UK: ICO guidance on third-country transfers - Part one: Transfer risk assessments
The Information Commissioner's Office ('ICO') has issued a three-part guidance for public consultation on cross-border transfers of personal data from the UK to third countries without an adequacy decision, replacing the old Standard Contractual Clauses ('SCCs') which are currently in use for such transfers. In Part 1 of this series, Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild LLP, discusses the ICO's recommended steps on carrying out a transfer risk assessment ('TRA').
The guidance has three documents:
- Guidance on conducting Schrems Transfer Impact Assessments (which the ICO is calling a TRA) ('the TRA Guidance');
- Guidance on International Data Transfer Agreements ('IDTAs') ('the IDTA Guidance'); and
- Addendum to new SCCs ('the SCCs Guidance')
Part 1 of this series discusses the key takeaways from the TRA Guidance. In Part 2 of this series we will discuss the key points from the IDTA Guidance and the SCCs Guidance.
- Before you can rely on an IDTA, you must also do a TRA which considers all the circumstances of the restricted transfer and checks if the IDTA provides appropriate safeguards for your restricted transfer.
- In your risk assessment you will check whether, for your restricted transfer and taking into account all of its circumstances, the IDTA provides protection for the data subjects that is sufficiently similar to the relevant protections they have when their data is in the UK.
- You do not need to look at the whole regime of the destination country, only those parts of the destination country's regime which are relevant to your restricted transfer.
Factors to consider
- The particular facts of the transfer (including: type and categories of data, sector, purpose of transfer, format of the data, method of transfer, security measures, location of storage, possibility of onward transfers).
- Particular facts of the destination country (including adequacy decision, human rights record, court systems, laws and practices regarding third party access).
- The potential impact on the data subjects of the transfer, and any risk of harm to data subjects you identify.
- Where your IDTA covers repeated transfers of personal data or an ongoing flow of data to your importer, you must regularly reassess the level of protection the IDTA provides (and any extra steps and protections you took alongside the IDTA). You must ensure that the level of protection does not decrease over time.
- You need to consider whether the level of protection is undermined by:
  - changes to the processing by the importer;
  - changes to the legal framework in the destination country; or
  - technical developments facilitating the bypassing of security arrangements.
TRA needed for onward transfers
- If you know that the importer will be sending on the data to third parties you will need to look at how this complies with the IDTA.
- If the importer will put in place an agreement which maintains the level of protection of the IDTA or uses another Article 46 transfer tool, then either you or the importer must make sure there is a TRA which covers that onward transfer of data.
- The document contains a TRA tool which is meant to assist with routine transfers.
- You will need to do more detailed risk assessment for transfers which are complex (for example, the importer is based in more than one country) or involve a high risk (for example, where you need to complete a Data Protection Impact Assessment ('DPIA')).
- In certain cases, the TRA tool may indicate that it is unlikely you can proceed with your proposed transfer. In these cases, you may consider completing a more detailed risk assessment or relying on another appropriate safeguard or an exception.
- The TRA tool provides guidance to assist you in your decision making. It is, however, your responsibility to assess whether appropriate safeguards are in place to protect the rights of data subjects.
Assessment of the third country law
- You may be able to make an initial assessment of the legal and political landscape of the third country with information you can find from publicly available sources, including reports issued by the Foreign, Commonwealth and Development Office and charitable organisations.
- You may be able to refine your assessment with information your importer provides on the local laws and practice.
- This may provide enough information for you to use this TRA tool for routine international transfers.
- If you are unable to form an assessment of the legal framework in the destination country, you may need to obtain expert advice. Alternatively, you may use this TRA tool on the assumption that the legal regime in the destination country does not provide similar protections to the UK. In these circumstances, you do not need to carry out a more detailed assessment of the legal regime in the destination country.
Step one - assess the transfer
You should not make the restricted transfer without ensuring that the processing in question meets the rest of the UK GDPR requirements.
- You must check things like data minimisation, security, lawful basis, processor obligations, and transparency.
- You cannot use the TRA tool if the transfer is too complex or too risky, including where:
  - a number of countries' laws apply (because of multiple processor branches);
  - new technologies or novel applications of existing technologies are used;
  - the transfer requires a DPIA; and
  - the transfer is to a destination country whose human rights record presents a high risk to human rights; a partial UK adequacy decision is an indication that the country is considered to have a satisfactory human rights record.
Specific circumstances of the transfer. Check:
- What type of company is the importer? Is it subject to professional rules?
- What is the GDPR role? (i.e. controller, processor).
- Location of importer?
- Onward transfer?
- Purpose of transfer?
- What will the importer be doing with it?
- Type of data, including any special category data or sensitive data like financial transaction data, communications data, travel related data or confidential records.
- Technical and organisational security measures.
- Format of the data.
- Method of transfer (secure file transfer protocol or remote access to data stored in the US).
- For how long can the importer access the data?
- Frequency of transfers.
- Quantity of data.
Step two - Is the IDTA likely to be enforceable in the destination country?
Where you have concerns about the IDTA's enforceability, you should carry out a supplementary risk assessment to determine whether this gives rise to a risk of harm to data subjects and whether any extra steps or protections could reduce the risk.
- If you assess there to be no or a low risk of harm, you can proceed to step three.
- If you assess there to be an enhanced risk of harm, you should not continue using the TRA tool for your risk assessment.
1 - Are the contractual safeguards enforceable in the destination country?
- Assess whether the legal regime in the destination country is likely to respect the contractual safeguards the IDTA sets out, in a way that is sufficiently similar to how they would be enforced in the UK.
- Consider the factors listed in the TRA guide including: lack of respect for rule of law, not recognising foreign judgments, not being party to international conventions, limited access to justice, limited independence of judicial system.
2 - Supplementary risk assessment. Assess:
  - the level of risk of harm to data subjects as a result of the transfer, in light of the concerns you have about the enforceability of the IDTA; and
  - whether you can appropriately reduce such risk by applying any extra steps and protections.
- To assess the risk of harm, you should look into the specific circumstances of the transfer. Refer to Table B provided in the guidance and seek legal advice if necessary.
- Higher risk factors include: special category data, vulnerable data subjects, a large volume of data relating to an individual, automated decision making including profiling which produces legal or similar effects, etc.
- Factors that reduce the risk include: the importer is bound by professional codes of conduct (e.g. solicitors); the importer is bound by regulatory obligations (e.g. financial services sector); the importer is a reputable global company (e.g. an international bank or major cloud hosting service); the importer has signed up to an ICO-approved code of conduct.
- Table C of the guidance includes a list of extra steps. They include: access controls, changes to the data (e.g. pseudonymisation), contractual, etc.
- You should document your overall findings, showing both your assessment of the potential risk of harm to the data subjects and the impact of applying any extra steps and protections.
Step three - Is there appropriate protection for the data from third-party access?
- At the end of step three, you can go ahead with your transfer if:
  - the destination country's regime for regulating third-party data access (including surveillance) is sufficiently similar to the principles which underpin the UK regime;
  - the possibility of third-party access (including surveillance) is minimal regardless of the destination country's regime; or
  - the risk of harm to data subjects is low, even if third-party access (including surveillance) did take place.
The ICO says: 'We recognise that this is a complicated exercise for organisations, particularly for those with limited resources; we don't expect you to become experts in international surveillance regimes. If you are not able to form a view of the risk in relation to the destination country's approach to third party access (including surveillance), you can go straight to the question "What is the likelihood of third party access to the data (including surveillance)?", on the basis that the third party access regime in the destination country may be concerning.'
- Consider the key indicators in Table D and consider getting assistance from the importer. The indicators include:
  - Public authorities have wide powers to intercept communications.
  - Requests for information by law enforcement and other public authorities from private sector companies are at an unexpected and disproportionate level.
  - There is general and indiscriminate sharing of information between private companies, which is unregulated.
  - Organisations can undertake workplace monitoring with no or minimal safeguards.
  - Public and private authorities may freely use the data they access or receive from third parties.
  - Individuals have no or limited rights to access their personal data.
  - Individuals have no or limited ability to seek judicial challenge of private or public authorities accessing their data, including surveillance measures.
  - There is no or limited transparency reporting of surveillance measures by public authorities, and no other mechanisms for proper accountability.
  - There is a poor record of respect for human rights (in particular the rights to privacy, freedom of expression and access to justice).
  - There is significant use of biometrics or facial recognition by public authorities, with only limited or no laws, regulations or other safeguards relating to it.
If you decide that the third-party access regime in the destination country provides appropriate legal protections, you may proceed with the restricted transfer using the IDTA. Otherwise, you should move on to the next question.
What is the likelihood of third-party access to the data (including surveillance)?
- Considering the specific circumstances of the transfer that you identify in step one, assess whether the circumstances of your proposed transfer are likely to be of interest to third parties such as surveillance authorities.
- Check the factors in Table E, which include:
  - Organisations similar to the importer in the destination country have evidence of receiving requests from public authorities or third parties to access data.
  - The data could be a key source of access to this information by public authorities or third parties.
  - There are reasonable grounds to believe that surveillance authorities in the destination country access large volumes of personal data.
  - Technical measures are in place which make surveillance more likely, such as mandated back door access and data in the clear.
If you decide that there is minimal risk of third-party access (including surveillance) to the data, you may proceed with the restricted transfer using the IDTA.
Otherwise you should move on to the next question.
What is the risk of harm?
- You should assess whether any risk of harm could be caused to data subjects if third party data access (including surveillance) occurs.
- Look into the specific circumstances of the transfer, as you may have done for Table B.
- Consider the factors in Table F. High risks include: special category data, payment or banking details, passwords, order history, and data that is of interest to third parties or public authorities.
If you decide that the risk of harm to data subjects is low, even if there is concerning third party access, you may proceed with the restricted transfer using the IDTA.
Otherwise you should move on to the next question.
Are you able to put in place extra steps and protections to reduce the risk of harm to low?
- Consider whether you could apply any extra steps and protections to safeguard the data.
- Consider the measures in Table G, which include: encryption; splitting pseudonymised datasets between multiple entities; strict, role-based limitation of access; and notifying the exporter of third-party access requests and pushing back against them.
- You should document your overall findings.
- You might want to contact the data importer for further advice as to the availability and effectiveness of any suggested extra steps and protections in the destination country.
- It may not be possible to reduce some risks (such as routine and unregulated access by national security or law enforcement agencies to personal data) using only contractual or organisational solutions. You may need to deploy sophisticated technical measures (such as advanced encryption techniques) to protect personal data even if someone accesses it. You may also need specialist technical security advice as to appropriate additional measures. In some cases, the cost of those extra steps and protections may outweigh the benefits of the proposed transfer.
It is important to remember that there may not always be extra steps which reduce the risk. This may mean you cannot proceed with the transfer without changing your proposed transfer arrangements, for example by changing the type of data you want to transfer to be anonymised, pseudonymised, or minimised, to reduce risk.
Odia Kagan Partner and Chair of GDPR Compliance and International Privacy
Fox Rothschild LLP, Philadelphia