ICO publishes new guidance on international data transfers and transfer risk assessments | Brodies LLP
The Information Commissioner has published its finalised guidance on transfer risk assessments and international data transfers following the European Court of Justice’s decision in Schrems II. The final guidance contains a number of changes from the consultation draft and confirms that the ICO’s approach under UK GDPR will differ from that taken by the European Data Protection Board under GDPR.
The ICO published draft guidance on international transfers and transfer risk assessments (TRAs) in February 2022. For more on Schrems II and the background to the new guidance, read our Schrems II summary.
The draft guidance followed publication of the ICO’s new UK International Data Transfer Agreement (IDTA) and UK Addendum to the (new) EU Standard Contractual Clauses (SCCs). Despite the IDTA and UK Addendum coming into force in March 2022, and being mandatory from 21 September 2022, the guidance has remained in draft for some time.
What does the new guidance say?
The new guidance has three components:
The ICO plans to publish clause by clause guidance on the IDTA and UK Addendum.
The ICO presents its guidance as offering an “alternative approach” to that put forward by the European Data Protection Board (EDPB). While organisations can still follow the EDPB approach if they wish, the ICO considers that the approach set out in its guidance gives the “right protection” for data subjects, while still being “reasonably proportionate.”
At the heart of the ICO’s approach is a focus on whether the transfer significantly affects the risk of a privacy or other human rights breach. This differs from the EDPB approach, which is much more binary.
Who is responsible for ensuring compliance?
The controller or processor that initiates and agrees the transfer is responsible for complying with the restricted transfer rules. For example:
The ICO’s new guidance provides processors with greater flexibility in relation to the location of data processing activities within their supply chains. However, with that flexibility comes greater accountability as the processor (not the controller) will be responsible for conducting a satisfactory TRA and ensuring that the transfer is lawful.
Controllers will still have obligations under Article 28 of UK GDPR to carry out appropriate diligence on their processors, reasonable and proportionate to the risks that the data sharing presents. As part of this diligence, controllers should therefore still ask questions about international transfers within the processor’s supply chain and ensure appropriate oversight of those transfers.
The ICO says that if a processor sends or returns personal data to a controller outside the UK then that is not a restricted transfer, as the transfer is initiated by the controller.
If, however, the transfer from a processor to a controller is initiated by the processor, then that will be subject to the rules on restricted transfers.
Conducting a transfer risk assessment
A TRA should be conducted when carrying out any restricted transfer using any Article 46 transfer tool. Article 46 transfer tools include the ICO’s International Data Transfer Agreement, the EU SCCs and UK Addendum, Binding Corporate Rules, or a transfer pursuant to an approved code of conduct or certification mechanism.
The ICO’s new guidance sets out two approaches to conducting a TRA:
In either case, the ICO says that TRAs should be subject to regular reviews to ensure that the assessment remains valid and that the protections put in place remain effective.
Assessing risk using the ICO’s TRA Tool
The TRA tool sets out a series of questions designed to assess the actual risks that may arise from the proposed transfer. These questions consider:
The TRA tool contains detailed guidance at each stage to help assess risk. For example, the TRA tool classifies different categories of personal data as being low, medium or high risk, and sets out aggravating and mitigating factors when assessing risk to data subjects.
Where all of the personal data being transferred is low harm risk, the ICO says that no further investigation is necessary. Where an investigation is necessary, the TRA tool sets out a three-level approach. Which level applies will be determined by the risk identified, whether the exporter is an SME or a large organisation, and the volume of data being transferred.
A level 1 investigation may take the form of a desktop review of publicly available information from sources such as the Foreign, Commonwealth and Development Office, whereas a level 3 investigation requires a detailed analysis of the treatment of human rights in the destination country.
Notably, and consistent with the ICO’s risk-based approach, exporters can take into account practical factors, such as whether the data subjects in question are ever likely to visit the destination territory, when assessing the actual level of risk to those data subjects.
Where the TRA tool concludes that a level 3 investigation is necessary, the ICO guidance also offers exporters the option of not transferring the high risk data other than by exception, with each exception then assessed on a case by case basis.
Divergence from EU guidance
The ICO’s approach marks a clear divergence from the approach set out in the EDPB’s guidance under GDPR. For organisations that are subject only to UK data protection law, the new guidance and the ability to take a risk based approach will be welcomed.
While the EDPB’s latest guidance permits exporters to assess whether problematic laws in the destination territory are likely to apply to the transfer in question, that still leads to a binary assessment of whether the importer is subject to those laws, rather than considering what, if any, harm may arise.
Organisations that are subject to both UK and EU data protection law will still need to comply with the EDPB guidance. Organisations will therefore need to carry out an initial assessment to determine which regime applies to a restricted transfer – is it UK law, EU law or both?
For example, EU law will apply to the following:
There are also particular complexities in relation to reverse transfers. While the ICO says that a transfer back to a non-UK controller is not a restricted transfer, the EDPB says it is.
This divergence means that IT service providers and other organisations that process data for controllers in both the UK and EU will need to think carefully about their approach to restricted transfers and how they deal with areas of divergence and conflict between the two sets of guidance.
What are the timescales for carrying out transfer risk assessments and remediating old EU SCCs?
The ICO’s new guidance is effective now.
Organisations have until 27 December 2022 to replace old EU SCCs with the EU’s new SCCs where that transfer is subject to GDPR.
Where the transfer is subject to UK GDPR, organisations have until 21 March 2024 to replace the old EU SCCs with the new IDTA or the new EU SCCs and the UK Addendum.
If you would like to discuss the ICO’s new guidance, or your organisation’s approach to restricted transfers, please contact Martin Sloan, Grant Campbell, or Rachel Lawson.