ICO Issues Updated Guidance on International Data Transfers

On 17 November 2022, the Information Commissioner's Office (“ICO”) announced that it has updated its guidance on international data transfers. In its announcement, the ICO outlined its intention to “clarify an alternative approach to the one put forward by the European Data Protection Board” (“EDPB”). It appears that the ICO has shifted its focus towards identifying whether the transfer “significantly increases the risk of either a privacy or other human rights breach” as opposed to a general comparison of the laws and practices between the exporting and importing country (as suggested by the EDPB). The alternative approach adopted by the ICO perhaps signals the start of a gradual shift in the UK’s data protection regime, away from the EU model, towards a more flexible, risk-based model.

What’s new?

• Transfer Risk Assessment (“TRA”) guidance
  
  The updates include a new section on how to approach a TRA. In particular, the ICO offers a new more risk-based approach for organisations to adopt when considering international data transfers.
  
  As noted above, the new approach focuses on the key question of whether the transfer significantly increases the risk to the individual’s human or data privacy rights. In essence, the main point for consideration is, from a risk perspective, will the individual be in a sufficiently similar position once the transfer is made? If yes, the transfer can proceed.
  
  How does this differ from the EDPB’s guidance? Under the ICO’s approach, the focus of the assessment is on the potential human rights risks faced by the individual rather than a general comparison of the laws between the importing and exporting jurisdiction. This gives organisations the flexibility to adopt a more risk-based approach.
  
  Can organisations still follow the EDPB’s recommended approach? Yes, the ICO makes clear that organisations can continue to follow the EDPB’s approach or, if preferred, adopt the ICO’s alternative approach. Both approaches will be sufficient from the ICO’s perspective.
• TRA Tool
  
  The ICO has introduced a new TRA tool which provides useful practical tips to guide organisations through the TRA process. The tool consists of six questions that should be answered when assessing the risks associated with the proposed transfer together with some useful supplementary guidance. The questions raised in the TRA tool are as follows:

1. What are the specific circumstances of the restricted transfer?
2. What is the level of risk to people in the personal information you are transferring?
3. What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation?
4. Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
5. 1. Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK?
   2. If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
6. Do any of the exceptions to the restricted transfer rules apply to the “significant risk data”?
   
   

The ICO’s new, more flexible risk-based approach to TRAs and additional guidance will most likely be welcomed by organisations still trying to navigate through the complexities of international data transfers. In its announcement, the ICO also noted that further clarifying updates including worked examples to show how the TRA tool works in practice and guidance on how to use the new International Data Transfer Agreement (“IDTA”) and Addendum to the Standard Contractual Clauses (“SCCs”), will be published in the coming months.