UK ICO Publishes New Guidance and a Tool for Transfer Risk Assessments
On November 17, 2022, the UK data protection regulator, the Information Commissioner’s Office (“ICO”), published updated guidance on international transfers that includes a new section on transfer risk assessments (“TRAs”) and a TRA tool.
In its statement regarding the updated guidance, the ICO describes the TRA guidance as “an alternative approach to the one put forward by the European Data Protection Board” and says its aim is “to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.”
The TRA guidance states that if an organization is relying on an Article 46 transfer mechanism, it must carry out a TRA. The ICO notes that the TRA will help the organization to consider whether, in the circumstances of the transfer and with the chosen Article 46 transfer mechanism in place, the “relevant protections for people under the UK data protection regime will be undermined.” In referring to Schrems II, the guidance states clearly that the Court’s decision that a TRA must be conducted before relying on an Article 46 mechanism forms part of UK data protection laws.
The ICO considers there to be two approaches to conducting a TRA:
Option 1: The ICO’s approach in the TRA tool discussed further below; and
Option 2: The European Data Protection Board’s approach (i.e., an assessment where the laws and practices of the exporting country are compared to the laws and practices of the importing country in order to assess the risks). This involves looking at the safeguards in place about third-party access to the information, in particular by governments.
The ICO states that it “is happy for organisations exporting data from the UK to carry out an assessment that meets Option 1 or Option 2.”
The TRA tool is a template document with six questions and guidance on how to complete the TRA. It gives an initial risk level for categories of data and, according to the ICO, has moved the focus to “whether the transfer significantly increases the risk of either a privacy or other human rights breach” as it believes “this captures the key risk to the people the data is about, and is also achievable.”
What Is Next for the ICO?
The ICO has confirmed that it is currently working on guidance showing organizations how to use the International Data Transfer Agreement and the Addendum to the EU Standard Contractual Clauses, which will include clause-by-clause guidance. It is also “considering” extending the TRA guidance to include worked examples of the TRA tool in practice. The ICO also welcomes experiences of using the guidance and the TRA tool and intends to hold sessions in 2023 with the aim of learning from organizations and ultimately improving its products.