On 17.11.2022 the UK data protection and privacy authority, the Information Commissioner's Office (ICO), issued a new Transfer Risk Assessment (TRA) tool and corresponding guidance. This comes as part of the ICO’s update to the international transfers section of its Guide to UK GDPR.
The new TRA tool is an alternative to the already established European Data Protection Board’s (“EDPB”) Transfer Impact Assessment (TIA) approach and is relevant to restricted transfers of UK personal data (i.e. transfers to non-adequate third countries) based on one of the transfer mechanisms allowed for under Article 46 of the UK GDPR.
What is TIA?
In order to clarify TRA, we will first briefly touch upon TIA.
TIA is essentially a data protection tool used to assess the lawfulness and risks of personal data transfers to third countries. The need to perform this assessment stems from the EDPB’s Recommendations 1/2020 and Guidelines 5/2021, which in turn were a consequence of the notorious Schrems II decision (C-311/18). That decision invalidated the EU-US Privacy Shield arrangement and mandated case-by-case examination of third country legislation.
In the wake of the Schrems II decision, an exporter of data can no longer simply rely on approved transfer mechanisms such as SCCs. Instead, the exporter must also consider, on a case-by-case basis and through the TIA procedure, whether the laws or practices of the third country ensure protection of the data to EU standards. If the company finds that the third country does not ensure the necessary level of protection, the company must provide additional safeguards or suspend the transfers.
As a consequence, transfers of personal data to third countries have become more difficult, while transfers to the USA have become legally questionable, to say the least. In fact, some experts have even argued that such transfers are effectively banned due to the uncompromising stipulations of the EU officials.
The ICO's TRA approach
The TRA tool introduced by the ICO can be seen as an effort to alleviate the resulting situation regarding the USA and to simplify third country transfers by way of a ‘lighter touch’ approach from the UK regulators. Essentially, UK-based exporters of UK data can choose between the new TRA approach and the EU-mandated TIA. EU-based exporters, on the other hand, do not have as free a choice between the TRA and the TIA.
There are, however, some crucial limitations to the TRA. Firstly, the tool has been designed for simple transfers, i.e. transfers where data is going to only one importer located in one destination country. Secondly, it is important to bear in mind that the tool is applicable only to ‘pure’ UK data: the TRA is not recognised by the EU and therefore does not guarantee fulfilment of the requirements of the EU GDPR and EDPB guidance.
TRA vs. TIA
While the TRA is not necessarily applicable to EU data, it is still worthwhile to inspect the UK tool in order to consider whether the EU might adapt its approach in the future.
The TRA tool consists of six (6) steps and takes the form of a questionnaire.
1. Question 1 requires detailed information about the specific transfer and is essentially equivalent to the TIA’s “know your transfers” requirement.
2. The 2nd question pertains to the level of risk to the people whose personal information is being transferred. If there is a low risk of harm should the personal information be misused or lost, the transfer may proceed without further assessment. This marks a departure from the TIA, which treats all data equally strictly.
3. The 3rd question determines the reasonable and proportionate level of investigation for the organisation. If a company is an SME, the TRA does not expect it to perform as rigorous an investigation as large businesses. Instead, SMEs may rely on publicly available information. This is noticeably different from the TIA approach, which does not differentiate between companies.
4. Question 4 requires companies to examine whether there is a risk of human rights violations arising from the transfer. Where the risk is less than significant, no notable obligations arise in this step, contrary to the TIA approach, which has been interpreted to require near zero risk.
5. Question 5 pertains to the enforceability of the transfer mechanism against the importer. No further obligations arise in this step if there is only a low likelihood that the mechanism would not be enforceable. This leeway is absent from the TIA approach.
6. The 6th question concerns the results of questions 4 and 5, as organisations may proceed with the transfer only where no human rights or enforceability risk was identified. Question 6, however, also contains a list of exceptions to the restricted transfer rules. If an exception applies, the transfer may proceed.
Will EU follow suit?
The ICO’s TRA appears to be more risk-based than its TIA counterpart and is therefore arguably more business-friendly and pragmatic. However, this practicality seems to come at the expense of the safety of personal data. In addition, in response to criticism and claims that its guidance is impractical, the EDPB has replied that it is constrained by the law (the GDPR and the European treaties) as interpreted by the CJEU. Therefore, it is unlikely that the EDPB will change its guidance in the wake of the ICO’s TRA tool.
Nonetheless, it is important to note that the EDPB recommendations and guidance are only recommendations and not binding law. Therefore, some experts argue that, theoretically, it would be possible to take a more risk-based approach. This, however, is a hazardous approach and might lead to undesired consequences in the form of penalties and fines. Therefore, it is highly unlikely that EU-based exporters would switch to the TRA tool or another risk-based approach. In addition, many UK-based exporters might still opt for the TIA approach, as it is likely that a large proportion of their data flow consists of both UK and EU data.
The biggest issue with the EDPB’s TIA approach has been its stance on the USA, which has left a lot of businesses wishing for a more reasonable approach.
Recently, however, there have been definite steps towards resolving this situation. On 25.3.2022 the European Commission and the US issued a joint statement confirming that they had agreed in principle on a new Trans-Atlantic Data Privacy Framework. In addition, on 7.10.2022 President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, implementing the agreement in principle into US law. On this basis, the European Commission will now start the adequacy decision procedure.
It seems, therefore, that the EU is choosing to exercise diplomacy and build frameworks with third countries rather than to make the TIA more practical. It therefore seems unlikely that the EU would adjust its stance on the TIA, at least before the decision on the adequacy of the USA’s data protection is made.
Our Associate Trainee Savva Kuparinen took part in writing this article.