Completing a transfer risk assessment when transferring personal information to the US using an Article 46 transfer mechanism
Who is this guidance for?
This guidance is relevant to you if you wish to make a restricted transfer of personal information to a recipient in the US using an Article 46 transfer mechanism. These are the “appropriate safeguards” listed in Article 46 of the UK GDPR. Examples are the ICO’s International Data Transfer Agreement (IDTA), the Addendum to the EU SCCs (the Addendum) and Binding Corporate Rules (BCRs).
At a glance
You may only make restricted transfers of personal information to recipients in the US using an Article 46 transfer mechanism if you have first completed a transfer risk assessment (TRA).
We encourage you to rely on the Department for Science, Innovation and Technology (DSIT)’s published analysis to streamline your TRA process for US transfers. The DSIT analysis considers US laws related to access and use of personal information by US agencies for the purposes of national security and law enforcement. This guidance explains how you can use that analysis as part of your TRA process for US transfers.
When may we need to rely on an Article 46 transfer mechanism for US transfers?
UK GDPR prohibits restricted transfers of personal information outside the UK unless:
- the receiver is located in a third country or territory, is an international organisation, or is in a particular sector in a country or territory, that is covered by UK adequacy regulations under Article 45 of the UK GDPR (also known as a data bridge);
- it is covered by an Article 46 transfer mechanism, including the IDTA, the Addendum and UK BCRs; or
- it is covered by one of the eight exceptions set out in Article 49 of the UK GDPR.
There are a range of reasons why you may wish to rely on an Article 46 transfer mechanism to transfer personal information to the US, including:
- your US recipient is not certified to the UK Extension to the EU-US data privacy framework, or the restricted transfer is not covered under your recipient’s certification;
- none of the eight exceptions set out in Article 49 of the UK GDPR apply to your restricted transfer;
- you are making the restricted transfer under a UK BCR; or
- you or your US recipient uses the Addendum or the IDTA as the preferred standard transfer mechanism.
Ultimately, the decision to use an Article 46 transfer mechanism will depend on:
- the circumstances of each individual transfer;
- the extent to which other options are available; and
- the commercial practices of you and your recipient.
The requirement to complete a TRA before transferring personal information on the basis of an Article 46 transfer mechanism applies regardless of which mechanism you use or why.
Why is a TRA required?
Following the 2020 case of Schrems II, you must complete a transfer risk assessment (TRA) before transferring personal information out of the UK using an Article 46 transfer mechanism. This ruling remains binding on restricted transfers made under the UK GDPR, notwithstanding the UK’s withdrawal from the EU.
What must the TRA cover?
Carrying out a TRA helps you ensure that, in the specific circumstances of your restricted transfer, the Article 46 transfer mechanism will provide appropriate safeguards, and effective and enforceable rights for people.
There are two broad types of risk you must consider in your TRA:
- Risks to people’s rights arising in the destination country from third parties that are not bound by the Article 46 transfer mechanism accessing the information, in particular government and public bodies.
- Risks to people’s rights arising from difficulties enforcing the Article 46 transfer mechanism, as a result of the laws in the destination country.
What is the DSIT analysis?
In October 2023, the UK introduced a US data bridge in the form of the UK Extension to the EU-US data privacy framework. The US data bridge is covered by adequacy regulations. It allows the free flow of personal information to US recipients that are appropriately certified under the scheme, without the need for an Article 46 transfer mechanism or an Article 49 exception.
The work undertaken to establish the US data bridge included a detailed analysis by DSIT of the level of protection that the US gives people in the UK. DSIT’s review took into account:
- the rule of law;
- respect for fundamental rights and freedoms;
- the existence of an effective and independent supervisory authority; and
- relevant international commitments.
DSIT concluded that the US data bridge and other relevant US laws and practices provide an adequate level of protection for UK personal information. They do not undermine the level of protection that people in the UK enjoy under the UK GDPR, when that personal information is transferred to certified US organisations.
DSIT’s analysis has been published in full.
Why can we rely on the DSIT analysis to streamline our TRA process for US transfers?
Some of the DSIT analysis was, of course, specific to restricted transfers under the US data bridge. However, a significant part of the analysis is not specific to the US data bridge: it examines the application of relevant US laws and practices more generally, and so is equally relevant to personal information transferred using an Article 46 transfer mechanism.
First, in the section “Legislative Framework and Commitment to Data Protection”, DSIT considers the US respect for the rule of law and for fundamental rights and freedoms, the existence of an effective and independent supervisory authority, and its relevant international commitments. DSIT concludes that:
“On the basis of this analysis, DSIT considers that the US respects and maintains the rule of law in its constitutional and legislative framework, and that the US respects human rights and fundamental freedoms”
Second, in the section “Government Access to Personal Data - An Overview”, DSIT considers the framework under which US public authorities are able to access personal information after it has been transferred to the US for matters in the public interest, in particular for national security and law enforcement purposes.
DSIT concludes about access for national security purposes:
“… DSIT is satisfied that when the US authorities access data for the purposes of national security, they do so in a manner provided for by law, and in accordance with a framework that ensures sufficient limitations and safeguards that ensure that interferences are necessary and proportionate, and conducted in the pursuit of legitimate aims. These safeguards and limitations sufficiently mitigate the potential for abuse. There is effective redress to rectify unlawful interferences. In addition, the specific requirements under the US legislative instruments highlights the importance of privacy and civil liberties considerations throughout the US signals intelligence procedure.”
DSIT concludes about law enforcement that:
“…the US system is underpinned by robust limitations, safeguards, oversight and redress mechanisms in relation to law enforcement access to personal data. Based on the totality of this assessment, DSIT is content that the protections available for UK data subjects are not undermined when their personal data is transferred to the US under the UK Extension.”
Note: this conclusion refers to the US data bridge (ie the UK extension) but the analysis applies more widely.
These broader issues analysed by DSIT mirror the issues that you are required to address in your TRA. So, you can simply incorporate the DSIT analysis into your own TRAs by reference, rather than repeating the analysis process yourself.
We consider that it is reasonable and proportionate for you to rely on the DSIT analysis in your TRA, regardless of whether the personal information you are transferring is categorised as low, medium or high harm risk.
How can we rely on the DSIT analysis to conduct our TRA?
You should note and document that:
- The DSIT analysis concludes that US laws and practices provide adequate protections for people whose personal information is transferred to the US, for the risks to people’s rights:
• arising in the destination country from third parties that are not bound by the Article 46 transfer mechanism accessing the information, in particular government and public bodies; and
• arising from difficulties enforcing the Article 46 transfer mechanism, as a result of the laws in the destination country.
- It is reasonable and proportionate for you to rely on the DSIT analysis for your TRA because the scope of this assessment is as required under Article 45 UK GDPR. In addition, one of the following will apply depending on the purpose for which the assessment was conducted:
• for adequacy regulations under Section 17A DPA 2018: the enactment of those adequacy regulations by the Secretary of State and Parliament, on the basis of that assessment; or
• to review adequacy regulations under Section 17B DPA 2018: the Secretary of State’s decision on the basis of that assessment.
You must keep under review any published updates to the DSIT analysis. If DSIT changes those conclusions referred to in your TRA, then you must review your TRA.
Example 1
A UK company wishes to use an HR platform to record holiday and sickness absence. The HR platform is provided by a US company which stores all client information in the US. The UK company recognises that when it uses the HR platform it will be making a restricted transfer to the US.
The UK company checks the EU-US data privacy framework register and notes that the US provider of the HR platform is not certified to it. The UK company therefore considers an Article 46 transfer mechanism and decides to use the IDTA. The US provider confirms that it has used the IDTA previously and has a template version that it can provide.
The UK company recognises that it must complete a TRA before signing the IDTA. It reviews the ICO’s guidance on transfer risk assessments and decides that it would like to follow option 3, relying on the DSIT analysis.
The UK company amends the IDTA by adding the following wording at the end of Part 1 of the IDTA to document that it has carried out a TRA:
“The Exporter has completed a transfer risk assessment (TRA). It has relied on the Department for Science, Innovation and Technology’s Analysis of the UK Extension to the EU-US data privacy framework published in September 2023 (the DSIT analysis).
The Exporter is satisfied that the DSIT analysis concludes that US laws and practices provide adequate protections for people whose personal information is transferred to the US for risks to people’s rights:
(i) arising in the US from third parties that are not bound by this IDTA accessing the transferred personal information in particular, government and public bodies; and
(ii) arising from difficulties enforcing the IDTA.
The Exporter considers that it is reasonable and proportionate for it to rely on the DSIT analysis, given the scope of this assessment is as required under Article 45 UK GDPR, and the enactment of adequacy regulations under Section 17A DPA 2018 by the Secretary of State and Parliament, on the basis of that assessment.
The Exporter will review this TRA if a new or amended version of the DSIT analysis is published, or the DSIT analysis is withdrawn.”
The amended IDTA is signed by both companies.
The UK company has completed and documented its TRA. There is no need for it to use the ICO’s TRA tool or take any further steps about its TRA, unless its review obligations are triggered.
Example 2
This is an identical scenario to Example 1, except that the US provider confirms that it has used the Addendum previously and has a template version that it can provide.
In that case, the identical TRA wording is inserted into the Addendum at the end of Part 1.
Importantly, this guidance is only relevant to TRAs completed about transfers to the US. If you are transferring personal information to an importer in a country other than the US, you must complete a full TRA following our transfer risk assessment guidance.