Why conduct a TIA?
Under GDPR, personal data transfers outside the EEA are only permissible if the target country provides an equivalent level of protection to that in the EEA. The ever-growing number of international data transfers, driven by technological advancements and the extensive use of cloud solutions, makes understanding the need for TIAs essential. The country of destination or, as the case may be, the organization located in such country, may be covered by an adequacy decision issued by the European Commission, in which case exporters may carry out the transfer without implementing further guarantees. Otherwise, exporters should rely on other personal data transfer mechanisms provided by Chapter V of the GDPR, including the standard contractual clauses (SCCs).
On July 16, 2020, the Schrems II ruling invalidated the Privacy Shield (adequacy decision for the United States) while validating the use of SCC. The CJEU emphasized that companies that transmit data outside the EEA have the responsibility to evaluate the degree of protection offered by the receiving country and to establish appropriate measures to ensure data security. Following this ruling, the European Commission issued new SCCs taking into account the interpretation of the CJEU and the necessity to assess the legislation of the country of destination.
From now on, in the absence of an adequacy decision or applicable derogation, exporters must carry out a TIA before transferring personal data to a third country.
How do you conduct such a TIA?
TIAs allow data exporters to assess whether the level of protection provided in the country of destination is equivalent to the European Union standard and, if not, whether supplementary measures could be implemented to reach that standard.
On June 18, 2021, the EDPB issued its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, to help exporters assess legislation in third countries and identify appropriate supplementary measures.
In accordance with the EDPB, the CNIL reminds exporters of the methodology to use and outlines the six steps involved in performing a TIA:
- Know your transfer;
- Document the transfer tool used;
- Evaluate the legislation and practices in the country of destination and the effectiveness of the transfer tool;
- Identify and adopt supplementary measures;
- Implement the supplementary measures and the necessary procedural steps;
- Re-evaluate at appropriate interval the level of protection afforded to personal data and monitor potential developments that may affect it.
For each step, the CNIL provides organizations with templates to help them document their assessment of the legislation in question. Such assessments can indeed be time-consuming and costly for some exporters, who may not have the dedicated resources to carry out this often complex evaluation of foreign legislation.
With this public consultation, the CNIL is seeking inputs from organizations dealing with personal data transfer outside the EEA. The aim is to enable the authority to better understand the needs of these organizations, and to provide them with tools that make it as easy as possible for them to meet their obligations.
Despite improvements brought by the Data Privacy Framework, the CNIL underscores the importance of adhering to the existing requirement for completing Transfer Impact Assessments, reminding us that this obligation remains unchanged and must be strictly followed.
The public consultation will end on February 12, 2024, and the guide will be published later in the year.
Please follow this link to participate in the public consultation (available in English).
