
Published 11 January 2024

Overview

Following the implementation of the UK-US Data Bridge in October 2023, the ICO has updated its Transfer Risk Assessment guidance with a specific section on TRAs relating to transfers to the United States.

The updated guidance makes it clear that parties can rely on the analysis published by the Department of Science, Innovation and Technology (DSIT) in relation to the Data Bridge when making data transfers on the basis of an alternative mechanism.

Data Bridge

The UK-US 'Data Bridge' took effect on 12 October 2023. It is an extension of the EU-US Data Privacy Framework, approved by the European Commission as adequate in respect of transfers from the EU to the US. As with previous, similar transatlantic arrangements, it can only be relied upon in respect of transfers to recipients who are certified under the scheme. As we highlighted in our analysis of the Data Bridge, this means that a TRA is still required for transfers to the US based on other transfer mechanisms. However, the DSIT analysis is still relevant in these circumstances. The ICO concludes that "it is reasonable and proportionate for you to rely on the DSIT analysis in your TRA, regardless of whether the personal information you are transferring is categorised as low, medium or high harm risk."

ICO guidance on relying on the DSIT analysis

The ICO guidance states that a broad section of the DSIT analysis was directed at the application of relevant US laws and practices more generally. It considered US respect for the rule of law and fundamental rights and freedoms, the existence of an effective and independent supervisory authority, and its relevant international commitments. The framework for public authorities to access personal data following transfer to the US was considered to be satisfactory and underpinned by appropriate safeguards and redress.

To that end, organisations are encouraged to simply incorporate the DSIT analysis into their TRAs by reference, documenting that:

  • the DSIT analysis concludes that US laws and practices provide adequate protections for people whose personal data is transferred to the US;
  • it is reasonable and proportionate to rely on the DSIT analysis because the scope of assessment is as required under Article 45 UK GDPR; and
  • any published updates will be kept under review.

Helpfully, the ICO provides examples of suitable wording for a TRA using the above direction. These can be found as part of the overall guidance and help to significantly streamline the TRA process.

 
