Now that the deadlines have passed for implementing:

  • EU Standard Contractual Clauses ("EU SCCs") into all new and existing contractual arrangements involving restricted transfers of data under the EU GDPR; and
  • the UK equivalent to the EU SCCs (the UK-specific International Data Transfer Agreement ("IDTA"), or the EU SCCs in combination with the UK International Data Transfer Addendum ("UK Addendum")) into new contractual arrangements involving restricted transfers of data under the UK GDPR (the deadline for implementing the IDTA or UK Addendum into contractual arrangements entered into before 21 September 2022 is not until 21 March 2024),

organisations subject to the EU and UK GDPR must work to fulfil all of the obligations set out in the EU SCCs, IDTA and UK Addendum, including the requirement to conduct Transfer Impact Assessments ("TIAs").

By way of a recap, TIAs need to be conducted to assess the legal environment of the third country into which personal data is to be sent, taking into account the circumstances of the transfer. In order for a third country to be considered adequate to receive the personal data, the TIA must find that the legal environment of the destination country offers essentially equivalent protection to that provided in the EU under the EU GDPR and in the UK under the UK GDPR.

The EDPB approach

The EDPB has published guidance to help businesses conduct TIAs, recommending that a TIA should document a detailed assessment of the following:

  1. the details and circumstances of the transfer;
  2. enforceability of contractual safeguards in the third country;
  3. the third country's data protection legal framework;
  4. the level of risk associated with third party access (including surveillance); and
  5. supplementary measures to protect the data being transferred.

The ICO approach

The ICO has more recently published its own separate guidance on international transfers and has created its own Transfer Risk Assessment ("TRA") tool as an alternative to the approach for conducting TIAs recommended by the EDPB. The ICO has stated that its aim is "to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate."

Comparing the EDPB and ICO approaches

In comparison to the approach recommended by the EDPB, the ICO's TRA tool for conducting TIAs is relatively light-touch, focussing on whether the circumstances of the data transfer significantly increase the risk to the privacy and other human rights of the individuals concerned, and whether the transfer mechanism will be enforceable against the importer in the third country. This contrasts with the EDPB approach, which requires organisations to conduct an in-depth examination of the legal environment to which personal data will be sent.

In addition, the ICO's TRA tool allows organisations to proceed with what it refers to as "low harm risk" transfers without needing to conduct any local law assessment at all. This is unlike the EDPB approach, which requires a local law assessment to be conducted in all scenarios and only allows organisations to take the circumstances of a proposed transfer into account when identifying effective supplementary measures to protect the data being transferred.

The ICO's lighter-touch approach is clearly intended to be more business-friendly and potentially previews what is to come in the UK following the implementation of the Data Protection and Digital Information Bill.

The ICO has indicated that it is happy for organisations exporting data from the UK to carry out an assessment either using the ICO's TRA tool or by following the (more rigorous) EDPB approach. However, it remains to be seen whether EU supervisory authorities will be as amenable to organisations using the ICO's TRA tool when exporting data out of the EU, or whether they will insist that such organisations follow the EDPB guidance. If the latter proves to be the case, the ICO's TRA tool will be of most use to UK-centric organisations that only export data out of the UK, as organisations exporting data from both the EU and the UK will either need to apply a two-track approach or adhere to the EDPB guidance in relation to all transfers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.