On 17 November 2022, the Information Commissioner’s Office (ICO) published an update to its guidance on international transfers (Transfers Guidance). This included specific guidance about transfer risk assessments or TRAs and a tool for undertaking TRAs (the TRA Guidance and TRA Tool, respectively).
In its blog post accompanying the updated Transfers Guidance, the ICO makes clear that its TRA Guidance “clarifies an alternative approach to the one put forward by the European Data Protection Board” and notes that its aim is to “find an alternative, achievable approach” to the transfer impact assessments exporters are required to undertake, which is “reasonable and proportionate”.
We’ve summarised key elements of the updated ICO position on TRAs below.
When is a TRA required?
The TRA Guidance and TRA Tool are relevant whenever an organisation that is subject to the UK GDPR transfers personal data to a non-adequate jurisdiction based on one of the transfer mechanisms in Article 46 of the UK GDPR (i.e. the ICO’s International Data Transfer Agreement, the EU Standard Contractual Clauses (together with the UK Addendum) or Binding Corporate Rules).
TRAs are essentially the UK’s equivalent of the “transfer impact assessments” required by the European Data Protection Board in the EU and set out in the EDPB guidance on accountability in data transfers and supplementary measures (the EDPB Approach). The ICO is clear that their TRA Tool is just one approach to conducting the required assessments and that organisations located in the UK can still use the EDPB Approach should they wish to do so. Organisations seem likely to do this where the EDPB Approach is already embedded in their organisation and/or where the personal data that they export is subject to both the UK and EU GDPR (as it remains to be seen whether the EDPB will consider the ICO’s approach sufficient from an EU law perspective). However, for straightforward transfers of UK personal data (especially by SMEs), the ICO’s TRA tool may be attractive.
Who is responsible for undertaking a TRA?
One of the many issues that UK and EU controllers have grappled with since the Schrems II decision and the publication of the above EDPB guidance is whether controllers have to undertake TRAs all the way down their subcontracting chain. The EDPB’s guidance stated that assessments should “take into consideration all the actors participating in the transfer” and that “the more controllers, processors or importers involved, the more complex your assessment will be”. This suggested that the EDPB expects controllers to conduct the required assessments all the way down the subcontracting chain. The ICO provides helpful clarification about its expectation in this regard, in particular that:
- where the UK/EU processor of a UK controller makes a restricted transfer to a sub-processor in a non-adequate country, it is for the processor, as opposed to the controller, to undertake the TRA in connection with the transfer to the sub-processor (although the controller must still check that the processor’s transfers are compliant, likely through contractual commitments and audit rights); and
- where a data recipient in a non-adequate country receives personal data from a UK exporter under an Article 46 transfer mechanism and then makes an onward transfer, it is the responsibility of either the UK exporting entity or the data recipient making the onward transfer to undertake the TRA in respect of the onward transfer. In practice, this would mean that UK exporters do not need to undertake TRAs all the way down their subcontracting chain (provided that they receive “sufficient reassurance” that the transfer impact assessment of the entity making the onward transfer is compliant, once again likely through contractual commitments and audit rights).
The TRA Guidance also clarifies that where a series of connected and/or repeated transfers are made, these can be assessed separately or covered by one single TRA.
The TRA Tool
The TRA Tool is a template document with questions and guidance that leads users to assess whether the risks to people’s privacy and other human rights are significantly increased as a result of the proposed restricted transfer going ahead, when compared to the situation where the data stayed in the UK. In particular, it requires the companies conducting the TRA to:
- Assess the level of risk that the personal data being transferred potentially represents to the data subjects. The TRA Tool includes a list of different categories of personal data and the risk level (low, moderate, high) that the ICO attributes to each of them. Companies are then required to consider whether any mitigating or exacerbating factors apply; a non-exhaustive list of factors, including security measures such as encryption, is provided. In contrast to the EDPB Approach, the TRA Tool clearly states that if a “low risk” finding can be made, no further action or assessment is required and the transfer can go ahead;
- Assess which of three identified levels of investigation are required. Where the risk level of any of the transferred data is moderate or high, the assessor must determine what is a reasonable and proportionate investigation into the human rights risks, taking into account the risk represented by the personal data (as identified at the previous step), the volume of data being transferred and the size of the organisation. This is in contrast to the EDPB’s approach, which does not make any allowances for SMEs, who are expected to undertake the same level of assessment as a global multinational.
The investigation in question here relates to human rights risk (the rationale being that the data protection risk is covered off in the relevant Art. 46 transfer mechanism). In all cases, this investigation requires a subjective assessment of the human rights risk, taking into account a number of publicly available reports relating to human rights standards within the receiving jurisdiction. Where the data represents a high harm risk and the organisation is not an SME, additional sources and a “detailed analysis” of the human rights position in the importing jurisdiction are required. The TRA Tool notes that this may require professional advice;
- Consider (1) whether the transfer significantly increases the risk of a human rights breach in the destination country for the relevant data subjects and (2) whether the Art. 46 transfer mechanism will likely be enforceable in the UK and any other relevant jurisdiction. Tables of indicative human rights and enforcement risks are provided for this purpose; however, a good understanding of the human rights practices in the receiving jurisdiction, and of which factors will be relevant in weighing up the various risks, is still needed; and
- If necessary in respect of any remaining high-risk data, consider whether any exception applies that would permit the transfer. The identified exceptions align with Article 49 UK GDPR. The Transfers Guidance provides some indication as to the scope of the various exceptions from a UK perspective.
If the assessment concludes that the personal data does not represent a substantial human rights or enforceability risk (or an exception applies), the restricted transfer can be made.
The intention of the ICO in updating the guidance and publishing the TRA Tool was to ensure ease of use whilst maintaining a reasonable and proportionate approach to assessing exports of personal data. This suggests that the ICO considers the TRA process to be simpler and/or less strict than the EDPB Approach. Whilst UK organisations making restricted transfers that obviously represent a low risk will welcome the ICO’s simplified procedure, other organisations may struggle to undertake the proposed assessment with any degree of certainty, given its subjective nature and its focus on human rights law. In particular, the assessor (who, under the EDPB Approach, would previously have been focussing on the privacy and surveillance laws in the destination country) may not have any specific expertise in human rights law or in assessing human rights practices. Also, given that the human rights position would likely need to be considered in the context of the destination country’s privacy and surveillance laws, for non-SMEs the ICO’s approach may actually require a wider assessment than that required by the EDPB Approach.
The ICO is considering extending the TRA Guidance to include worked examples of how the TRA Tool should be used in practice. This, coupled with the output from the feedback sessions they intend to conduct early next year, will hopefully clarify their expectations around the human rights-focussed investigation and confirm whether or not the ICO’s approach really is simpler for organisations who, like most of our clients, transfer higher risk data and are not SMEs.
Until then, the ICO’s TRA Tool is no silver bullet, and ensuring compliant exports of personal data will unfortunately remain a resource-intensive and uncertain process for many organisations.