The English regulatory authority, the ICO, provides guidance on its website on the transfer of personal data abroad. This guidance was updated on November 17, 2022. It now contains a section on risk assessments for such transfers (“Transfer Risk Assessments”, “TRAs”, equivalent to the TIA) and also a new TRA Tool.
According to its own statement, the ICO's aim was to present an alternative to the approach of the European Data Protection Board (EDPB), one that is intended to be somewhat more realistic:
Our TRA guidance clarifies an alternative approach to the one put forward by the European Data Protection Board. Our aim is to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.
The ICO does not compare the legal system of the recipient state with that of the UK (i.e. in particular the GDPR, which the UK has incorporated into national law as the UK GDPR), but instead compares the risks for data subjects with and without the transfer:
Option 1: This is the ICO’s approach in our TRA tool.
An assessment comparing the position of the people that the data is about, in the specific circumstances of the transfer:
a) if the information remains in the UK; and
b) if the proposed transfer goes ahead.
This assessment looks at the risks to people’s rights.
The key question is whether, as a result of the transfer, there is any increase in the risk to people’s privacy and other human rights compared with the risk if the information remains in the UK.
In other words, once their information is in the receiver’s hands, are people in a sufficiently similar position about any risks to their data privacy and human rights? If there is no significant additional risk, then the transfer may go ahead.
As the receiver is contractually bound to comply with the data protection rights in the Article 46 transfer mechanism, the main focus of this assessment is on the protection of human rights more generally in the destination country. Any risks about the enforceability of the Article 46 transfer mechanism are also considered.
This approach is taken in our TRA tool. This sets out one way to carry out a TRA, with questions, guidance and a template to complete.
In addition, the ICO also permits the EDPB's approach:
Option 2: This is the approach taken by EDPB.
An assessment where the laws and practices of the UK (including the UK GDPR) are compared to the laws and practices of the importing country in order to assess the risks outlined above.
This involves looking at the safeguards in place about third party access to the information, in particular by governments. Those safeguards do not need to be identical to those in the UK, but must be sufficiently similar.
The ICO's TRA tool for the first option is a Word document, which is available here (and here as PDF). In essence, it examines whether the transfer would significantly worsen the fundamental rights situation of the data subjects, irrespective of a specific jurisdiction (i.e. not just in relation to the USA, for example); if not, the ICO accepts the transfer on the basis of the standard contractual clauses. The ICO thus takes a decidedly risk-based approach, but by no means a blind one: it relies on a relatively simple procedure that focuses on the known risk factors and on the fundamental rights under the ECHR.
The tool proceeds according to the following six questions:
Question 1: What are the specific circumstances of the restricted transfer?
Here, information is first requested on the parties to the transfer, the categories of data subjects, the amount and type of data transferred, the nature and duration of the transfer, and the protective measures taken by both parties.
Question 2: What is the level of risk to people in the personal information you are transferring?
Based on the information from step 1, the risks arising from the data to be transferred are queried, starting from a baseline risk that is then increased or reduced depending on the circumstances. The result is a classification per data category as low risk, moderate risk or high risk. Risk here refers to possible negative effects on the data subject. Risk factors include a particular need for confidentiality or whether the data includes personal data requiring special protection. The risk classification by type of data in the appendix of the TRA tool is very helpful here.
Question 3: What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organization?
Here, the ICO takes an interesting approach:
- If all data is low risk, SMEs do not have to carry out any further checks: transfer on the basis of the standard clauses (the UK variant thereof) is permissible. At moderate risk, SMEs must carry out a closer but still limited examination, which the ICO characterizes as a “Level 1 investigation”. In doing so, the SME may rely on information already known to it plus certain additional information, in particular about the human rights situation in the destination state. If the data is high risk, a more in-depth examination is required (“Level 2”), and if the transfer also involves extensive data, an even more in-depth one (“Level 3”).
- For larger companies, a Level 1 investigation is required even at low risk, Level 2 at moderate risk, and always Level 3 at high risk.
Question 4: Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
In this step, it is examined whether the general risk profile established so far would be significantly increased by the planned transfer. For this purpose, the basic human rights requirements under the ECHR are reviewed. Two questions have to be answered:
- Are there general concerns with the transfer related to the respect of fundamental rights?
- Does the transfer significantly increase the risks to data subjects by increasing the likelihood of a fundamental rights violation or by making a violation more serious?
Question 5:
(a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK?
(b) If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
This step involves checking whether the transfer mechanism (usually the standard contractual clauses) could be enforced against the importer in the recipient state by the exporter and the data subjects. For this purpose, the tool asks structured questions. In principle, the transfer is permissible if
- all data is low risk;
- the recipient state is a functioning state governed by the rule of law;
- the recipient state would enforce a judgment of a UK court or arbitral tribunal;
- for certain reasons, it is particularly unlikely that the exporter or the data subjects would have to bring an action in the destination country.
Transfer on the basis of the standard clauses is fundamentally inadmissible in the following cases:
- where there is a relevant enforcement risk;
- where the transfer significantly increases fundamental rights risks;
- where an SME transfers extensive high-risk data, or a larger company transfers any high-risk data at all, unless a detailed analysis of the threat to fundamental rights gives the all-clear.
Question 6: Do any of the exceptions to the restricted transfer rules apply to the “significant risk data”?
The “significant risk data” is the data you identify in Questions 4 and 5 as data which your Article 46 transfer mechanism does not provide all the appropriate safeguards for.
If step 5 showed that the transfer of all or some of the data is fundamentally impermissible, the exceptions must be examined, i.e. the exceptions under Art. 49 GDPR (analogous to Art. 6 (2) GDPR).