ICO (UK): “TRA Tool” – new tool for Transfer Impact Assessments (TIAs)

The UK supervisory authority, the ICO, provides guidance on its website on the transfer of personal data abroad. This guidance was updated on November 17, 2022 and now contains a section on risk assessments for such transfers (“Transfer Risk Assessments”, “TRAs”, the equivalent of the TIA), together with a new TRA Tool.

According to its own statements, the ICO's aim was to present an alternative to the approach of the European Data Protection Board (EDPB), one intended to be somewhat more realistic:

Our TRA guidance clarifies an alternative approach to the one put forward by the European Data Protection Board. Our aim is to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.

The ICO does not compare the legal system of the recipient state with that of the UK (i.e. in particular the GDPR, which the UK has incorporated into national law as the UK GDPR), but instead compares the risks for data subjects with and without the transfer:

Option 1: This is the ICO’s approach in our TRA tool.

An assessment comparing the position of the people that the data is about, in the specific circumstances of the transfer:

a) if the information remains in the UK; and

b) if the proposed transfer goes ahead.

This assessment looks at the risks to people’s rights.

The key question is whether, as a result of the transfer, there is any increase in the risk to people’s privacy and other human rights compared with the risk if the information remains in the UK.

In other words, once their information is in the receiver’s hands, are people in a sufficiently similar position about any risks to their data privacy and human rights? If there is no significant additional risk, then the transfer may go ahead.

As the receiver is contractually bound to comply with the data protection rights in the Article 46 transfer mechanism, the main focus of this assessment is on the protection of human rights more generally in the destination country. Any risks about the enforceability of the Article 46 transfer mechanism are also considered.

This approach is taken in our TRA tool. This sets out one way to carry out a TRA, with questions, guidance and a template to complete.

In addition, the ICO also permits proceeding according to the EDPB approach:

Option 2: This is the approach taken by EDPB.

An assessment where the laws and practices of the UK (including the UK GDPR) are compared to the laws and practices of the importing country in order to assess the risks outlined above.

This involves looking at the safeguards in place about third party access to the information, in particular by governments. Those safeguards do not need to be identical to those in the UK, but must be sufficiently similar.

The TRA tool itself, following the ICO's first option, is a Word document which is available here (and here as PDF). In substance, it examines whether the transfer would significantly worsen the fundamental rights situation of the data subjects, irrespective of a specific jurisdiction (i.e. not just in relation to the USA, for example); if not, the ICO accepts the transfer on the basis of the standard contractual clauses. The ICO thus takes a decidedly risk-based approach, but by no means a blind one: it relies on a relatively simple procedure that focuses on the known risk factors and on the fundamental rights of the ECHR.

The tool proceeds according to the following six questions:

Question 1: What are the specific circumstances of the restricted transfer?

Here, information is first requested on the parties to the transfer, the categories of data subjects, the amount and type of data transferred, the nature and duration of the transfer, and the protection measures taken by both parties.

Question 2: What is the level of risk to people in the personal information you are transferring?

Based on the information from Question 1, the risks arising from the data to be transferred are queried, starting from a baseline risk which is then increased or reduced depending on the circumstances. The result is a classification per data category as low, moderate or high risk. Risk here means possible harm to the data subject. Risk factors include particular confidentiality and whether the data contains special categories of personal data. The risk classification by type of data in the appendix of the TRA tool is very helpful here.

Question 3: What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organization?

Here the ICO takes an interesting approach:

  • If all data are low risk, SMEs do not have to make any further checks; transfer on the basis of the standard clauses (the UK variant thereof) is permissible. At moderate risk, SMEs must carry out a closer but limited examination, which the ICO calls a “Level 1 investigation”. Here the SME may rely on information already known to it plus certain additional information, in particular about the human rights situation in the destination state. If the data are high risk, a more in-depth examination is required (“Level 2”), and if the transfer also involves extensive data, an even more in-depth one (“Level 3”).
  • For larger companies, a Level 1 investigation is already required at low risk, Level 2 at moderate risk, and always Level 3 at high risk.

Question 4: Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?

In this step, it is examined whether this general risk profile would be significantly increased by the planned transfer. For this purpose, the basic human rights requirements under the ECHR are reviewed. Two questions have to be answered:

  • Are there general concerns about the transfer regarding respect for fundamental rights?
  • Does the transfer significantly increase the risks to data subjects, by making a fundamental rights violation more likely or more serious?

Question 5:

(a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK?

(b) If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?

This step involves checking whether the transfer mechanism, usually the standard contractual clauses, could be enforced against the importer in the recipient state by the exporter and the data subjects. For this purpose, the tool asks structured questions. In principle, the transfer is permissible if

  • all data are low risk;
  • the recipient state is a functioning state governed by the rule of law;
  • the recipient state would enforce a judgment of a UK court or arbitral tribunal;
  • for certain reasons it is particularly unlikely that the exporter or the data subjects would have to bring an action in the destination country.

Transfer on the basis of the standard clauses is, in principle, inadmissible in the following cases:

  • if there is a relevant enforcement risk;
  • if the transfer significantly increases fundamental rights risks;
  • if an SME transfers extensive high-risk data, or a larger company transfers any high-risk data at all, unless a detailed analysis of the threat to fundamental rights gives the all-clear.

Question 6: Do any of the exceptions to the restricted transfer rules apply to the “significant risk data”?

The “significant risk data” is the data you identify in Questions 4 and 5 as data which your Article 46 transfer mechanism does not provide all the appropriate safeguards for.

If Questions 4 and 5 show that the transfer of all or some of the data is in principle impermissible, the exceptions must be examined, i.e. the exceptions under Art. 49 UK GDPR (corresponding to Art. 49 GDPR and analogous to Art. 6(2) of the Swiss Data Protection Act, DSG).
