International transfers of personal data: changes introduced by the ICO
The ICO (Information Commissioner’s Office) has recently introduced a new procedure, with new forms, to govern international transfers of personal data to some destinations. These are transfers to destinations not considered to provide “adequate” data protection standards. These are usually countries, but can also be international organisations.
In this blog we briefly outline these changes, which are relevant to many University activities, and address some of the questions staff may have.
What’s new?
Following a consultation exercise, the ICO recently introduced an International Data Transfer Agreement (IDTA) as a replacement for the older Standard Contractual Clauses in use. It also introduced an Addendum which, alternatively, can be appended to contracts where these Standard Contractual Clauses are used to ensure compliance with data protection law.
These documents have been approved by the UK Parliament, and must be used from 22 September 2022 for all new contracts governing the sharing of personal data with these aforementioned destinations.
Why have the rules changed?
These changes were necessary following the decision by the Court of Justice of the European Union in the case of Schrems II (CJEU Case C-311/18), in July 2020. Because Schrems II was decided during the Brexit transition period, it forms part of retained EU law.
What does “adequate” mean here?
A destination is considered to be “adequate”, with respect to transfers of personal data, where there are safeguards that are “essentially equivalent” to those found in the UK under the UK GDPR.
The ICO provides a list of “adequate” destinations here (see “What countries or territories are covered by adequacy regulations?”), added under the UK Adequacy Regulations. Currently these include all of the destinations recognised by the EU Commission as “adequate” e.g. the European Economic Area (EEA) countries.
The UK is currently considered to have adequacy status by the EU Commission. This status, however, requires review and will expire on 27 June 2025 unless it is extended for another 4 years.
What dates do I need to know?
An important date to bear in mind is 21 March 2024. Any relevant contracts using the old Standard Contractual Clauses will need to be updated by then, either by using an IDTA or by supplementing an existing agreement with an Addendum. Otherwise, after this date, these agreements will no longer comply with data protection law.
Are there any other requirements?
Yes. Any use of the IDTA or Addendum must be accompanied by a Transfer Risk Assessment. There is also a requirement for regular review of contracts where the IDTA or Addendum has been used, and the transfer is not a one-off arrangement.
Doesn’t this just make everything more complicated?
Yes and no. Changes such as the Transfer Risk Assessment requirements are potentially quite onerous for organisations. It may be necessary, for example, to evaluate the legal regime of a destination country. The IDTA and Addendum forms, however, are helpfully streamlined and can be used irrespective of the controller/processor status of exporters/importers. Previously there were multiple versions of data sharing agreements.
I would like to send personal data to a destination without “adequacy” status – where can I find advice about this?
Please contact the dataprotection@napier.ac.uk for assistance. We will update the guidance on the data protection pages of our intranet as soon as possible to reflect these new requirements.