Handley Gill Limited

Risky business

Data exporters in the UK should take the opportunity presented by the ICO’s revised guidance to revisit previously rejected international data transfers to third countries under the UK GDPR to assess whether they can now comply under the Information Commissioner’s new framework for conducting risk assessments.
— Handley Gill Limited

While many privacy pros were either in Brussels attending the IAPP’s #DPC22 or at the Excel Centre at GRC World Forums’ #RISK conference, the Information Commissioner’s Office’s Director of Legal Services (Regulatory and Commercial), Emma Bate, published a blog post introducing new guidance that presents an additional approach to assessing the risk associated with a restricted international data transfer based on appropriate safeguards under Article 46 UK GDPR.

Following the decision of the Court of Justice of the European Union in the so-called Schrems II case, and the European Commission’s issue of the modernised standard contractual clauses (SCCs), data exporters conducting a restricted international data transfer based on appropriate safeguards under Article 46(2)(c) GDPR have been required to carry out an international data transfer risk assessment to assess whether the law and practice of the third country provides essentially equivalent protection to the GDPR. Such an assessment is also required when utilising other transfer mechanisms under Article 46, such as Binding Corporate Rules (BCRs). The European Data Protection Board (EDPB) issued ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’, providing guidance on the conduct of that risk assessment as well as on the supplementary measures that might be adopted to remediate any gaps in protection identified by it.

Following the end of the Brexit transition period, and the UK GDPR taking effect, the Information Commissioner’s Office introduced its own safeguards for conducting ex-UK restricted international data transfers: the International Data Transfer Agreement (IDTA), or the modernised EU SCCs coupled with the International Data Transfer Addendum, which since 22 September 2022 have been mandatory for new ex-UK transfers. These still required a risk assessment to be conducted, and in the absence of any alternative guidance such assessments have had to be conducted in accordance with the EDPB’s recommendations.

In the new transfer risk assessments (TRA) section of its updated guidance on international transfers, which diverges from the approach advocated by the EDPB, the Information Commissioner authorises the use of an alternate method of assessing risk, to consider whether data subjects would experience any significant increased risk to their privacy and other human rights as a consequence of the transfer compared with the risk if the information remained in the UK. Essentially, the Information Commissioner is advocating a risk-based approach to risk assessment, an approach which has been disavowed by its fellow supervisory authorities, most notably in the context of considering the lawfulness of using Google Analytics.

The ICO’s transfer risk assessment tool requires the exporter to address 6 questions:

  1. The specific circumstances of the transfer, including: the nature of the importer and its processing activities; the categories of affected data subjects; the volume of data to be transferred; the duration and frequency of transfers; the type of personal data to be transferred; and, the safeguards in place.  

  2. The risk inherent in each type of personal data, which the ICO has determined and set out in the Annex to the TRA, and whether any aggravating (confidentiality, children or vulnerable individuals affected, large volume of data and/or ability to infer special category data) or mitigating (data in public domain and/or encryption/pseudonymisation or other measures implemented prior to transfer) features apply which would serve to increase/decrease the risk upon transfer compared to the UK.

  3. Depending on the risk identified to that point (low, moderate or high), and the size of the organisation, the extent of the due diligence required to be carried out (with suggested resources at each level).

  4. Whether the transfer increases the risk of a human rights breach in the country of import, having regard to the due diligence required to be conducted, to determine whether there is a significantly increased risk compared to the personal data being processed in the UK.

  5. Whether it will be possible to enforce the obligations set out in the transfer mechanism in the UK and in the destination country.

  6. If a high risk is identified, whether any other lawful bases for the transfer apply, so as to create an exception to the requirements as set out in Article 49 UK GDPR, such as that the data subject has provided explicit consent, or that the transfer is necessary for the purposes of a contract entered into with the data subject.

If a high risk remains and no exception is identified, then the transfer is not permitted to be conducted pursuant to Article 46.

This contrasts with the EDPB’s requirements, which require a greater focus on the analysis of local law and practice, particularly in relation to third party access by public authorities.

The ICO’s approach presents the risk that what may be considered compliant for an SME will not be considered compliant for a large organisation, and therefore each data exporter will need to conduct its own assessment.

The list of categories of personal data in the Annex is not exhaustive; for example, neither email addresses nor IP addresses are identified in the guidance. Location data is, however, identified as potentially presenting a high risk.

Nevertheless, we anticipate that conducting risk assessments under the ICO’s TRA approach, rather than in accordance with the EDPB’s guidance, could result in a different outcome for organisations of all sizes. This could in particular benefit ex-UK transfers to the US pending regulations being made by the Secretary of State pursuant to President Biden’s adoption on 07 October 2022 of the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.

Following the Government’s announcement of its intention to utilise the Data Protection and Digital Information Bill to implement “a bespoke British system of data protection”, the ICO’s guidance represents a yet further departure from the GDPR. Dominic Raab’s re-appointment as Justice Secretary raises the potential resurrection of the Bill of Rights, which would result in the UK departing from “adherence to the European Convention of Human Rights and submission to the jurisdiction of the European Court of Human Rights”, a requirement explicitly identified in the European Commission’s adequacy decision in respect of the UK. This could therefore serve to further jeopardise the retention of adequacy beyond its current validity until 27 June 2025, or perhaps even sooner as a consequence of the Commission’s commitment under Article 3(1) of the adequacy decision to “continuously monitor the application of the legal framework upon which this Decision is based”.

Regardless of the potential long-term consequences of the move, the alternate approach to assessing the risk of restricted ex-UK international data transfers presents an immediate opportunity to data exporters to revisit data transfers that might previously have been rejected, to consider whether they might now be considered compliant.

Handley Gill’s consultants provide advice to data controllers and data processors who wish to export personal data from the UK to third countries, as well as for data importers in third countries that wish to establish compliant mechanisms for clients to export data from the UK. We conduct international data transfer risk assessments on behalf of clients, under both the EDPB and ICO mechanisms, and draft and implement appropriate safeguards in the form of International Data Transfer Agreements (IDTAs), Standard Contractual Clauses (SCCs) and the combined International Data Transfer Addendum and SCCs. Should you require assistance, don’t hesitate to contact us.
