ICO's updated guidance on international personal data transfers offers an alternative approach to carrying out transfer risk assessments
Other Author Kiran Chita, Trainee Solicitor
The UK Information Commissioner's Office (the "ICO") published new guidance on transfer risk assessments ("TRAs") and a template for carrying out a TRA.
All businesses are required to carry out TRAs, also known as local law assessments or transfer impact assessments, when transferring personal data which are subject to the UK General Data Protection Regulation (the "UK GDPR") outside the United Kingdom using:
- the international data transfer agreement (the "IDTA"),
- the European Commission's standard contractual clauses with the UK addendum (the "UK Addendum"), or
- the binding corporate rules.
The new TRA guidance is an alternative to the approach suggested by the European Data Protection Board (the "EDPB") in its Recommendations 01/2020 on supplementary measures. The ICO confirmed that organisations subject to the UK GDPR now have a choice between the ICO or EDPB approaches when conducting TRAs for international data transfers outside the United Kingdom.
The new guidance is reportedly designed to provide organisations subject to the UK GDPR with a more pragmatic, risk-based approach without requiring them to carry out new assessments if they already followed the methodology recommended by the EDPB. Significantly, the ICO suggested that if only low harm risk personal data (such as business contact details) are transferred outside the UK, businesses no longer have to consider the local laws in the recipient's jurisdiction.
International businesses that transfer personal data outside both the European Union and the United Kingdom may find the new guidance of limited use because the ICO approach may not fully address EDPB's recommendations. However, UK businesses only transferring personal data from the United Kingdom may find the new guidance and a template TRA helpful.
When do business have to carry out TRAs?
Following the end of the Brexit transition period, transfers of personal data subject to the UK GDPR outside the United Kingdom have to comply with the restrictions in the UK GDPR.
One of the ways to comply with the UK GDPR is to ensure that the transfer is to a country with an adequacy decision from the UK Government. For example, an adequacy decision is the current mechanism for international data transfers from the United Kingdom to the European Economic Area (the "EEA")1.
However, in the absence of an adequacy decision, businesses may ensure compliance with the UK GDPR by implementing one of the appropriate safeguards in Article 46 UK GDPR, for example, the IDTA or the UK Addendum (for more information on the IDTA and the UK Addendum see our previous client alerts here and here).
Companies that rely on one of the appropriate safeguards in Article 46 UK GDPR are under a legal obligation to carry out a TRA and to provide the completed TRA to the ICO on request.
TRA guidance
The ICO's guidance on TRAs follows a risk-based approach and involves considering the risks to people's rights and whether a proposed transfer increases the risk to people's privacy and other human rights2 in comparison to the risk to those rights if the personal data remained in the United Kingdom. If there is no significant additional risk, then the transfer may go ahead.
To carry out this assessment, the ICO set out six questions organisations must answer:
- What are the specific circumstances of the transfer?
- What is the level of risk to people in the personal information you are transferring?
- What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation?
- Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
- (a) Are you satisfied that both you and the people the information is about will be able to ensure the Article 46 transfer mechanism against the importer in the UK?
(b) If enforcement action outside the UK may be needed: are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
- Do any of the exceptions to the restricted transfer rules apply to "significant risk data" (i.e. data that an Article 46 UK GDPR transfer mechanism does not provide appropriate safeguards for)?
TRA tool
The TRA tool is a new template document that sets out the ICO's six questions. The TRA tool is just one method that can be used to carry out a TRA and organisations have the option to record their answers to the ICO's questions in an alternative format. However, it provides businesses with an example of the level of granularity that the ICO expects from businesses in TRAs.
The TRA tool contains detailed guidance and a template format for answering each of the six questions. For example, with respect to the first question "What are the specific circumstances of the restricted transfer?", the TRA tool sets out guidance on how to address this question including the detail that is required to show 'specific circumstances'.
In relation to the fourth question "Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?", the ICO explained that as a part of this assessment businesses should consider the destination country's legal system, respect for the rule of law, and human rights record. The level of investigation required from businesses will depend on their size (with more onerous obligations for large businesses) and the level of risk associated with transferring the personal data. However, as set out in more detail below, the ICO stated that businesses do not need to carry out investigation of the country's laws and practices when transferring low harm risk personal data.
A new approach for low harm risk data
The ICO guidance introduces a significant alternative to the EDPB approach in relation to low harm risk transfers. A transfer of personal data is considered to be low harm risk if it is unlikely to cause more than inconsequential financial harm, physical harm, mental harm or distress if it is misused or lost, with only minimal actions (if any) required to rectify the situation.
The Appendix to the TRA tool sets out examples of an initial risk level for different categories of personal data. Examples of low risk data include: name, date of birth, address, contact details, goods or services supplied, or marketing preferences.
From this initial risk level, organisations must consider if there are factors which may either increase (e.g., if the information is about a child or vulnerable adult, if there is large volume of information about each person, or if the information allows inference of special category of data), or decrease (e.g., if the information is already in the public domain or if the information is encrypted before the transfer and the data importer does not have the key to decrypt the information) the risk level.
If the risk assessment results in all categories of personal data involved in the proposed transfer being low harm risk, then the ICO guidance states that the restricted transfer can proceed without addressing the remaining questions, i.e. without having to carry out a local law assessment. This is because the ICO considers responses to the rest of the questions to be unnecessary since the nature of the personal data and the circumstances of the transfer mean that the risk of harm to individuals is low in any event.
This approach represents a divergence from the EDPB approach, which requires local law assessment in any event. While the EDPB allows for consideration of the type of information involved in the proposed transfer, the assessment applies only at the stage of identifying effective supplementary measures to protect the data being transferred and not in relation to the transfer itself.
On the horizon
The ICO has said that it intends to publish guidance on how companies should use the IDTA and the UK Addendum, including clause by clause guidance, before the end of 2022.
The ICO has also stated that it is considering extending its TRA guidance to include worked examples however no timeframe has been provided for any additional TRA guidance.
1 A full list of UK adequacy decisions is available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/#Q1
2 The ICO expects businesses to consider not only enforcement of data subjects' rights, but the protection of human rights in the destination country more generally.