A Step but Not Quite a Leap – the ICO’s New Approach to Restricted Transfers

31 Jan 2023
Client Alert

It has been just over two years since the UK officially exited the EU and we are beginning to see how the UK and the UK Information Commissioner’s Office (ICO) intend to differentiate themselves from the EU approach to restricted transfers (i.e., transfers of personal information to countries that are not recognized as “adequate” for data protection purposes). The changes do not indicate a giant leap away from the EU approach (at least not yet), but the changes are significant enough for companies operating in the UK to take note. 

The ICO recently revised its guidance on international transfers and published a Transfer Risk Assessment tool (TRA Tool) (which is the UK’s equivalent to a Transfer Impact Assessment (TIA)). TRAs (or TIAs) need to be carried out to determine if residual risks remain despite the use of a transfer mechanism (such as the UK’s International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses (EU SCCs)).

In brief:

  • The ICO is recognizing both its new approach to TRAs and the approach of the European Data Protection Board (EDPB) to TIAs as valid under UK law.
  • In some ways, the ICO’s approach is more risk-based than the EU’s, as it gives more control to the company making the transfer to be satisfied that residual risks have been sufficiently reduced.
  • The ICO’s revised international transfer guidance has shifted the focus to the contracting relationship and who initiates the transfer when determining whether a restricted transfer has taken place.
  • These updates have been published while key developments to finalize the EU-US Privacy Framework are ongoing. On December 13, 2022, the European Commission published a draft adequacy decision for the EU-US Privacy Framework, and we have seen a position paper from the UK indicating that it will likely recognize the United States as adequate, so we expect movement on this issue in early 2023.

How does the ICO’s TRA Tool work?

Where companies rely on a transfer mechanism (such as the UK Addendum to the EU SCCs) to make a restricted transfer, they should carry out a TRA to help ensure that, in the specific circumstances of that transfer, there are appropriate safeguards against any residual risks to individuals’ rights that may arise in the destination country and that are not adequately covered by the transfer mechanism. For example, in light of the CJEU’s Schrems II case (see our Client Alert), particular regard is paid to government access and mass surveillance, and, more generally, difficulty in enforcing UK GDPR rights.

The ICO’s TRA guidance includes two options for undertaking a TRA in respect of transfers from the UK:

  • The ICO’s approach, which requires companies to focus on the practical risk to individuals’ privacy and other human rights if the transfer goes ahead, as compared to the level of risk to those rights if the personal information remained in the UK (the TRA Tool follows this approach).
  • The EDPB’s approach, where companies must compare the laws and practices of the importing country and the EEA (or here, the UK), to assess the risks to the protection of the personal information transferred.

Although in principle both approaches focus on risk to individuals, the ICO’s approach does not require a company to carry out a review of the destination country’s laws. In any event, for UK transfers, companies can choose which approach suits their purposes best.

The TRA Tool includes a significant amount of information and six separate steps to complete, which require listing out the categories of personal information to be transferred, assigning a risk score to each category, and carrying out an investigation (in varying degrees of detail depending on the categories and volume of personal information in scope for transfer) on the human rights protections in the destination country. The TRA Tool requires a level of investigation commensurate to the size of the organization, with smaller businesses permitted to undertake lower levels of investigation in some circumstances. The ICO states that if the personal information that is being transferred is already low risk by virtue of the nature of the information, no additional investigations are necessary.

Where the assessment is that the transfer mechanism alone does not provide the required level of protection, organizations must, before making the transfer, take extra steps and protections (known as “mitigation measures”) so that the transfer is brought up to the right level of protection. In the words of the ICO, this is “undoubtedly complex in many situations.” Examples of mitigation measures are set out in the Appendix to the TRA Tool and include (among other measures):

  • Providing access controls;
  • Using encryption (including encryption key management);
  • Employing pseudonymization;
  • Enhancing the rights of individuals to enforce breaches of the transfer mechanism against the importer and its affiliates; and
  • Seeking to limit the importer’s ability to comply with information requests from governmental authorities.

The last two examples listed above may prove challenging or impractical for importers.

The TRA Tool comes out at 41 pages, including sub-questions, tables to populate as well as cross-referenced annexes, calling into question its practical use for companies that routinely carry out restricted transfers, despite the helpful information that it does include. We expect that some companies that routinely carry out restricted transfers subject to both the UK and EU GDPR may choose to continue following the EDPB’s approach for now, given that its approach to TIAs will be valid in both jurisdictions.       

Where the TRA has shown that risks exist which are not capable of being remedied by mitigation measures – and therefore a transfer cannot be based on a transfer mechanism – the next step in the TRA Tool is for companies to assess whether any of the derogations under Article 49 of the UK GDPR, such as an individual’s explicit consent, can be used to facilitate the transfer. Derogations will need to continue to be interpreted narrowly and consider the results of the TRA already carried out (i.e., that risks exist that are not capable of being remedied).

How does this differ from the EU approach?

Both the EDPB’s guidance and the TRA Tool refer to a largely similar non-exhaustive list of mitigating measures, such as encryption and pseudonymization, as well as other potential risk mitigation measures, such as:

  • Minimizing the personal information that is being transferred; and
  • Implementing training and checks to ensure that the importer has processes in place to prevent personal information from being shared with third parties or public authorities.

However, the EDPB’s guidance refers to two use cases where it cannot envisage effective mitigation measures to facilitate the transfer:

  • Where a transfer of personal information to a cloud service provider will require access to information in the clear (i.e., that is not pseudonymized or encrypted) (Use Case 6); and
  • Where a transfer of personal information is required for business purposes, and to meet those purposes must be transferred or accessed remotely in the clear (Use Case 7).

In contrast, the ICO has chosen not to take a binary approach on this issue, leaving the decision as to what mitigation measures the exporter puts in place to the company. While companies may welcome this more pragmatic approach, the subjective nature of this determination could result in different conclusions as to the risks of the same transfer, as well as the potential for their mitigation.

How is the ICO changing its position on what amounts to a restricted transfer?

The ICO has also revised its guidance on restricted transfers more generally to include more examples and detail, and we have summarized a few notable changes below:

  • Reverse transfers from processors: A processor returning personal information from the UK to its controller outside the UK will not be considered a restricted transfer (provided the controller is the controller of the relevant information and it initially sent the personal information to the processor). Those paying close attention to the UK government’s proposals for data protection legislative reform will note that the UK government decided not to bring forward a broader proposal to exempt reverse transfers generally from the restricted transfer regime on the basis that the change will not necessarily lead to a reduction in complexity for companies.
  • Exporter outside the UK: The ICO has confirmed that a company based outside the UK that is subject to the UK GDPR will still be making a restricted transfer if it sends personal information to a processor or controller in another non-adequate country, even if the personal information remains in the same country (e.g., a transfer within the United States between a company that is subject to the UK GDPR and another company).
  • Responsibility for the transfer: Only the controller or processor who initiates the transfer is responsible for complying with the UK GDPR’s rules on restricted transfers. Therefore, where a processor subject to the UK GDPR makes a restricted transfer to a subprocessor located outside the UK, it is the processor that must comply with the transfer rules, not the controller (though the controller would need to carry out appropriate diligence on the processor, including the protections put in place, to comply with other UK GDPR obligations). Further, a processor is still considered to be initiating the transfer if the underlying contract is concluded between a UK controller and a UK processor, even if in practice the personal information is sent by the UK controller directly to the processor’s subprocessor outside the UK (e.g., in the United States). In such cases, the UK processor will be responsible for the restricted transfer to the U.S. subprocessor, and the UK processor will need to comply with the transfer requirements. 
  • Overseas branches: A transfer of personal information between a UK entity and its overseas branch (which is not a separate legal entity) is not a restricted transfer.
  • Employment relationship: If a company sends personal information to an employee within the same legal entity, this is not a restricted transfer.

What about adequacy – will the UK keep up with the EU?

The ICO’s new TRA Tool and revised transfer guidance have been published against the backdrop of the EU-US Privacy Framework (see our Client Alert), which, following the Executive Order, “Enhancing Safeguards for United States Signals Intelligence Activities,” signed by President Biden in October 2022, is likely to result in the European Commission recognizing the United States as adequate in 2023. As noted above, the European Commission has already published its draft adequacy decision in respect of the EU-US Privacy Framework. The next step is for the European Commission to obtain a (non-binding) opinion from the European Data Protection Board, before the draft adequacy decision is reviewed by the European Council for formal approval. Now that the UK has formally finalized its adequacy agreement with the Republic of Korea, the UK and the EU recognize the same countries as adequate. This makes it easier for companies operating in both jurisdictions to align their approach on restricted transfers. To ensure that UK companies do not face significant hurdles when transferring personal information to the United States as compared to EU companies, we expect that the UK government will respond quickly to the European Commission’s draft adequacy decision. In keeping with this trajectory, the UK government announced on October 7, 2022 that it intends to work quickly to conclude its assessment of the U.S. Executive Order, with the aim of issuing adequacy regulations in early 2023.

We are grateful to Harry Anderson, trainee solicitor, for his contribution to this alert.

Note: This client alert was first published on December 1, 2022 and was updated on January 31, 2023 to reflect recent developments. 

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.