In late November 2022, the Information Commissioner’s Office (ICO) announced in a blog post that it had published a significant update to its guidance on international transfers of personal data, including the anticipated final guidance piece on transfer risk assessments (TRAs), as well as a new TRA tool. This comes as the result of a consultation that the ICO ran in the summer of 2021.
In the post announcing the publication, Emma Bate (ICO Director of Legal Services) sets out that the guidance aims to provide an alternative approach to that of the European Data Protection Board (EDPB) – one that is “achievable” whilst ensuring that the assessment is “reasonable and proportionate”. However, the post also confirmed that organisations subject to the UK GDPR will now have a choice between the UK and EDPB approaches to conducting TRAs, with the latter of course remaining valid.
Organisations are required to carry out TRAs when they wish to rely on a transfer mechanism contained in Article 46 of the UK General Data Protection Regulation (GDPR). The Article 46 transfer mechanisms apply when the proposed data transfer will take place from the UK to a destination that has not been deemed by the UK Government to provide an “adequate” level of protection to data subjects. Specifically, these mechanisms include the European Commission’s standard contractual clauses (SCCs) with the UK addendum; the UK’s international data transfer agreement (IDTA); or binding corporate rules (BCRs).
The updated guidance
In essence, the new guidance follows a risk-based approach, setting out that the transferring organisation should examine risk factors relating to privacy and human rights more generally, in order to make an assessment of whether there is a greater likelihood of a breach of these rights occurring in the destination country. If the destination country’s regime is assessed to be “similar enough” to the UK’s with regard to regulating third party access to data, then the transfer may take place.
This departs from the EDPB exercise which focuses specifically on examining the laws of the importing destination and determining the suitability of the legal landscape. However, it remains to be seen whether the approaches will prove to be meaningfully different in practice, given that the ICO’s method will still conceivably require evaluating some legislation, court decisions and so on.
Whilst it is clear that this is a credible attempt to make the process more pragmatic and less onerous than the European alternative, the change in emphasis is also interesting for other reasons. As other legal commentators have posited, the shift away from specific problematic legislation and towards the evaluation of a country’s human rights record would appear to have the aim of increasing the likelihood that the United States will pass the tests. Historically, the US is not a country that others in the West have generally been comfortable characterising as having a poor record on human rights. Keeping this in mind, it is interesting to note that the 2021 draft version of the TRA tool specifically instructs the user to consider surveillance when assessing an importing country’s regulation of third-party access to data. The final published version, however, has omitted references to surveillance entirely.
Another significant addition in the ICO’s new guidance suite is the attempt to tackle the challenging exercise of understanding which party is responsible for carrying out TRAs, and the work and cost this entails. The guidance attempts to describe who should be carrying out restricted transfers and makes it clear that this may not always be the controller, introducing a test stating that the party which “initiates and agrees” the transfer will be responsible for it and the associated TRA. On further consideration of the test, what seems less clear is whether the same party will generally both initiate a transfer and then agree to it; again, it remains to be seen how tricky this wording will be to untangle in practice.
The TRA tool
The TRA tool is (more accurately) a new framework document which sets out the six questions that the ICO has developed, along with detailed guidance on how best to answer each one, as well as examples of the level of detail that is expected. At more than 40 pages long and with likely at least as much cross-referenced material to consider, the process will unsurprisingly still require some considerable time and effort to undertake.
Potentially the most questionable departure from the EDPB approach is contained in the Appendix to the ICO’s tool, which introduces a system to assign risk levels to the data being transferred. The EDPB requires an assessment of the destination country’s legislation in any case, which will involve considering laws relating to surveillance and any other powers of access held by national bodies. However, the ICO introduces a new approach to categorise the data itself as inherently carrying either a lower, moderate, or higher risk of harm. A transfer is considered to have a low harm risk if it is “Unlikely to cause more than inconsequential financial harm, physical harm, mental harm or distress”, were there to be a data breach or other misuse. The result is that, if all the data categories being transferred are low risk, then the ICO states that the restricted transfer may proceed without undertaking the additional process of evaluating the destination country’s record on privacy and human rights.
Again, this can be seen as an attempt to make the process of wholesale data transfer more straightforward – which fits in with the Government’s stated aims of simplifying the UK’s data protection regime to foster innovation and freer data flows. However, some criticism that does seem valid has been levelled at this aspect of the new guidance; primarily, this viewpoint suggests that the risk categories set out in the Appendix are over-simplified. For example, data regarding current marriage and partnerships is categorised as moderate risk, when this could reveal sensitive information such as sexual orientation. Similarly, membership of charitable organisations is deemed low risk data, when this could also indicate protected characteristics such as religious beliefs or political opinions. The point is not that these categories will always reveal sensitive data, but that there is little room for the consideration of contextual factors. This could prove to be problematic, particularly in light of a decision issued by the Court of Justice of the EU in August last year. In Case 184/20, the Court confirmed that where an organisation is able to draw inferences about sensitive or “special category” data by means of an “intellectual operation involving comparison or deduction”, then this will constitute processing special category data.
It is not clear how well the ICO’s approach will mesh with the established concepts and principles of special category data, and it could be argued that the new risk level allocations may even undermine these principles.
There are undoubtedly some specific areas where questions can be asked of the new approach. However, overall the ICO’s update will surely be welcomed by UK organisations for providing a more pragmatic alternative to the strict TRA requirements introduced in the wake of the Schrems II ruling. The European Commission will undoubtedly consider the new guidance when it is time to review the UK’s adequacy status, but it seems highly unlikely that this update alone will pose any risk of endangering the UK’s position.