International Data Transfers: a new approach to transfer risk assessments

The ICO has recently produced an updated version of its guidance on international data transfers, which includes a new section on international data transfers and an accompanying transfer risk assessment (TRA) tool. This follows on from the approval by Parliament earlier this year of the ICO’s alternatives to the EU approved Article 46 mechanism for safeguarding international data transfers (the Standard Contractual Clauses), which the ICO termed as the International Data Transfer Agreement (“IDTA”) and International Data Transfer Addendum (known as the “UK Addendum”).

The ICO’s guidance mirrors the approach taken by the European Data Protection Board (“EDPB”) following the “Schrems II” case[1] to restricted transfers in that if a data exporter is relying on an Article 46 transfer mechanism it must carry out a Transfer Risk Assessment (“TRA”). However, the ICO’s new approach offers an alternative way in which organisations should approach carrying out the risk assessment.

Option 1: EDPB approach

Where there is a restricted transfer of data to a third country – i.e. the data recipient is situated outside of the UK and the importing country is not covered by the UK’s adequacy regulations – an Article 46 transfer mechanism should be used (where other safeguards are not available). Under UK GDPR, if an organisation is relying on an Article 46 transfer mechanism then that organisation must carry out a TRA prior to the transfer. The purpose of a TRA is to help ensure that the transfer mechanism will provide appropriate safeguards and enforceable rights for data subjects.

Until now there has only been one approach to undertaking a TRA – that set out by the EDPB.

In June 2021, the EDPB produced its recommendations on international transfers of data[2]. This includes a 6-step approach to carrying out a TRA. Here the focus is on the legislative and practical safeguards in place, in the importing country, to prevent third-party access to the data (in particular by governments). There is no accompanying tool or process to assist with this assessment. Other than the “6 steps”, data exporters are largely left to work out and determine for themselves what the risk assessment should look like and what the requisite level of assurance should be as to whether or not supplemental measures are required to safeguard the transfer.

Option 2: ICO’s new TRA guidance and tool

The ICO’s new guidance intends to find “an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.” It includes a new section on international transfers and a TRA tool. This sets out what may be considered a more pragmatic approach to that of the EDPB. The ICO’s assessment is framed differently. Whilst the EDPB approach concentrates on whether law enforcement agencies can access the transferred data, the ICO emphasis is on whether the transfer significantly increases the risk to people’s privacy and other human rights, compared with if the information remains in the UK.[3] 

The ICO’s user friendly TRA tool sets out 6 questions to answer, actions required to answer the question, guidance on how to complete the action and tables in which to record relevant information. The appendix gives an indicative initial risk rating for different types of personal data and examples of steps that may be taken to reduce the risk and increase protections.

The ICO makes clear that if you are a controller, and your processor is making the restricted transfer, only the processor must complete the TRA. The ICO’s guidance also highlights the need to ensure that any onward transfers by the receiver of personal data are similarly contractually protected, and that any ongoing flow of restricted transfers is regularly reassessed by the data controller to ensure that the level of protection provided by your safeguarding mechanism does not decrease over time.

How useful will this be in practice?

This new risk based approach will be welcome news for solely UK based countries. It is not mandated that the ICO template is used for TRAs, nor is it required that the ICO approach is used. The ICO is clear that it will accept either method of assessment – that of the ICO or the EDPB approach. However, the ICO’s tool is  likely to be less useful, for now at least, for companies exporting data to third countries from both the UK and Europe. The EDPB has not yet indicated whether it would be willing to accept this new approach to the TRA for EU GDPR transfers. Until a time comes when this approach is recognised by the EDPB, the EDPB approach will remain the default for internationally operating organisations.

What next?

The ICO has confirmed that it is currently working on clause-by-clause guidance on how organisations should use the International Data Transfer Agreement and the Addendum to the EU Standard Contractual Clauses. It is also considering extending the TRA guidance to include worked examples of the TRA tool in practice.

How can we help?

Safeguarding international transfers of personal data can be a complex area of data protection law incorporating multi-jurisdictional assessments of data protection legislation. Bevan Brittan can support your organisation to complete these assessments and help you achieve your business goals at the same time ensuring that global transfers of personal data are lawfully made.

This article was co-written by Laura Cook, Trainee Solicitor.

If you have any questions about the issues raised in this update, please contact a member of our Information Law team.

[1]               CURIA - List of results (europa.eu)

[2]               Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data | European Data Protection Board (europa.eu)

[3]               Transfer risk assessments | ICO