3 minute read | November.28.2022
On 17 November 2022, the Information Commissioner's Office (“ICO”) announced that it has updated its guidance on international data transfers. In its announcement, the ICO outlined its intention to “clarify an alternative approach to the one put forward by the European Data Protection Board” (“EDPB”). It appears that the ICO has shifted its focus towards identifying whether the transfer “significantly increases the risk of either a privacy or other human rights breach” as opposed to a general comparison of the laws and practices between the exporting and importing country (as suggested by the EDPB). The alternative approach adopted by the ICO perhaps signals the start of a gradual shift in the UK’s data protection regime, away from the EU model, towards a more flexible, risk-based model.
The ICO’s new, more flexible risk-based approach to TRAs and additional guidance will most likely be welcomed by organisations still trying to navigate through the complexities of international data transfers. In its announcement, the ICO also noted that further clarifying updates including worked examples to show how the TRA tool works in practice and guidance on how to use the new International Data Transfer Agreement (“IDTA”) and Addendum to the Standard Contractual Clauses (“SCCs”), will be published in the coming months.