The Information Commissioner's Office (ICO) has published its finalised guidance on transfer risk assessments and international data transfers following the Court of Justice of the European Union's decision in Schrems II. The final guidance contains a number of changes from the consultation draft and confirms that the ICO's approach under UK GDPR will differ from that taken by the European Data Protection Board (EDPB) under EU GDPR.

Background

The ICO published draft guidance on international transfers and transfer risk assessments (TRAs) in February 2022. For more on Schrems II and the background to the new guidance, read our Schrems II summary.

The draft guidance followed publication of the ICO's new UK International Data Transfer Agreement (IDTA) and UK Addendum to the (new) EU Standard Contractual Clauses (SCCs). Despite the IDTA and UK Addendum coming into force on 21 March 2022, and being mandatory for new contracts from 21 September 2022, the guidance remained in draft for some time.

What does the new guidance say?

The new guidance has three components:

  • updated guidance on international transfers
  • guidance on carrying out a transfer risk assessment
  • a transfer risk assessment tool

The ICO plans to publish clause by clause guidance on the IDTA and UK Addendum.

The ICO presents its guidance as offering an "alternative approach" to that put forward by the European Data Protection Board (EDPB). While organisations can still follow the EDPB approach if they wish, the ICO considers that the approach set out in its guidance gives the "right protection" for data subjects, while still being "reasonably proportionate."

At the heart of the ICO's approach is a focus on whether the transfer significantly increases the risk of a privacy or other human rights breach. This is different from the EDPB approach, which is much more binary.

Who is responsible for ensuring compliance?

It is the controller or processor that initiates and agrees the transfer that is responsible for complying with the restricted transfer rules. For example:

  • where the transfer is directed or instructed by the controller (for example, to transfer from one processor to another processor of the controller or to a third party controller), then it is the controller that is responsible for ensuring compliance with the restricted transfer rules
  • where a UK processor appoints a sub-processor outside the UK, it is the processor (not the controller) that is responsible for complying with the restricted transfer rules. This is the case even though the controller gave the processor authority to appoint sub-processors and even if data flows directly from the controller to the sub-processor. 

    The ICO's new guidance provides processors with greater flexibility in relation to the location of data processing activities within their supply chains. However, with that flexibility comes greater accountability as the processor (not the controller) will be responsible for conducting a satisfactory TRA and ensuring that the transfer is lawful.

    Controllers will still have obligations under Article 28 of UK GDPR to carry out appropriate diligence on their processors, reasonable and proportionate to the risks that the data sharing offers. As part of this diligence, controllers should therefore still ask questions about international transfers within the processor's supply chain and ensure appropriate oversight of that. 

    Reverse transfers

    The ICO says that if a processor sends or returns personal data to a controller outside the UK then that is not a restricted transfer, as the transfer is initiated by the controller. 

    If, however, the transfer from a processor to a controller is initiated by the processor, then that will be subject to the rules on restricted transfers.

    Conducting a transfer risk assessment

    A TRA should be conducted when carrying out any restricted transfer using any Article 46 transfer tool. Article 46 transfer tools include the ICO's International Data Transfer Agreement, the EU SCCs and UK Addendum, Binding Corporate Rules, or a transfer pursuant to an approved code of conduct or certification mechanism.

    The ICO's new guidance sets out two approaches to conducting a TRA:

    • Assess risk to data subjects: an assessment of risk from a human rights and privacy perspective - if the transfer went ahead, are there significant, additional, risks to the privacy and human rights of the individual data subjects whose data is being transferred? This is the approach set out in the ICO's TRA tool
    • Assess the laws in the destination country: a comparison of laws and practices in the recipient country. This is the approach set out in the EDPB guidance.

    In either case, the ICO says that TRAs should be subject to regular reviews to ensure that the assessment remains valid and that the protections put in place remain effective.

    Assessing risk using the ICO's TRA Tool

    The TRA tool sets out a series of questions designed to assess the actual risks that may arise from the proposed transfer. These questions consider:

    • the circumstances of the restricted transfer (including details of the importer, destination country, role of the importer, what personal data is being transferred and why)
    • the level of risk to the data subjects 
    • what level of investigation is reasonable and proportionate given the level of risk
    • whether the transfer significantly increases the risk for data subjects of a human rights breach in the destination country
    • whether the Article 46 transfer tool (eg the IDTA) will be enforceable in the UK, and by the exporter and data subjects locally in the destination country (or elsewhere)
    • whether any of the exceptions to the restricted transfer rules apply

    The TRA tool contains detailed guidance at each stage to help assess risk. For example, the TRA tool classifies different categories of personal data as being low, medium or high risk, and sets out aggravating and mitigating factors when assessing risk to data subjects.

    Where all of the personal data being transferred is low risk in terms of harm, the ICO says that no further investigation is necessary. Where an investigation is necessary, the TRA tool sets out a three-level approach. Which level applies will be determined by the risk identified, whether the exporter is an SME or a large organisation, and the volume of data being transferred.

    A level 1 investigation may take the form of a desktop review of publicly available information from sources such as the Foreign, Commonwealth and Development Office, whereas a level 3 investigation requires a detailed analysis of the treatment of human rights in the destination country.

    Notably, and consistent with the ICO's risk-based approach, exporters can take into account practical factors such as whether the data subjects in question are ever likely to visit the destination territory when assessing the actual level of risk for the data subjects in question.  

    Where the TRA tool concludes that a level 3 investigation is necessary, the ICO guidance also offers exporters the option of not transferring the high risk data other than by exception, with each exception then assessed on a case by case basis.

    Divergence from EU guidance

    The ICO's approach marks a clear divergence from the approach set out in the EDPB's guidance under GDPR. For organisations that are subject only to UK data protection law, the new guidance and the ability to take a risk based approach will be welcomed. 

    While the EDPB's latest guidance permits exporters to assess whether problematic laws in the destination territory are likely to apply in practice to the transfer in question, that still leads to a binary assessment of whether the importer is subject to those laws, rather than a consideration of what, if any, harm may arise.

    Organisations that are subject to both UK and EU data protection law will still need to comply with the EDPB guidance. Organisations will therefore need to carry out an initial assessment to determine which regime applies to a restricted transfer - is it UK law, EU law or both? 

    For example EU law will apply to the following:

    • a UK business that is established in the EU/EEA for the purposes of GDPR, for example, through a branch or similar
    • a UK controller or processor that is subject to the extra-territorial rules in GDPR where the processing relates to the provision of goods or services offered to individuals in the EU/EEA, or the processing relates to monitoring their behaviour
    • transfers by group companies from the UK and EU/EEA to a service provider or parent company outside the UK and EU/EEA.

    There are also particular complexities in relation to reverse transfers. While the ICO says that a transfer back to a non-UK controller is not a restricted transfer, the EDPB says it is. 

    This divergence means that IT service providers and other organisations that process data for controllers in both the UK and EU will need to think carefully about their approach to restricted transfers and how they deal with areas of divergence and conflict between the two sets of guidance.

    What are the timescales for carrying out transfer risk assessments and remediating old EU SCCs?

    The ICO's new guidance is effective now.

    Organisations have until 27 December 2022 to replace old EU SCCs with the EU's new SCCs where the transfer is subject to EU GDPR.

    Where the transfer is subject to UK GDPR, organisations have until 21 March 2024 to replace the old EU SCCs with the new IDTA or the new EU SCCs and the UK Addendum.
    More information

    If you would like to discuss the ICO's new guidance, or your organisation's approach to restricted transfers, please contact Martin Sloan, Grant Campbell or Rachel Lawson.