(Editor's Note: In July of 2023, the EU-U.S. Data Privacy Framework was accepted as a replacement to the Privacy Shield framework noted as invalidated in this article.)

On July 16, 2020, the European Court of Justice (CJEU) invalidated the EU-U.S. Privacy Shield in a case popularly known as the Schrems II ruling. Following this decision, standard contractual clauses (SCCs) became the most common mechanism to facilitate data transfers to third countries (i.e., countries outside the European Economic Area).

The CJEU, however, stated that before organizations can use SCCs or alternative mechanisms, they must assess (on a case-by-case basis) the risks involved in transferring personal data outside the EEA.

Not surprisingly, the United Kingdom adopted a similar approach to facilitate international data transfers from within the UK to third countries.

These occurrences marked the origin of Transfer Impact Assessment (TIA) and Transfer Risk Assessment (TRA).

In the article below, we'll compare these assessments by looking closely at their legal background, who they apply to, and what steps you can take to conduct them.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



Overview of Transfer Impact Assessments (TIAs) and Transfer Risk Assessments (TRAs)

TIAs and TRAs are relatively new concepts in the world of data privacy. Before we dive into the details, it's important to clarify that although the UK is no longer an EU member state, it adopts what is essentially an implementation of the EU's legal framework.

Examples are as follows:

  • The Data Protection Act 2018 (DPA) and the UK GDPR are implementations of the EU's General Data Protection Regulation (GDPR)
  • The Privacy and Electronic Communications Regulation (PECR) is the implementation of the ePrivacy Directive (aka EU Cookies Directive)

These laws bring the EU legal framework into the UK but are slightly altered to reflect domestic areas of the UK's legal system.

Similarly, a Transfer Risk Assessment is simply the UK's implementation of the EU Transfer Impact Assessment.

Now, let's take a look at the legal background of these assessments.

What Was the Origin of Each Assessment?

What Was the Origin of Each Assessment?

The need to conduct a TIA comes from three legal authorities:

  • The European Court of Justice (CJEU)
  • The European Commission, and
  • The European Data Protection Board (EDPB)

As mentioned earlier, the CJEU invalidated the EU-U.S. Privacy Shield in Schrems II, which led to the widespread adoption of alternative data transfer mechanisms. The most common of these mechanisms are EU standard contractual clauses (SCCs).

Before using SCCs or alternative tools, organizations must now assess the risks involved in data transfers to third countries that are not covered by the EU adequacy decision (i.e., countries considered not to have an adequate level of data protection by the European Commission).

Supporting this stipulation, the EDPB released its recommendations on measures to supplement transfer tools, which also requires a TIA to be conducted and documented before international data transfers.

Importantly, data exporters must consider whether the laws and practices in third countries may impede the effectiveness of the safeguards provided by the transfer tools under Article 46 of the GDPR.

Lastly, in light of Schrems II, the European Commission repealed the old SCCs and published an updated version on June 4, 2021. Under clause 14, the new SCCs require the parties to conduct a TIA before transferring data to third countries without an adequacy decision.

Since the TRA is the UK's implementation of the TIA, its origin can be traced to the events surrounding the introduction of the TIA.

After the Schrems II ruling and the release of the new EU SCCs, the UK government published the UK International Data Transfer Agreement (IDTA) and the UK addendum to the EU SCCs.

These are essentially the UK's versions of the EU SCCs, and organizations are free to decide which version they wish to implement.

In any case, UK data exporters must now conduct a TRA before implementing any of the UK SCCs to facilitate data transfers to third countries (much like in the EU).

Who Does Each Assessment Apply to?

Who Does Each Assessment Apply to?

Although TIAs and TRAs are essentially carried out to achieve the same objective, their scope of coverage features slight differences that are worth looking into.

Scope of Transfer Impact Assessments (TIAs)

Conducting a TIA is a legal obligation for all EU-based data exporters who intend to carry out a restricted transfer by relying on one of the transfer tools in Article 46 of the GDPR. This includes SCCs, Binding Corporate Rules (BCRs), etc.

Note that you don't need to conduct a TIA (or even use transfer tools) if you are making a restricted transfer to any country covered by the EU adequacy decision or if one of the exceptions in Article 49 of the GDPR applies.

Your data transfers are considered to be restricted if:

  • The EU GDPR protects the personal data you are transferring
  • You're sending data (or making it accessible) to a recipient who isn't subject to the EU GDPR, and
  • The recipient is a separate individual or organization (including a subsidiary within your corporate group)

Scope of Transfer Risk Assessments (TRAs)

UK-based data exporters must conduct a TRA before making restricted transfers using one of the transfer tools in the UK GDPR (such as the IDTA).

Much like with the TIA, a TRA is not required if you're making a restricted transfer to any country covered by the UK adequacy decision or if one of the exceptions apply.

According to the UK Information Commissioner's Office (ICO), a transfer is restricted when the following applies:

  • The UK GDPR applies to the personal data you are transferring
  • You're sending data (or making it accessible) to a recipient who isn't subject to the UK GDPR, and
  • The recipient is a legally separate individual or organization. This includes another entity within the same corporate group

Now that we're clear on the background and scope of TIAs and TRAs, let's go over how to conduct each assessment.

How to Conduct a Transfer Impact Assessment

How to Conduct a Transfer Impact Assessment

In practice, a TIA usually takes the form of a questionnaire. Among other things, it establishes whether the legal framework in a third country may allow the government or intelligence agencies in that third country to access any transferred data.

There is no specific guidance to help companies conduct a TIA. However, considering the background and purpose of a TIA, we recommend taking the steps below to comply with your TIA obligation.

Note that these steps are broad and tailored towards routine restricted transfers. Therefore, you may need to conduct a more comprehensive assessment for complex or high-risk transfers.

Describe Your Transfer of Personal Data

To start, your TIA should address the specific features and circumstances surrounding your transfer of personal data.

This typically involves describing the following information:

  • The category of data you intend to transfer
  • The third country where you will transfer the data
  • The identity of the data exporter and data importer
  • The location in the third country where the data will be stored
  • The purpose(s) of the data transfer
  • The method of the data transfer
  • The likelihood that the importer will transfer the data to a non-adequate third country (aka onward transfers), and
  • Other related information

Once you've established the data transfer features, the next step is to assess the legal framework of the third country. Your TIA should consider relevant laws and practices in the third country that regulate third-party access (particularly surveillance by government or intelligence agencies).

Vital factors to consider include the third country's human rights protection, data security standards, and the similarity of its legal system to the EU's, among others.

To sum up, a complete and detailed description of the relevant legal requirements in the third country is the way to go.

Identify the Security Measures Implemented

Next, you need to identify the security measures in place to ensure that the transferred data receives a level of protection in the third country equivalent to the EEA.

We recommend implementing contractual, technical, and organizational measures to mitigate any risks identified in the previous steps of the assessment.

This generally involves:

  • Properly implementing appropriate safeguards such as BCRs or SCCs and ensuring that (where applicable) annexes are correctly filled out and completed
  • Encrypting or anonymizing data before facilitating restricted transfers, and
  • Considering the possibility of transferring the data to an adequate third country (depending on the purpose of the transfer)

When carrying out this step, remember to observe the specific guidelines provided in this regard, such as the recommendations issued by the EDPB.

Assess the Risks of Lawful Access to Personal Data

This is perhaps the most crucial step in your TIA. After properly implementing the previous measures, you need to identify and evaluate all the potential threats to data privacy and security in the third country.

In particular, it's crucial to consider whether the third country's laws may allow public authorities or intelligence agencies to access the transferred data legally, despite the safeguards in place.

You should also assess the risks to the rights and liberties of data subjects in the event of such access.

Draw Your Conclusion

The last step in your TIA should state your decision about whether the intended data transfer has an acceptable level of risk considering all the relevant factors identified above.

Your transfer is lawful if your assessment proves that the third country's data protection level is essentially equivalent to the EU's, despite the potential risk of data access by public authorities in the third country.

However, you shouldn't proceed with the transfer if the TIA indicates that the level of risk in the transfer is high or unacceptable.

How to Conduct a Transfer Risk Assessment

How to Conduct a Transfer Risk Assessment

Before using a UK-approved data transfer tool such as the IDTA, data exporters must (with assistance from data importers) conduct a TRA. This helps confirm whether the IDTA provides sufficient security or requires additional protections before the restricted transfer occurs.

The UK ICO has published a draft international transfer risk assessment and tool that features a structured list of questions and tables to help organizations assess risk at each step.

The ICO states that the transfer tool is optional, broad, and can only be used for transfers that are not complex or high risk.

In other words, you need a more comprehensive assessment for complex or high-risk transfers. Such cases include where the importer is based in more than one country or if a Data Protection Impact Assessment (DPIA) is needed.

Finally, note that a TRA ultimately aims to assess whether the IDTA provides a level of protection for data subjects that is "sufficiently similar" to the UK's.

Now, let's briefly go over the ICO's proposed 3-step process to conduct a TRA.

Examine the Facts of the Restricted Transfer

Like with the TIA, your TRA should start by evaluating the characteristics and circumstances of the restricted transfer.

According to the ICO, this step should primarily address the following information:

  • The type of data to be transferred
  • The categories of entities involved in the transfer
  • The sector in which the transfer occurs
  • The purpose of the transfer
  • The method of the transfer
  • The format of the data
  • The organizational and technical security measures in place to protect the data
  • The movement of the data under the control of the importer
  • The possibility of onward transfers
  • If the restricted transfer meets the UK GDPR's obligations
  • If you will store the data outside the UK or if the importer can remotely access the data within the UK

Identify the Facts About the Destination Country

After identifying the facts of the transfer, the next step, according to the ICO, is to examine the relevant laws and practices in the destination country.

In particular, you must consider whether the IDTA is enforceable in the destination country.

If you have concerns here, the ICO recommends conducting a supplementary risk assessment to determine whether there is a potential risk of harm to data subjects.

Other factors to consider in this step include:

  • The third country's courts and legal framework and its similarity to the UK's
  • The human rights history
  • The laws and practices that regulate third-party data access (including public authority surveillance)
  • Whether there are partial UK adequacy decisions concerning the third country
  • How foreign judgments are acknowledged and implemented

Assess the Potential Risk of Harm and Impact on Data Subjects

The final step in the ICO's proposed tool is to assess the potential impact of the transfer and the risk of harm to data subjects.

In doing this, remember to assess the destination country's laws regarding third-party access to data. At the end of this step, you may proceed with the transfer only if any of the following occurs:

  • The destination country's laws regarding third-party data access (including surveillance) are "sufficiently similar" to UK's
  • The likelihood of third-party access is minimal regardless of the destination country's laws
  • The risk of harm to data subjects is low, even if third-party access occurs

Suppose the TRA reveals that the risk to the data subject is high. In that case, you should consider conducting a more comprehensive risk assessment or relying on an alternative safeguard or exception under the UK GDPR.

It's also important to regularly reassess your safeguards for ongoing transfers to ensure that the level of protection does not decrease over time.

Summary

The data privacy landscape is becoming increasingly complex in today's business world. TIAs and TRAs are yet another obligation imposed on certain businesses by the EEA and UK legal framework.

As seen above, the TIA and TRA processes are virtually identical and contain many of the same concepts, which makes things easier for organizations that may need to conduct both.

Whether you're conducting a TIA or a TRA, the critical takeaways you should observe are as follows:

  • A TRA is the UK's implementation of a TIA.
  • TIAs apply to EEA data exporters, while TRAs apply to UK data exporters.
  • When conducting a TIA, you should ensure that you properly assess the destination country's legal system, specifically lawful data access by public authorities.
  • When conducting a TRA, the ultimate goal is to assess whether the destination country's laws and practices are "sufficiently similar" to the UK's.

Finally, given the complexity involved, we recommend seeking legal or professional help to navigate your TIA and TRA obligations properly.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy