establish that their actual attendance at the online courses was an appropriate and necessary means of exercising this legitimate interest.
• Furthermore, the Greek data protection regulator discovered that the employment contracts examined in this case did not reference lesson monitoring or the legal basis for this processing.