International Data Transfers: When a Transfer Risk Assessment is required
A recent €350 million fine, issued to TikTok by the Irish Data Protection Commission (DPC) for failing to meet international data transfer rules, demonstrates why cross-border transfers of personal data must be effectively managed.
While in this case an EU fine, UK organisations are not immune to data transfer requirements, nor the potential fallout of non-compliance. Organisations need to be mindful that people risk losing their protection under UK data protection laws if their personal data is transferred outside the UK.
Unless one of the following four conditions can be met, organisations must make sure appropriate safeguards are in place to protect ‘restricted transfers’ overseas:
■ You have the specific consent of individuals for the international transfer
■ The transfer is absolutely necessary to perform a contract with the individual
■ You can rely on an ‘Article 49 derogation’ – where the specific transfer is necessary for important reasons in the public interest, for litigation or for a public register
■ If there’s an approved Code of Conduct between members, e.g. members of a trade association
Often these conditions won’t be met, and appropriate safeguards will be necessary. In certain circumstances, there’s also a requirement to conduct a Transfer Risk Assessment (TRA). In the EU this is called a Transfer Impact Assessment (TIA) and this requirement was overlooked by TikTok.
A restricted transfer is where an organisation shares personal data with another organisation (i.e. a separate controller), or with a vendor/service provider/supplier (i.e. a processor), and the processing will take place in another country. This includes overseas data sharing between companies that are part of the same group of companies, for example one based in the UK and one in the USA. When data is anonymised, so that it is no longer ‘personal’ data, it is not classed as a restricted transfer.
Both controllers and processors also need to consider any further transfers in the supply chain to ‘sub-processors’ located in other countries.
Crucially, we need to recognise a ‘transfer’ will take place if there’s ‘access to’ personal data. For example:
■ A UK based controller permitting a supplier based in India to access the personal data of its customers would represent a restricted transfer.
■ A UK based processor, permitting one of their suppliers (a ‘sub-processor’) based in France to access the personal data of its client (the controller).
■ An EU based controller sharing personal data with a separate controller based in San Francisco, USA.
For more detail on what constitutes a restricted transfer see our International Data Transfers Guide or the ICO Guidance.
Do we need to make a restricted transfer?
Before making a restricted transfer, organisations should consider whether they can achieve their requirements without sharing ‘personal’ data. If you share data in an anonymised form, so it’s never possible to identify individuals, it is no longer personal data, so the restrictions do not apply.
Why did TikTok get fined?
The DPC inquiry found the social media platform had infringed GDPR on the following three key points:
■ Equivalent protection: There was a failure to verify, guarantee and demonstrate that personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
■ Transfer Impact/Risk Assessment: The necessary assessments were not undertaken to address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter espionage and other laws, which were considered to materially diverge from EU standards.
■ Transparency: TikTok’s 2021 Privacy Policy (aka Privacy Notice) did not meet necessary transparency requirements to inform EEA users that personal data was stored in servers in the United States and Singapore and was remotely accessible by entities in a number of other countries including China, Malaysia and the Philippines. An updated 2022 Privacy Policy rectified this particular infringement.
When is a Transfer Risk Assessment (TRA) required?
A TRA is not always required; it depends on the appropriate safeguard mechanism an organisation is intending to rely on for a restricted transfer.
Adequacy decision (Article 45): No TRA required
Adequacy status is awarded to specific countries judged to have a similar level of data protection standards as those in the UK. An adequacy decision essentially allows for the free flow of personal data between the UK and the other country. The UK Government refers to these as ‘data bridges’. When you rely on adequacy, a TRA is not required.
Currently there is reciprocal adequacy between the UK and the EEA. You can check which other countries have adequacy in the ICO data transfer guidance.
Other safeguard mechanisms (Article 46): TRA required
The requirement to conduct a risk assessment came into effect following the 2021 EU Schrems II ruling, and will apply, for example, if you intend to rely on the following safeguard mechanisms:
■ ICO’s International Data Transfer Agreement (IDTA)
■ EU Standard Contractual Clauses (SCCs) with the UK Addendum
■ Binding Corporate Rules (BCRs)
What’s the purpose of a Transfer Risk Assessment?
A TRA aims to help organisations to consider if the relevant protections for people under UK data protection law will be undermined when their personal data is transferred overseas. The ICO explains there are two broad types of risks to be considered:
■ Risks to people’s rights arising in the destination country from third parties that are not bound by the Article 46 transfer mechanism accessing the information, in particular government and public bodies.
■ Risks to people’s rights arising from difficulties enforcing the Article 46 transfer mechanism.
It’s worth bearing in mind if a processor is making a restricted transfer, for example to a sub-processor, it’s their responsibility to conduct the TRA. A controller should still carry out reasonable and proportionate checks to make sure these transfers are compliant with UK GDPR.
When onboarding a new processor, some controllers may request to see copies of their processors’ TRAs to sub-processors.
More information is available in the ICO TRA Guidance.
How to conduct a TRA for a transfer from the UK
The ICO sets out three distinct options for conducting the risk assessment.
Option 1: ICO TRA tool
This is a specific risk-assessment tool. It enables you to evaluate any increased risk to people’s privacy and other human rights as a result of the transfer, compared with the risk if the data remained in the UK.
In our view, the ICO has gone to considerable efforts to make this (Word document) tool as straightforward as possible. It helpfully provides a list of common categories of personal information with an initial risk score. You don’t have to use this specific template and can record your answers to six key questions in other ways.
However, to the uninitiated the TRA tool can be tricky to complete. If the circumstances of a specific transfer require a more detailed investigation it will involve a level of research into the legal system, respect for rule of law and the human rights record in the destination country.
Option 2: EDPB approach
This assessment looks at comparing the laws and practices of the UK with those of the destination country (the ‘data importer’). In particular, it means looking at the safeguards in place in relation to third party access to the information, particularly by Governments. The safeguards don’t need to be identical but need to be sufficiently similar to those in the UK.
Option 3: Reliance on published UK Government analysis in making adequacy regulations
As mentioned above, the UK Government can make adequacy decisions (known as ‘data bridges’). In making these decisions there are specific considerations the Government must take account of when assessing another country or territory. This includes an assessment of risks similar to the assessment which would be undertaken when using options 1 and 2. Therefore, if there’s relevant published UK Government analysis, which judges standards of data protection to be satisfactory, this can be relied upon. Notably, in 2023 the Department for Science, Innovation and Technology (DSIT) published analysis for the United States (DSIT Analysis).
Transfers from the UK to the United States
It’s worth taking a look specifically at transfers from the UK to the US. These are a common type of restricted transfer, especially for UK based organisations considering utilising the services of US based technology / SaaS providers.
Adequacy: the EU-US Data Privacy Framework, plus US-UK ‘data bridge’ extension
There’s an adequacy decision which UK organisations may be able to rely on, meaning a TRA is not required. However, unlike other adequacy decisions for specific countries (such as Japan, Israel and New Zealand), the ability to rely on the adequacy decision for the United States depends on whether the specific US company you are transferring data to has self-certified to the Data Privacy Framework and the UK extension to this framework. You can check if an organisation is certified here.
To give some commonly used examples, at the time of writing, Google LLC, Microsoft, Salesforce and Mailchimp are signed up to the Framework and UK extension (‘data bridge’).
Other safeguard measures and TRA
If an organisation isn’t listed as a signatory to the Data Privacy Framework and UK extension, it’s likely you’ll need to rely on the ICO’s IDTA, EU SCCs with the UK Addendum, or BCRs (for intra-group transfers), and options 1, 2 and 3 outlined earlier for conducting a TRA will be in play.
I’d encourage you to read the ICO’s guidance on transfers to the US, which sets out the potential to streamline the TRA process by relying on UK Government analysis (e.g. Option 3). The ICO states: “a significant part of the analysis relates to broader issues not specific to the US data bridge but analyses the application of relevant US laws and practices more generally. It is equally relevant to personal information transferred using an Article 46 transfer mechanism.”
The ICO’s guidance sets out in more detail how you can rely on this analysis, as an alternative to using the TRA Tool or the EDPB approach.
To conclude, international data transfer rules are not simple! They can often feel overly complex, with tricky compliance hurdles. Nonetheless, it’s both legally and ethically the right thing to do to make sure people don’t lose the rights they are entitled to under UK data protection law.
In practice, a risk-based approach is frequently adopted, applying more rigour to more risky transfers. For example, a transfer of a list of employees’ work email addresses is unlikely to pose as much risk as transferring more sensitive personal information. As ever, the devil is in the detail.