Do you remember when thinking about and conducting data transfer impact assessments felt like the primary function of the privacy professional? I certainly do.

Cast your mind back to the CJEU's Schrems 2 judgment in July 2020, following which organisations relying on the EU Commission's standard contractual clauses for international data transfers needed to assess, on a case-by-case basis, whether the data would receive equivalent protection in the recipient country (or countries). The document that resulted from this analysis was generally known as a DTIA or TIA.

As anyone who conducted these exercises will remember, assessing the laws of recipient countries often proved very difficult indeed — and that struggle was felt by organisations of all sizes. For the smaller companies in the EU and UK, with limited internal resources (and often no in-house data protection specialist), attempting to wrap their heads around the intricacies of third-country surveillance and government data access laws often felt like an impossible task. And for large organisations, which sent personal data from Europe to tens — and in some cases, hundreds — of foreign countries, conducting these DTIAs became a full-time job for their legal and compliance teams and the companies' external advisers.

Fast forward to July 2023, when the EU Commission implemented the EU-U.S. Data Privacy Framework. The DPF allows participating organisations to freely receive personal data in the U.S. without the need for additional data transfer safeguards or derogations. Issued at the same time, the Commission's FAQs on the DPF helpfully made clear that the measures put in place by the U.S. government to secure adequacy under the DPF also apply to transfers made under other mechanisms (i.e., SCCs and BCRs).

The same approach applies to the so-called UK Data Bridge to the DPF, which allows qualifying U.S. organisations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transport to receive personal data from the UK without having to rely on an alternative transfer mechanism under the UK GDPR. At the time that the Data Bridge was agreed (September 2023), I wrote this:

"Does this mean that organisations in the UK which rely on alternative transfer mechanisms no longer need to complete DTIAs when sending personal data to the U.S.? It's certainly arguable, but nevertheless I would suggest putting in place a short-form DTIA — and it really can be short — that refers to the relevant UK legislation, the opinions of the Information Commissioner's Office and the UK government on the UK Extension."

Last week, the ICO issued DTIA guidance in which it confirmed that approach (the link to the guidance is here). The ICO gives the example of a UK company transferring personal data to a U.S. HR platform. Because the HR provider is not certified to the UK Data Bridge, the parties must enter into the international data transfer agreement (the UK's version of the SCCs). However, rather than conducting a detailed DTIA, they can simply include the following language at the end of Part 1 of the IDTA:

"The Exporter has completed a transfer risk assessment (TRA). It has relied on the Department for Science, Innovation and Technology's Analysis of the UK Extension to the EU-US data privacy framework published in September 2023 (the DSIT analysis). The Exporter is satisfied that the DSIT analysis concludes that US laws and practices provide adequate protections for people whose personal information is transferred to the US for risks to people's rights: (i) arising in the US from third parties that are not bound by this IDTA accessing the transferred personal information in particular, government and public bodies; and (ii) arising from difficulties enforcing the IDTA. The Exporter considers that it is reasonable and proportionate for it to rely on the DSIT analysis, given the scope of this assessment is as required under Article 45 UK GDPR, and the enactment of adequacy regulations under Section 17A DPA 2018 by the Secretary of State and Parliament, on the basis of that assessment. The Exporter will review this TRA if a new or amended version of the DSIT analysis is published, or the DSIT analysis is withdrawn."

So that's it — that's your DTIA for UK-U.S. transfers. The Commission and/or the European Data Protection Board don't appear to have endorsed a similar approach, but it's not unreasonable to think that the same logic would arguably work for transfers to the U.S. under the EU GDPR. Of course, you may already have your DTIAs in place, but the approach set out in the ICO guidance will certainly ease the burden going forward.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.