
Extra-EU transfers: EDPB vs ICO on transfer risk assessment (TRA)

On 15 Jan 2026, the ICO eased its Transfer Risk Assessment, diverging from the EDPB’s strict “essential equivalence” test. For Luxembourg controllers, maintaining an EDPB-compliant assessment remains key.

Starting point. On 15 January 2026, the ICO released a major update to its international transfers guidance and Transfer Risk Assessment (TRA), taking a more pragmatic, risk‑proportionate stance. This diverges from the EDPB’s Recommendations 01/2020 (final on 21 June 2021), which require demonstrable essential equivalence.

The case

  • United Kingdom — ICO updated its “International transfers” package with a simplified guide (including a three‑step test) and a commitment to refine the TRA and the IDTA. Aim: reduce complexity and support innovation while complying with the UK GDPR. The TRA tests whether protection is “not materially lower.” ICO sources (accessed June 2026): 15/01/2026 announcement and A brief guide.
  • European Union — Following Schrems II (CJEU, 16 July 2020, C‑311/18), the EDPB adopted on 21 June 2021 the final Recommendations 01/2020 on supplementary measures under GDPR Article 46 (SCCs, BCRs, certification…). The European Commission adopted new SCCs via Implementing Decision (EU) 2021/914. Sources: EDPB — 21/06/2021; EUR‑Lex — 2021/914; CJEU — CP/20/091.

These positions directly shape Luxembourg practice: controllers and processors established in Luxembourg remain subject to GDPR Chapter V and may work with UK providers bound by ICO doctrine.

Legal reasoning

  • EU basis (GDPR Arts. 44‑49) — Any third‑country transfer requires an adequacy decision (Art. 45), appropriate safeguards (Art. 46: SCCs 2021/914, BCRs, codes, certification) or, residually, a derogation (Art. 49). Post‑Schrems II, the EDPB requires a robust assessment of the importer’s legal order and, where needed, supplementary measures demonstrating “essentially equivalent” protection. References: EDPB — 21/06/2021; SCCs 2021/914; CJEU — C‑311/18.
  • EDPB position — Six‑step method (map, choose the transfer tool, assess third‑country law/practice incl. public access, identify and implement supplementary measures, formalize, re‑assess). Emphasis on objective analysis and strong technical controls (encryption, EU key management). See the Recommendations.
  • ICO position — The TRA checks that protection is “not materially lower,” with an outcome‑based, proportionate approach centered on “significant risk” rather than a strict law‑first essential equivalence test. Tools: IDTA + TRA. Sources: ICO announcement; brief guide; overview page.
  • Luxembourg — The CNPD follows the EDPB, details tools (SCCs, BCRs, codes, certification) and stresses exporter accountability. Since 2026, certification (Europrivacy) has gained traction as an Art. 46 safeguard. CNPD sources: transfers dossier; certification update.

What this changes in practice

  • Luxembourg entities using UK vendors or EU→UK→third‑country chains — Keep EDPB‑aligned documentation (equivalence + supplementary measures), even if a UK partner offers a light TRA. Demonstrate your analysis of the final importer’s law and your countermeasures (exporter‑side encryption, EU‑held keys, minimization, pseudonymization). Ref.: EDPB — 21/06/2021. When needed, an external DPO can help steer decisions.
  • Choosing transfer tools — SCCs vs IDTA: the IDTA works under UK GDPR but does not replace SCCs for a Luxembourg exporter. Many EU↔UK groups will maintain SCCs and IDTA in parallel. Ref.: ICO — IDTA overview; EUR‑Lex — 2021/914. Europrivacy certification can structure recurrent transfers.
  • “Tried‑and‑tested” clauses and supplementary measures — For sensitive data or regulated sectors (finance, health): end‑to‑end encryption with EU‑held keys, strict role separation, access logging, and a process to challenge government requests. See EDPB Recommendations. A cybersecurity audit can validate the effectiveness of technical controls.

Common pitfalls

  1. Equating UK and EU compliance — Accepting a “reasonable” UK TRA while ignoring the EDPB’s Schrems II equivalence requirement. Ref.: ICO — A brief guide; EDPB — 21/06/2021.
  2. Filling SCCs “blank” — Sparse technical annexes, generic measures, no notification/challenge plan. Ref.: EUR‑Lex — 2021/914.
  3. Skipping importer‑country legal analysis — Relying on “low probability” without reviewing public‑access laws and effective remedies — insufficient per EDPB. Ref.: EDPB — 21/06/2021.
  4. Forgetting CNPD‑level accountability — Inability to produce the legal basis (Arts. 45/46/49), data‑flow mapping, Schrems II risk analysis, and supplementary measures. Ref.: CNPD — transfers without adequate protection. In practice, organizing these items strengthens your GDPR compliance in Luxembourg.
  5. Poor sub‑processing chains — No SCC flow‑down to sub‑processors; no alert when the processor can no longer follow instructions. Ref.: EUR‑Lex — 2021/914.

Official sources

  • EDPB — “Final version of Recommendations on supplementary measures” (21 June 2021): link
  • CJEU — Press release, Case C‑311/18 (Schrems II), 16 July 2020: link
  • European Commission — Implementing Decision (EU) 2021/914 (SCCs), 4 June 2021: link
  • ICO — Updated guidance on international transfers (15 January 2026): link
  • ICO — A brief guide to international transfers (June 2026 access): link
  • CNPD — Dossier “Transfers outside the EEA without adequate protection” (v. 2025): link
  • CNPD — “International data transfers: an important step forward in GDPR certification” (16 April 2026): link

In short

The divergence lies in the assessment standard: the EDPB requires demonstrated essential equivalence; the ICO accepts a “not materially lower” standard focused on likelihood and severity of harm. For Luxembourg leaders, keep an EDPB‑compliant analysis for all GDPR‑covered flows, even when using ICO tools.

Luxgap regulatory expertise article.
