
ICO publishes new guidance on international transfers

Published on 31 March 2023

The question

What do businesses need to know about the Information Commissioner’s Office’s (ICO) new guidance on international transfers?

The key takeaway

The ICO has released new guidance regarding international transfers, including how to carry out Transfer Risk Assessments (TRAs). The guidance, according to the ICO, seeks to clarify “an alternative approach to the one put forward by the European Data Protection Board” (EDPB).

The background

Under the UK GDPR, personal data cannot be transferred to non-adequate jurisdictions unless a specific exemption applies or an Article 46 transfer mechanism is established. The Schrems II judgment confirmed that before a company can rely on an Article 46 transfer mechanism to make a restricted transfer, it must conduct a risk assessment.

The development

On 17 November 2022, the ICO published an update to its guidance on international transfers which includes further explanation on:

  • when the UK GDPR applies to transfers of data
  • what constitutes a restricted transfer
  • the countries covered by UK adequacy regulations
  • the safeguards in Article 46 of the UK GDPR
  • the exceptions to putting in place these safeguards, and
  • carrying out TRAs.

The guidance also incorporates worked examples reflecting a wider variety of scenarios, clearly taking on board the fact that many companies have complicated transfer arrangements.

The most significant addition to the guidance is the section on TRAs. The ICO has developed an alternative, more streamlined approach compared to that of the EDPB which applies in respect of transfers under the EU GDPR.

The EDPB approach requires data exporters to compare the laws and practices of the importing country with the laws and practices of the exporting country to assess the risks to data subject rights, including considering safeguards regarding third party access. The ICO’s approach, however, focuses on whether there is any increase in the risk to people’s privacy and other human rights compared with the risk if the information remains in the UK. The ICO has also developed a “TRA Tool” – a template document that provides guidance on how to carry out a TRA.

The ICO recognises that many businesses are subject to both the EU and UK regimes. It has therefore made clear that it is happy for organisations exporting data from the UK to carry out an assessment that meets either the ICO’s approach or the EDPB’s approach.

The ICO is going to release guidance on how to use the transfer clauses it has previously produced (ie the International Data Transfer Agreement and the Addendum). The ICO is also considering incorporating worked examples into the TRA guidance to show how the TRA Tool can work in practice.

Why is this important?

The new guidance shows that the ICO wishes to be pragmatic and reduce the burden of the EU’s arguably complex risk assessment on businesses. The ICO’s own assessment is lighter and more risk-focused. However, it recognises that where companies need to comply with both, they should follow the EDPB’s stricter approach to ensure that they are covered.

Any practical tips?

Data transfers remain a hot topic for the regulators. Organisations that rely on data transfers within their business activities should consider if there are ways to restructure their transfers to minimise risk and to take advantage of the ICO’s pragmatic approach where, for the most part, compliance with the EU regime is likely to be sufficient in respect of the UK regime. The worked examples provided by the ICO should be particularly useful given how complicated transfer arrangements can become and it would be worth comparing these to your existing transfer framework. Above all, perhaps, the ICO’s guidance is a good reminder of the need to carry out TRAs. The ICO’s new TRA Tool is helpful in this respect, as it is a user-friendly template which takes you through a series of questions and connected guidance.

Spring 2023