The ICO's updated guidance on international data transfers frames a different approach to carrying out transfer risk assessments than the EDPB's and is arguably the more straightforward. While the ICO will recognise either the UK or the EU approach, it remains to be seen what the EU thinks about this development and whether it will raise concerns around onward transfers of EU data from the UK. Businesses operating across the EU and UK may prefer to stick with the EDPB's approach to transfer risk (or impact) assessments.
ICO updates guidance on international data transfers
The UK's ICO has published updated guidance on international data transfers. This includes a new section on transfer risk assessments (TRAs), known as Transfer Impact Assessments or TIAs in the EU, as well as a new TRA tool. These are required when using Article 46 transfer mechanisms, as a result of the CJEU judgment in Schrems II.
The ICO stresses that its guidance provides an alternative to the EDPB's guidance on supplementary measures for international transfers. The ICO's own approach to TRAs is different but it says that it is "happy for organisations exporting data from the UK to carry out an assessment" that meets either the UK or the EU approach, which it summarises as follows:
- Option 1, UK approach in TRA tool – the assessment compares the position of the data subjects in the specific circumstances of the transfer in terms of whether there would be any increase in the risk to the individual if the transfer goes ahead, compared with the position were the data to remain in the UK. The focus is on protection of human rights in the destination country, given that the recipient of the data is already obliged to comply with the data protection requirements under the relevant Article 46 transfer mechanism. Enforceability of the Article 46 mechanism is also a factor.
- Option 2, EDPB approach– the assessment compares the laws and practices of the UK (including the UK GDPR) with those of the importing country in order to evaluate the risks outlined above. This involves looking at the safeguards in place about third party access to the information, in particular by governments. The safeguards do not need to be identical to those in the UK, but they must be sufficiently similar.
The ICO's new TRA tool is designed to help organisations assess the initial risk level of the relevant categories of data by asking a series of six questions, each of which is accompanied by supporting documentation tables guiding what to consider. The questions are:
- What are the specific circumstances of the restricted transfer?
- What is the level of risk to the people in the personal information you are transferring?
- What is a reasonable and proportionate level of investigation, given the risk level in the personal information and the nature of your organisation?
- Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
- Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 mechanism against the importer in the UK; and if enforcement action is needed outside UK, are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country or elsewhere?
- Do any of the exceptions to the restricted transfer rules apply to the significant risk data you have identified?
The ICO's option 1 approach does put a different emphasis on this exercise to the EDPB's and it should be easier for businesses to complete (despites the length of the TRA tool), however, it could create tension with the EU in relation to onward data transfers and the level of protection afforded to EU data which is ultimately exported to third countries from the UK. For this reason, cross-border businesses may prefer to stick with the EDPB's approach.
EDPS Opinion on the draft Cyber Resilience Act
The European Data Protection Supervisor has published an Opinion on the EU's draft Cyber Resilience Act, which covers harmonised security requirements for IoT and other products with digital elements. The EDPS broadly welcomes the initiative while emphasising that the GDPR already contains cybersecurity requirements. He urges the Commission to include data protection by design and default as an essential element, in addition to security and data minimisation. As is often the way when commenting on proposed data-related legislation, the EDPS also stresses the need for any incoming legislation to work with the GDPR.
Meta seeks to reverse Instagram fine
Meta is reportedly seeking to overturn the €405m Euro fine imposed on it by the Irish Data Protection Commissioner in September. The fine related to historic practices which resulted in default publication of children's personal data on the Instagram platform. Meta said it would appeal the fine and is now reportedly seeking a number of High Court declarations including one that parts of the Irish Data Protection Act 2018 are invalid under the Irish constitution, and are incompatible with the European Convention on Human Rights. In addition, Meta intends to apply to the CJEU to annul an EDPB instruction to the Irish Courts on the level of the fine imposed.
EDPB adopts recommendations on applying for controller BCRs
The European Data Protection Board has adopted draft recommendations on applying for controller Binding Corporate Rules to underpin data transfers to third countries. The recommendations will update the current guidance and bring it in line with the Schrems II requirements, replacing the current Article 29 Working Party Recommendations. They also update the application form and set out what must be included on the form and with the application. The draft is open to comments until 10 January 2023. The EDPB is also working on guidelines for processor BCRs.
India publishes draft Digital Personal Data Protection Act
India has published a draft Digital Personal Data Protection Bill to update its data protection regime. A previous attempt to pass a new data protection act ended in failure. The Bill provides for protection of individual rights. It appears to have stepped back from data localisation requirements, allowing for cross-border transfers with notified countries and territories. It also provides for a Data Protection Board to oversee compliance and impose penalties up to a maximum of INR 5bn.
High Court grants permanent injunction on material harvested in ransomware attack
The High Court has granted summary judgment in respect of a permanent injunction in a breach of confidence claim arising out of a ransomware attack. It also preserved the anonymity of the Claimant. The Claimant had previously got a without notice interim injunction restraining the unknown Defendants from using or distributing the Claimant's confidential information which was harvested in a ransomware attack. The Claimant then commenced proceedings for breach of confidence and the Court continued the injunction on expanded terms. The Court granted summary judgment because the large amount of data stolen fell into categories requiring extra protection (including security sensitive information), and because the information was obtained by hacking.
The Claimant's anonymity was preserved largely due to the nature of their work and the fact that much of it is covered by the Official Secrets Act.