US data transfers are in a state of change following the EU-US Data Privacy Framework, which came into force on 11 July 2023, and the UK-US data bridge, which will come into effect on 12 October 2023. You can read more about this in our recent articles here and here. We have set out below some of the key takeaways and focus areas of the ICO in respect of international transfers at the DPPC.
Key learnings
There were four takeaways for the WBD Data team from this ICO session:
- All data transfers to the US are now vastly simplified by the UK-US data bridge: Even where a US business is not certified under the Data Privacy Framework, you can rely on the Department for Science, Innovation and Technology (DSIT) analysis of the legal framework for access to data by public authorities in the US and the US human rights record. You still need to do a transfer risk assessment (TRA) for US data transfers, but the TRA will be much easier to complete. More guidance from the ICO on this topic will be coming soon.
- Where organisations have already carried out a TRA for a US data transfer, there is no need to update it following the UK-US data bridge: This applies if you carried out a TRA prior to the UK-US data bridge coming into force. Notwithstanding this, when you do your regular review, you might want to update your TRA to take account of the DSIT analysis.
- Limits of liability in data transfer contracts need to be high enough so that the recipient of data is incentivised to comply with the contract and takes responsibility: Liability caps also need to be high enough to cover claims by data subjects. It will be interesting to see how this impacts the recent trend on data protection liability caps in the market, which has very much been a dramatic shift away from 'unlimited' liability caps for data. One of the primary drivers for this shift has been the challenge in securing appropriate insurance for data losses; however, we have recently seen a further shift here, with certain organisations finding it 'easier' to secure data and cyber insurance.
- The ICO sees international data transfers as really critical to ensuring data doesn't lose the benefit of the protection it has in the UK, under UK GDPR, when the data is transferred overseas: This emphasises the need for organisations to understand the scope of their data flows and what third party organisations and countries are involved. We often see international transfers considered as an afterthought and the ICO's message is that this should be a priority.
Summary of the ICO session on cross-border transfers
The session looked at seven practical steps when conducting a TRA and the ICO's suggestion for each of the practical steps:
- Can you reduce the amount of data being sent?
  - Think about the principle of data minimisation.
  - If you are sending less data and less risky data, then conducting a TRA will be more straightforward, making the data transfers effectively 'easier'.
- How risky is your data?
- Is there a restricted transfer at all?
  - Look at who the contract is with: there is no restricted transfer if you are transferring data to a UK service provider.
  - Only the party that initiates the transfer is responsible for the restricted transfer.
  - Where a controller appoints a processor and the processor transfers the data to a sub-processor located outside the UK, it is the processor that is responsible for the transfer.
  - However, the controller still has a responsibility to conduct appropriate due diligence in relation to its service providers.
- Have you done your due diligence?
  - The risk level of the data will impact on what level of due diligence is needed. For high risk data, businesses may do their own version of a TRA as part of the due diligence (though this is not mandatory under UK GDPR).
  - Businesses need to carry out sensible and proportionate checks on their service provider:
    - What is the service provider's reputation?
    - Which countries will the data flow to?
    - Can you see the TRAs?
    - What are the contract terms? Do they offer enough protection? Is the service provider incentivised to do the right thing in relation to the data?
  - Businesses can add to their contract terms with the service provider to improve protection, for example by looking at limits on liability.
- Will the importer enter into the IDTA or Addendum?
  - The IDTA/Addendum makes sure that data keeps its protection when it leaves the UK. The ICO recommends that importers enter into one of these mechanisms.
- What is the scope of your TRA?
  - You can use the ICO's TRA tool.
  - The ICO says it is really important to do a TRA. You need to make sure that your Article 46 UK GDPR transfer mechanism ensures that UK data subjects' data will remain protected in a third country.
  - To make the TRA simpler, can you take steps to make sure your data is all low risk?
  - The ICO guidance to the TRA tool suggests three levels of investigation depending on the risk profile of the data.
    - DPOs should be able to carry out a Level 1 and Level 2 investigation themselves by doing desk-based research about the human rights record of the third country.
    - For a Level 3 investigation, professional help is likely to be needed to look at the human rights record and the local laws and practices of the third country and compare them with the position in the UK.
  - The EDPB guidance requires a detailed review of the framework for public authority access to the data in the third country. The ICO approach is to focus on the human rights risk in the destination country and to assess whether the Addendum/IDTA will be enforceable in that country.
  - In practice, we are seeing a lot of organisations adapting their own versions of the TRA tool, based on a combination of the ICO's tool and the EDPB's recommendations on measures that supplement transfer tools.
- How does the data bridge to the US "Data Privacy Framework" help with your TRA?
  - Sending data to a US business which has certified under the Data Privacy Framework (DPF)? You do not need a transfer mechanism or TRA.
  - Sending data to a US business which has not certified under the Data Privacy Framework (DPF)? A TRA is still required (due to the Schrems decision), but you can rely on the DSIT analysis of the legal framework for access to data by public authorities in the US and the US human rights record. That analysis will also apply to data transfers under the IDTA/Addendum. The ICO says it is reasonable and proportionate to rely on the DSIT analysis in your TRA, even for a Level 3 investigation.
  - The ICO will issue more guidance on what to put in the TRA in the event of a US data transfer. In the meantime:
    - Include a statement in your TRA saying you are relying on the DSIT analysis.
    - You don't need to assess the level of risk in the data, as the assessment is the same for all levels of data (you can move straight to Q3 in the ICO's TRA tool).
    - In Q4 of the TRA tool, which asks "Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?", you will be able to answer "no" and refer to the DSIT analysis.
    - In Q5 of the TRA tool, which asks whether the transfer mechanism is enforceable, you can answer "yes" and refer to the DSIT analysis.
This is going to make TRAs vastly simpler for US data transfers. You will need to keep this under review in case the adequacy decision is challenged in the future.
You can access the recording of the session on the ICO website.