Last week, on 17 November 2022, the Information Commissioner’s Office (ICO) published an update to its guidance on ‘International transfers’, accompanied by a blog post written by Emma Bate (Director of Legal Services (Regulatory Advice & Commercial) at the ICO).
The update primarily focuses on transfer risk assessments (TRA) and creates a new dedicated section in relation to TRAs.
Organisations are required to carry out a TRA if they wish to undertake a restricted transfer – this involves the transfer of data to a recipient located outside of the UK, in a country that is not covered by UK ‘adequacy regulations’, and consequently requires the use of an Article 46 transfer mechanism.
The ICO has described the carrying out of a TRA as ‘undoubtedly complex in many situations’. The new update intends to eliminate some of this complexity and ‘provide certainty, for all involved, that the right level of protection is in place’.
Specifically, the guidance clarifies an alternative UK approach to TRAs, different to the one put forward by the European Data Protection Board. The guidance explains the differences between each approach and emphasises that the ICO is equally comfortable with the use of either approach. The guidance also clarifies who will be responsible for carrying out a TRA and in which circumstances multiple TRAs will be necessary.
If an organisation chooses to use the new UK approach, the ICO has provided a new TRA tool, which comprises six questions, including guidance and tables to aid with its completion. Ultimately, the tool helps organisations to assess the key issue of whether ‘as a result of the transfer, there is any increase in the risk to people’s privacy and other human rights, compared with the risk if the information remains in the UK’.
The guidance stresses that, as a general rule, should an organisation conclude that their chosen Article 46 transfer mechanism fails to provide appropriate safeguards and effective and enforceable data subject rights for all the personal data, the restricted transfer should not be made. However, the guidance goes on to explain that there are eight exceptions to this general rule, as set out in Article 49 of the UK General Data Protection Regulation.
The guidance will be a welcome arrival, with many businesses currently looking for greater clarity on how to undertake their TRAs. Of particular note is the more flexible, risk-based approach put forward by the ICO. Although it may be of less use to those businesses looking to take a unified approach to their TRAs and transfer impact assessments, it will be embraced by many to ensure the continuity of their international transfers.
As a next step, the ICO has also promised detailed, clause-by-clause guidance on its international data transfer agreement and addendum, which we are told to expect in short order. This will hopefully answer the questions we know many businesses have about rolling out these documents.