
Thursday, 1 December 2022

ICO Explains How To Do A Transfer Risk Assessment Under UK GDPR

The UK Information Commissioner's Office (ICO) has updated its guidance on international transfers of personal data from the UK to any country that does not benefit from an adequacy decision confirming that its data protection regime offers the same or better protection than the UK's (a 'restricted transfer'). If you need assistance, please let me know.

A ‘transfer risk assessment’ (TRA) determines whether the effective and legally enforceable protection for data subjects and their personal data under the UK data protection regime will be undermined in the proposed receiving country, even if the transferring firm uses one of the ‘transfer tools’ for providing appropriate safeguards under Article 46 of the UK GDPR.

Those transfer tools are the ICO’s International Data Transfer Agreement (IDTA), the Addendum to the EU SCCs (the Addendum) and ICO-approved Binding Corporate Rules (BCRs).

As explained previously, in backing the second successful challenge to the EU-US Privacy Shield, the ECJ decided that before a firm may rely on an Article 46 transfer tool to make a restricted transfer, it must carry out a TRA to determine whether it also needs to take supplementary steps to fill any gap in protection. If there are gaps that cannot be filled, the transfer must not be made.

It's worth noting that the ICO states in its guidance:

You do not need to carry out a TRA if you are making a transfer to any country covered by UK adequacy regulations or if the transfer is covered by one of the exceptions [in Article 49].

This is supported by guidance from the European Data Protection Board (made up of all EU member state data protection regulators): 

27. If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, you need to continue with Step 3.

But, again, as explained previously (and in the EDPB's own guidance on Article 49), the way GDPR works is that (unless the country in question benefits from an adequacy finding) you would need to have decided whether you can rely on a transfer tool under Article 46 before you can try to rely on an exception under Article 49, so you need a risk assessment either way.

The ICO's template TRA tool is a Word document that may be opened by clicking the link at the foot of the guidance page. It asks 6 questions (with guidance) to help firms get to an initial assessment. It will likely be quite efficient to use the tool, but it's not mandatory and you could work through the questions yourself:

Question 1: What are the specific circumstances of the restricted transfer? 

Question 2: What is the level of risk to people in the personal information you are transferring? 

Question 3: What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation? 

Question 4: Is the transfer significantly increasing the risk for people of a human rights breach in the destination country? 

Question 5: 

(a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK? 

(b) If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)? 

Question 6: Do any of the exceptions to the restricted transfer rules [in Article 49 of UK GDPR] apply to the “significant risk data” [which you identified in Questions 4 and 5 as data for which your Article 46 transfer tool does not provide all the appropriate safeguards]?

If by using the TRA tool, you decide that your Article 46 transfer mechanism will not provide appropriate safeguards and effective and enforceable data subject rights for all the personal data, then you must not make the restricted transfer.

The ICO will soon issue guidance on how to use the International Data Transfer Agreement (IDTA) and the Addendum to the Standard Contractual Clauses.

If you need assistance with any aspect of international personal data transfers, please let me know.


Saturday, 14 November 2020

Will It Be Practicable To Transfer Personal Data From the EEA to the UK After 2020?

From 1 January 2021, any EEA-based organisation wishing to transfer personal data from the EEA to the UK (or any other non-EEA country) will need to be able to show that the processing will have the same protection as under EU data protection law (GDPR). Many firms might consider that exercise impracticable from a cost and administration standpoint, particularly in light of certain new recommendations on which the EU authorities are now consulting. These are briefly explained below. The UK's Information Commissioner is "reviewing" the proposals, but of course has no influence. This will affect "thousands" of firms and could prove severely disruptive for cross-border services ranging from payroll and benefits, to e-commerce marketplaces to social media services. If you need assistance, either in the UK or in Ireland/EEA please let me know.

Options for transferring personal data from the EEA to the UK

An EEA-based business can only transfer personal data to a non-EEA country if one of three situations applies:

  1. the European Commission has ruled that country's personal data protection laws to be ‘adequate’;
  2. there are appropriate safeguards or 'transfer tools' in place to protect the rights of data subjects (including 'Standard Contractual Clauses'); or
  3. certain 'derogations' or exemptions apply to allow the processing as of right.  

For many reasons it is best to assume there will not be an EU adequacy decision relating to the UK’s data protection regime by 1 January 2021, as that process is long and complex, and there are some features of the UK regime which do present problems, including: 

  • the UK’s use of mass surveillance techniques;
  • intelligence sharing with other countries such as the US;
  • the questionable validity of the UK immigration control exemption;
  • the lack of a ‘fundamental right’ to data protection under UK law; 
  • UK adequacy findings for other countries’ personal data regimes that the EU does not deem adequate; and 
  • the potential for future divergence from EU data protection standards if the UK GDPR is further modified post Brexit. 

As a result of the decision of the European Court of Justice in a case against Facebook (‘Schrems II’), a data exporter relying on Standard Contractual Clauses (or other contractual 'transfer tools') must first verify that the law of the third country ensures a level of protection for personal data that is equivalent to the EU's General Data Protection Regulation. If that level is considered sub-standard, the data exporter may be able to use certain measures to plug the gaps, but this process would need to be carefully documented and is the subject of the main recommendations from the EDPB. 

The extent to which you can usefully rely on the derogations, either before considering the other appropriate safeguards or 'transfer tools', or if those other options are not available, is also somewhat doubtful, as I will explain.

Assessing whether personal data transfers outside the EEA are appropriate

To help data exporters evaluate whether the use of transfer tools will be appropriate, the forum of all the EEA data protection authorities (the European Data Protection Board or EDPB) is now consulting on recommendations for:

The EDPB's first set of recommendations contains the steps outlined below. The European Essential Guarantees enable data exporters to determine whether the rights of public authorities to access personal data for surveillance purposes can be regarded as a justifiable interference with the rights to privacy and the protection of personal data. Basically:

A. Processing should be based on clear, precise and accessible rules;

B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;

C. An independent oversight mechanism should exist;

D. Effective remedies need to be available to the individual.

The steps involved in assessing the appropriateness of transfer tools must be documented. These involve:

  • mapping the proposed transfers;
  • choosing the basis for transfer (adequacy decision, 'transfer tool' or derogation);
  • unless an adequacy decision has been made by the EU, working with the data importer to assess whether the law or practice of the third country may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer, relying on objective sources (legislation, especially where ambiguous or not publicly available; and/or certain reputable third party findings such as those in Annex 3) rather than on subjective factors such as the perceived likelihood of public authorities’ access to your data in a manner not in line with EU standards;
  • considering whether any supplementary tools might avoid any problems with the third country's laws (various use-cases and suggested tools are explained in Annex 2 to the recommendations);
  • taking any formal steps to implement the relevant tool;
  • re-evaluating the assessment periodically or on certain triggers, such as changes in the law (which you should also oblige the data importer to keep you informed about).

Data exporters must thoroughly record their assessment process in the context of the transfer, the third country law and the transfer tool on which they propose to rely. But it may not be possible to implement sufficient supplementary measures in every case, meaning the transfer must not proceed. As the Commission points out, there are "no quick fixes, nor a one-size-fits-all solution for all transfers."

The problem with relying on 'derogations'

The EDPB's first set of recommendations state (at para 27) that "If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, you need to continue with... ” assessing whether the proposed transfer tool is effective. However, that order of approach is not consistent with Article 49, which provides that:

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; 

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

...

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

In addition, the EDPB's own guidance on Article 49 itself points out (on pages 3-4) that:

“Article 44 requires all provisions in Chapter V to be applied in such a way as to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined. This also implies that recourse to the derogations of Article 49 should never lead to a situation where fundamental rights might be breached…Hence, data exporters should first endeavor [explore?] possibilities to frame the transfer with one of the mechanisms included in Articles 45 [adequacy] and 46 [transfer tools] GDPR, and only in their absence use the derogations provided in Article 49 (1)” [but even then the use of the derogations would imply the need for an assessment of the third country’s personal data protection regime by virtue of article 44].

Accordingly, there seems to be no alternative to running through the steps to assess whether the relevant 'transfer tools' will work (with or without supplementary measures) in the context of the transfer and the third country's law. Yet many firms will likely find that process impracticable from a cost and administration standpoint.