The ICO's new approach to Transfer Risk Assessments

On 17 November 2022, the Information Commissioner's Office (ICO) published an update to the international transfers section of its Guide to GDPR, including a new Transfer Risk Assessment (TRA) Guidance and a TRA tool.

An accompanying blog headlines the new TRA guidance and tool as "an alternative approach" to that put forward by the European Data Protection Board (EDPB), one that is intended to deliver the right protection for data subjects "whilst ensuring that the assessment is reasonable and proportionate". The ICO's focus on TRAs being "achievable" will be welcomed by organisations grappling with compliance obligations related to international data transfers. It should help exporters of UK data determine when a TRA is required and how to carry one out.

When are the new TRA guidance and tool relevant?

The new TRA guidance is relevant to restricted transfers of UK personal data (i.e. transfers to non-adequate third countries) based on one of the transfer mechanisms allowed for under Article 46 of the UK GDPR, e.g. the International Data Transfer Agreement (IDTA), the UK Addendum to EU Standard Contractual Clauses (EU SCCs) or Binding Corporate Rules.

Regardless of the transfer mechanism used, exporters of UK data can choose between the ICO's new TRA approach and the transfer impact assessment (TIA) methodologies based on the EDPB guidance (see our earlier blog). For organisations that opt for the new UK approach, the ICO has provided a TRA tool. The tool has been designed for straightforward transfers, i.e. transfers where data goes to a single importer located in a single destination country. This somewhat limits its use, as the ICO expects organisations to adapt the TRA tool if they want to apply it to more complex data flows (which in practice are more common than the straightforward transfers the ICO addresses). The ICO also accepts that, even for the simplest transfers, the TRA tool is just one possible method of carrying out the required assessment.

The ICO's TRA approach

The ICO's TRA approach focuses on assessing whether the specific transfer increases the risk to people’s privacy and other rights, compared with the risk if the personal data remained in the UK. If there is no significant additional risk, the transfer may go ahead. Given that the importer will be bound to comply with the data protection rights under the Article 46 transfer mechanism, the TRA tool focuses mainly on the more general risks to human rights in the destination country. Two broad types of risk considered are (i) risks arising from access to data by third parties, in particular government and public bodies; and (ii) risks arising from difficulties in enforcing the Article 46 transfer mechanism.

The TRA tool consists of six main questions (which break down into detailed sub-questions and mini-assessments), with tables and guidance that take users through a number of steps and decision points. It also includes, in an annex, an initial risk level for various categories of data and a non-exhaustive example list of extra measures that can be used to reduce the risks to people's rights (categorised according to their level of protection as basic, enhanced or significant).

  • Question 1 of the TRA tool requires detailed information on the specific circumstances of the restricted transfer (which can be provided by cross-reference to the relevant transfer mechanism).

This is in effect the same as the EDPB's guidance. 

  • Question 2 assesses the personal data risk level. If the assessment in Question 2 concludes that all categories of transferred data are a low harm risk, the transfer can go ahead without the need for further assessment, as regardless of the responses to the next questions, the nature of the personal data and the circumstances of the transfer mean that the risk of harm to people is low. In all other cases, the assessment must continue. 

This is the first notable departure from the EDPB approach, which (at least as interpreted by some, if not all, European regulators) rejects any argument that the nature of the data is relevant to the risk of foreign government access.

  • Question 3 aims to determine what is a reasonable and proportionate level of TRA investigation, given the data risk level and, interestingly, also the nature of the exporter: its size and the resources available to it, assessed by reference to the data protection fee tiers (which are, in effect, a proxy for the size of the exporter). It uses an investigation matrix (taking into account the level of risk associated with the transferred data, its volume and the size of the exporter) to decide which of three levels of investigation is required when addressing Questions 4 and 5, and describes the resources expected to be used at each level.

SMEs are only ever expected to apply investigation level 1 or 2, which means relying on publicly available reports (such as the latest Foreign, Commonwealth and Development Office Human Rights and Democracy Report or the Amnesty International Report: The State of the World's Human Rights, at level 1) and further internet-based research, e.g. human rights reports from other governments or charitable organisations (at level 2). The requirement for a detailed analysis of the treatment of human rights in the destination country (which, as the ICO expressly notes, may require professional advice) is reserved for large businesses only.

This is markedly different from the EDPB's approach. The EDPB makes no distinction in its expectation of what an exporter has to do: a micro-business has to undertake the same analysis as a global giant.

  • Question 4 examines, based on a human rights risk analysis (to be carried out at the level of investigation determined in Question 3), whether the transfer significantly increases the risk of a human rights breach. 

The word 'significant' suggests divergence from the EDPB's stricter interpretation of risk and the near zero risk approach demonstrated by some European regulators in their enforcement activities. 

  • Question 5 establishes (via a detailed enforcement questionnaire) whether the transfer mechanism is enforceable against the importer in the UK or, if needed, in the destination country. 

Again, this takes the risk-based approach further than the EDPB does, acknowledging the low likelihood of enforcement being needed for data that poses a low or moderate harm risk.

  • Organisations may proceed with the transfer only if the assessments in Questions 4 and 5 do not identify any human rights risk data or enforceability risk data. 
  • If such data is identified, organisations must consider – in Question 6 – whether any of the exceptions to the restricted transfer rules apply to such data. The transfer may go ahead only if one or more of the exceptions apply to the significant risk data. If the exceptions do not apply, organisations may not proceed with the transfer.

EDPB's TIA or the ICO's TRA - which approach to take?

The TRA approach proposed by the ICO appears more pragmatic, risk-based and business-friendly than that based on the EDPB guidance. It will be a useful tool (with some adaptations for more complex data flows) for UK-centric organisations, especially SMEs and those whose data flows do not involve EU data.

As for larger organisations transferring data internationally, the majority of exporters whose data flows comprise both EU and UK personal data are using the UK Addendum with the EU SCCs. To maintain a unified approach to their contracting, they are likely to continue using the EDPB's TIA approach, especially given that the ICO is equally comfortable with organisations using either of the two alternative approaches. Even for those organisations, it may nevertheless be useful to consider whether any aspects of the new TRA tool could be woven into their internal TIA template, as part of their general efforts to maintain a compliant yet streamlined TIA process.

A sign of the UK's divergence from the European approach?

The ICO's approach to the TRA may be seen as an example of the UK regulator taking a somewhat different (and lighter-touch) approach than that developed by its European counterparts. Even if the uptake of the TRA tool in practice is limited to smaller organisations that do not also export EU data, it is still likely to be welcome news for all exporters of UK data. Regardless of the transfer assessment tool they decide to use, the TRA tool may signal the ICO's broader approach to international data transfer rules (including to enforcement in this notoriously challenging area).

More guidance to come

Organisations considering if or how to use the TRA tool will welcome the ICO's plans to publish worked examples of the tool. This, together with the upcoming guidance on how to use the IDTA and the UK Addendum to the EU SCCs, should bring more certainty to organisations that transfer UK data internationally.

Finally

A reminder that the deadline for replacing all historic EU data transfer arrangements with the new EU SCCs is fast approaching: 27 December 2022.