On May 3, 2022, the Icelandic data protection Supervisory Authority (SA) issued a fine of 5 million Kronur (about 35,000 Pounds) against the municipality of Reykjavík. The culprit? One of their elementary schools had employed an American educational cloud-based service. The school failed to implement appropriate safeguards, which were necessary to keep data (especially sensitive as it concerned children) secure as the processor was based in a country with inadequate data protection regulations. Although presumably a significant fine for a municipality, this amount pales in comparison to the maximum penalties set by the UK GDPR for such violations – £17.5 million or 4 percent of annual global turnover, whichever is greater.
When do you need a Transfer Risk Assessment?
A transfer risk assessment is one of the measures that companies can take to avoid such fines. It works as a component of the appropriate safeguards provided for in the UK GDPR when transferring data to any country other than the ones that have been granted adequacy status by the UK’s Information Commissioner’s Office, a list which mostly comprises EEA nations.
Transfers of personal data to countries not on that list (such as the United States) are referred to as restricted transfers – prohibited unless an exception can be applied. To transfer personal data to those countries compliantly, the UK GDPR permits companies to use a number of “appropriate safeguards”. The goal of these safeguards is to ensure that the protections afforded to data subjects by UK laws remain in place even when the data is transferred outside the country. One of those safeguards is the International Data Transfer Agreement (referred to as the Standard Contractual Clauses (SCCs) in the EU), which is a template agreement that binds the importer and exporter to maintain certain standards in the course of the processing contract.
In the past, the International Data Transfer Agreement (in the form of the Standard Contractual Clauses template that preceded it) was sufficient, by itself, to show that the data would be secure, thus complying with the GDPR’s requirements. However, in July 2020, the Court of Justice of the European Union (CJEU) declared in the popular Schrems II case that in light of the ability of foreign nations to access personal data despite the controls in the SCCs, using the template agreements would no longer be an automatic exception to the prohibition against transferring personal data outside the EEA. Instead, they would now have to be preceded by a Transfer Risk Assessment that would determine if the template agreement would provide enough security.
Key Considerations When Conducting Transfer Risk Assessments
The most important point for companies intending to export personal data to consider, is that a TRA must be specific yet comprehensive. It must be focused on the particular transfer that is intended to be made, considering the types of personal data and the unique risks that exposure may pose to the data subjects. On the other hand, it must be comprehensive in its evaluation of the country to which the transfer is to be made. The assessment must take the laws and regulations on data protection into consideration, but also extend to the attitudes of the judicial and administrative authorities with regard to upholding privacy rights.