Does the ICO's new transfer risk assessment tool offer a pragmatic solution to the Schrems II dilemma?
04 January 2023
As Noyb and Max Schrems are contemplating a challenge to the latest EU-US Data Privacy Framework, it appears Schrems III may be on the horizon. However, with any such challenge months and years away, the fallout and response to the Schrems II case continues.
On 17 November 2022, the ICO published an update to its international transfers guidance, including new guidance on Transfer Risk Assessments (TRA) and a template TRA tool. In this extended A&O blog, Nathan Charnock, recent ICO secondee, and Steve Wood, former Deputy Information Commissioner at the ICO, analyse the ICO’s approach to TRAs and what this means for organisations already in the midst of post-Schrems II implementation activity.
So how did we end up here?
Those of you who follow EU and UK data protection developments closely will be acutely aware of the tumultuous period we continue to experience when it comes to international data transfer rules. We could dedicate an entire book to detailing those developments but a quick snapshot of key events is set out at the end of this blog as an aide-memoire.
In the UK, Brexit and recent ministerial changes at the heart of Government have played their part in adding further uncertainty for business in the area of data protection. The UK Government has issued its first adequacy decision post-Brexit with more on the way, and its draft Data Protection and Digital Information Bill (DPDI Bill) is moving through its legislative process (although this process has been delayed for the past four months). The DPDI Bill seeks to walk the tightrope of capitalising on “Brexit freedoms” to de-regulate whilst maintaining the UK’s own status as an adequate country for exports of personal data from the EU.
This is the backdrop against which the ICO is navigating the complexity of dealing with Schrems II whilst no longer a member of the European Data Protection Board (EDPB). In February 2022, the ICO published the final version of its UK International Data Transfer Agreement (IDTA) and, as an alternative, the UK Addendum to the new EU standard contractual clauses (SCCs). These two new transfer tools can be used by organisations as valid mechanisms to govern restricted transfers of personal data from the UK under the UK GDPR (i.e. transfers to countries that have not yet been deemed “adequate” by the UK Government).
The Schrems II decision is still binding in the UK post-Brexit, which means that, regardless of the transfer mechanism used to carry out a restricted transfer, UK exporters must also carry out an assessment to ensure data subjects are afforded a level of protection essentially equivalent to that guaranteed in the UK. Enter the ICO with its guidance on transfer risk assessments and a template TRA tool to help organisations carry out those assessments.
Is a TRA essentially equivalent to a TIA?
Yes and no. The EDPB’s transfer impact assessment (TIA) and the ICO’s TRA approach both seek to address the same concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II case. However, the practical way in which they try to do this is quite different, and it appears to be no accident that the ICO guidance describes the use of transfer risk assessments, rather than simply adopting the EDPB’s terminology of transfer impact assessments (TIAs).
The EDPB approach requires a detailed assessment where the laws and practices of the UK are compared to the laws and practices of the importing country in order to assess the impact on data subjects. By contrast, the ICO’s TRA approach (described in detail below) makes it clear that data exporters should carry out a reasonable and proportionate assessment that focuses on:
- Two types of risk: (i) risks to people’s rights arising in the destination country from the information being accessed by third parties that are not bound by the transfer mechanism; and (ii) risks to people’s rights arising from difficulties enforcing the transfer mechanism in the destination country.
- The key question of whether, as a result of the transfer, there is any significant increase in the risk to people’s privacy and other human rights, compared with the risk if the information remains in the UK.
Therefore, on the face of it, the ICO’s TRA approach provides a more pragmatic and streamlined solution to the Schrems II dilemma in the UK, whilst seeking to remain within the parameters of that decision (and therefore seeking to help preserve the UK’s own adequacy status). In particular, the need for a “significant” increase in the risk to people’s human rights in order to halt a transfer presents a clear distinction from the more conservative and fulsome TIA approach of the EDPB.
However, the ICO was quick to make it clear in its guidance that its TRA approach provides only one of a number of possible solutions. Importantly, the ICO has recognised that the EDPB’s TIA approach remains a valid mechanism for carrying out a risk assessment contemplated by Schrems II. This is important for multinational organisations who export personal data from the EU and the UK to third countries.
We have seen many of these organisations adopt the UK Addendum to the SCCs as their preferred contracting model for exports from the UK. In line with this approach, we expect that the majority of these organisations will continue to follow the EDPB’s TIA approach for the time being.
However, for organisations who have no or limited presence in the EU, the ICO’s TRA approach will likely be the preferred approach for assessing their exports of personal data from the UK, particularly for simple transfers where the ICO’s approach will likely save significant time and resources for businesses.
The ICO’s template TRA tool: A detailed analysis
A UK tool with legal certainty and proportionality at its core?
Legal certainty and proportionality are two of the core principles of EU law - the law must be clear and precise with its legal implications foreseeable and the measures imposed should be appropriate and necessary to achieve a legitimate aim.
Arguably, it could be difficult to fully reconcile both the CJEU’s interpretation of the GDPR in Schrems II and the EDPB’s guidance with these concepts. In particular, the complex analysis required of organisations in order to complete a TIA means that there is a risk that some organisations, particularly SMEs, will struggle to find the means and resources to enable them to comply in full.
The ICO’s template TRA tool attempts to address that risk by creating a more user-friendly solution that ensures the level of assessment required is reasonable and proportionate in the context of the transfer in question – higher risk transfers require more detailed analysis; some low risk transfers require little or no assessment. The tool is only suitable for “straightforward transfers” and would need to be adapted for more complex personal data flows where data is sent to multiple destinations.
A pragmatic solution to an enormous challenge?
Notwithstanding the overall complexity of the topic of international transfers, the ICO’s template tool is a welcome alternative to the approach advocated by the EDPB. The template tool provides a ready-made form that organisations can pick up and immediately start to populate, and despite its length (41 pages!), feels relatively user-friendly. The tool comprises six key questions, and the template breaks these down into smaller subsets of questions, with tables for exporters to complete and guidance to assist at each stage.
Question 1: What are the specific circumstances of the restricted transfer?
The first question requires exporters to populate the template with information about the transfer in question. This information is similar to that included in the annexes to the SCCs or the UK IDTA or Addendum; it includes details about the importer and exporter, the personal data being transferred, the processing activities of the importer and the volume, frequency and duration of the transfer.
Question 2: What is the level of risk to people in the personal information you are transferring?
The second question requires exporters to assign a risk level to the personal data they are transferring based upon the level of harm (low, moderate or high) that may result from the misuse or loss of that data following the transfer. The ICO’s template tool helpfully provides an initial risk score for over 50 different categories of personal data and a table in which you can record the risk scores associated with your transfer. However, you also need to consider, based upon the circumstances of the transfer, whether or not there are factors that may increase or decrease that risk. For example, the ICO notes that, if information is confidential, relates to a child or vulnerable adult, can infer special category data or is transferred in large volumes, this would tend to increase the initial risk score. By contrast, if personal data is already in the public domain, or if it is encrypted or pseudonymised prior to transfer, this would tend to reduce the risk level.
Question 3: What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation?
The third question will be very important for many organisations as it determines the level of further assessment (if any) that is required based upon what is reasonable and proportionate in the circumstances. This depends upon (i) the risk level of the personal data (from Question 2); (ii) the size of the organisation, calculated based upon the level of data protection fee payable to the ICO; and (iii) the volume of personal data being transferred. Importantly, if you conclude in Question 2 that:
- All the personal data you are transferring poses a “low harm risk”, you can continue with the transfer without further investigation or analysis. This means that in most cases you can transfer names, contact information, age details, employment history and recruitment information, training and security records (and various other low risk categories of data) without carrying out a more detailed assessment. Good news for many businesses!
- All the personal data you are transferring poses a “moderate harm risk” or “low harm risk”:
  - SMEs are required to carry out a level 1 investigation into the destination country to answer the remaining questions – this light-touch investigation only requires an organisation to refer to its own knowledge of the destination country and certain human rights reports prepared by government departments and charitable organisations referred to in the ICO’s guidance.
  - Larger organisations are required to carry out a level 2 investigation into the destination country that, in addition to the resources consulted at level 1, requires an organisation to conduct further internet-based research about the destination country referring to additional resources and human rights reports.
- All or some of the personal data you are transferring poses a “high harm risk”, such as special category data, a level 3 investigation is required (except where an SME is transferring a low volume of “high harm risk” data, in which case a level 2 investigation is sufficient). A level 3 investigation requires, in addition to completing levels 1 and 2, that you carry out a more detailed analysis of the treatment of human rights in the destination country. This may require you to seek professional advice.
As a result of Question 3, more detailed assessments would only be required where personal data that poses a high risk of harm is transferred – this proportionate approach should be welcomed.
Question 4: Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
Once you have identified the level of investigation required, based upon that investigation and the specific circumstances of your transfer, you need to determine whether the transfer will make the “human rights risk” worse for the people the information is about – compared with leaving the data in the UK.
The ICO clarifies that the increase in risk must be “clear and meaningful and linked to the transfer” and any personal data that falls into this category is marked as “significant risk data” in your assessment.
A clear example that comes to mind here is a situation where you are sending information about an individual’s sexual orientation to a country that has a poor human rights record – this would likely result in a clear and meaningful increase in the risk to the individual.
Question 5: Are you satisfied that both you and the people the information is about will be able to enforce the transfer mechanism against the importer in the UK? If enforcement action outside the UK may be needed, are you satisfied that you and the people the information is about will be able to enforce the transfer mechanism in the destination country (or elsewhere)?
The fifth stage of the assessment requires you to consider whether or not, based upon your investigation and the nature of the transfer, the transfer mechanism can be enforced in the UK or the destination country against the importer. For example, if your investigation highlights any concerns about the rule of law or the independence of courts or judges, this could raise some concern. By contrast, if there is a high likelihood that the importer will accept a decision of a UK court or an arbitration award (the ICO provides a list of factors to consider here), then this would indicate there is unlikely to be an enforceability risk with the transfer.
If you identify an enforceability risk in the destination country, the high risk data you are processing will be considered “significant risk data” for the remainder of the assessment.
Following completion of this analysis, the ICO tool then requires you to tot up your responses to various different questions at Decision Point E. This part of the form is perhaps the most difficult to follow but it essentially helps you to identify, based upon your answers to Questions 4 and 5, what categories of data are your “significant risk data” – i.e. what categories of personal data does the transfer mechanism not appropriately safeguard from a human rights or enforceability perspective?
Questions 4 and 5 also give you the opportunity to consider implementing “Extra Steps and Protections” (the ICO’s equivalent of supplementary measures) to try to reduce the risk associated with the transfer. The ICO provides some useful examples of the measures you can consider implementing in an appendix to the template TRA tool.
Question 6: Do any of the exceptions to the restricted transfer rules apply to the “significant risk data”?
The final question requires you to use the ICO’s guidance to determine whether any of the various exceptions or derogations to the transfer rules (under Article 49 GDPR) apply to enable you to transfer that significant risk data, despite the risks identified. The ICO provides a helpful table to enable you to consider each exception in turn.
Finally, the tool requires you to record the outcome of your assessment. If you have been unable to implement extra protections and measures to reduce the risk associated with the transfer and no exception applies, you are unable to transfer any “significant risk data” you have identified.
What next? – TRAction speaks louder than words
Many multinationals who operate in the EU and the UK have already spent lots of time and resources seeking to implement the EDPB recommendations on supplementary measures and the UK Addendum to EU SCCs. The ICO’s guidance helpfully supports use of the EDPB approach and therefore this will, we expect, remain the preferred approach for multinationals in the foreseeable future.
However, on paper, the ICO’s TRA tool feels like a positive step in the right direction and a pragmatic solution to a complex challenge. The true test of the success of this tool will be how it stands up to scrutiny once used in practice across a range of different transfer types and destination countries. This will determine whether the solution really can, as the ICO suggests, empower innovation and growth whilst protecting people’s personal information.
The subject matter means that certain parts of the tool will continue to be challenging to implement but helpfully:
- The content appears largely consistent with the proposed transfer provisions in the draft DPDI Bill.
- The ICO is also considering extending its guidance to include worked examples to show how the TRA tool can be used in practice. This is in addition to the promised clause-by-clause guidance showing organisations how to use the IDTA and the Addendum to the SCCs.
- The UK Government is also likely to approve a data privacy framework with the US, similar to that announced recently with the EU, which will likely reduce the need for a TRA for certain transfers to the US.
Watch this space!
A snapshot reminder of recent EU/UK international transfer developments
- October 2015: Schrems I – In a case brought by privacy rights campaigner Max Schrems against the Irish Data Protection Commissioner, the CJEU declared that the Safe Harbor framework of privacy principles, that had enabled the transfer of personal data from the EU to the US since 2000, was invalid.
- June 2016: The EU–US Privacy Shield Framework came into force – a new mechanism to enable transfer of personal data from the EU to the US following the invalidation of Safe Harbor.
- May 2018: The EU GDPR and its Chapter V restrictions on international transfers came into force.
- July 2020: Schrems II – Max Schrems was back again with a case against Facebook, and the CJEU decision held that (i) the EU-US Privacy Shield Framework was invalid; and (ii) data exporters must ensure that data subjects whose personal data is transferred to a third country are afforded a level of protection essentially equivalent to that guaranteed in the EU. This meant that exporters could only rely on a transfer mechanism, such as SCCs or binding corporate rules, where they have carried out an assessment of the destination country and concluded that the personal data would be afforded an essentially equivalent level of protection.
- June 2021: The EU Commission issued new SCCs to be used as a transfer mechanism under the GDPR for exporting personal data from the EU. As a reminder, 27 December 2022 is the deadline for re-papering your contracts and replacing the old SCCs with these new ones.
- June 2021: Following Schrems II, the EDPB adopted its recommendations on the supplementary measures to ensure transfer tools, such as SCCs, ensure compliance with the EU level of protection of personal data – this guidance sets out how an organisation should carry out an assessment we now call a Transfer Impact Assessment or TIA.
- June 2021: Following Brexit, the EU Commission adopted an adequacy decision for the United Kingdom under the EU GDPR.
- February 2022: Following Brexit, and publication of the new SCCs, the ICO published its own (i) UK International Data Transfer Agreement (IDTA) as a new transfer tool to be used for international transfers from the UK; and (ii) as an alternative, the UK Addendum to the new EU SCCs.
- July 2022: The UK DPDI Bill, which contained provisions on transfers, was published and introduced into Parliament.
- November 2022: The ICO published an update to its international transfers guidance, including new guidance on Transfer Risk Assessments (TRA) and a template TRA tool which is the topic of this blog.
- December 2022: The EU Commission published a draft adequacy decision on a new EU-US Data Privacy Framework.