“Transfer Impact Assessment” (TIA) – New transfer mechanism to ensure adequate level of data protection in third country

On 16 July 2020, the ECJ declared the EU’s GDPR adequacy decision for the United States (the “EU-US Privacy Shield”) invalid – the so-called “Schrems II” judgment (case no. C 311/18). (Also) in light of this decision, the European Commission reevaluated the Standard Contractual Clauses (SCC) instrument for international data transfers and published an updated version on 4 June 2021.

In clause 14, the new Standard Contractual clauses require the parties to conduct a so-called “Transfer Impact Assessment” to ensure that the transfer mechanism under art. 45 et seq. GDPR is effectively guaranteeing an adequate level of data protection in the third country and is not undermined by the transfer in practice or local legislation. If such a Transfer Impact Assessment is not prepared carefully, the SCCs could become unlawful which would result in an illegal transfer of personal data from the EU to a third country. To prevent potential fines due to such a violation of the GDPR, we would like to support you in correctly setting up the SCCs and the TIAs in particular.

In summary, for the new SCCs to be valid the level of data protection in the third country must be essentially equivalent to the level of protection guaranteed by the GDPR in the EEA. If mechanisms under art. 45 et seq. GDPR fail to guarantee an equally high level of protection in the third country, the transfer of personal data is unlawful. This is especially the case if the importer is prevented from complying due to the third country’s legislation and practices applicable to the transfer, including the transit of data from the exporter to the importer’s country.

Therefore, the key question such a Transfer Impact Assessment should focus on is: “Are there any laws and/or practices in force that impede the effectiveness of the appropriate safeguards of your transfer tool in context of your specific transfer?”

The most important aspects a TIA should include are therefore

  1. whether public authorities of the third country of your importer may seek to access the data with or without the data importer’s knowledge, in light of legislation, practice and reported precedent and
  2. whether public authorities of the third country of your importer may be able to access the data through the data importer or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedents. 

To fully evaluate the risks for the rights and freedoms of data subjects that result from this data transfer, a TIA should contain five steps: 
First, the data transfer as such should be described focusing on the specific characteristics and circumstances of the transfer. This should include general information such as the identities of the data importer and the data exporter and the data categories that are transferred. This section should then include information the purpose of the transfer, the affected data subjects, and whether or not an onward transfer to another third country is possible. Finally, you need to state why the transfer is necessary and why it was not an option to choose a European partner or service provider. You need to give detailed reasons as to a European solution is out of the question, or why this particular provider in a third country is without alternative.

The second step evaluates whether laws and practices are in force in the third country that could affect the security of the data transfer and/or the processing of the data. This evaluation should primarily focus on the relevant laws in the respective third country that lay down requirements to disclose personal data to public authorities or granting such public authorities’ powers of access to personal data. This could be criminal law, regulatory, or national security powers. This step should also explain these rules and practices in the third country and the legal system in general that could affect the transfer of data. Generally speaking, a full and thorough description of the relevant legal provisions in the third country is required.

In step three, all the relevant aspects, arguments, and circumstances identified in steps 1 and 2 are evaluated und summarized to assess the risks for the rights and freedoms of the data subjects that are created with the data transfer to the third country. In particular, it is crucial to assess whether a public authority might access the data and what risks result for the data subjects in the event of such an access. This evaluation then concludes whether additional security measures are required to properly fulfill the aim of the SCCs to effectively guarantee a level of data protection in the third country that is equivalent to the level in the EEA.

If step three revealed that additional security measures are necessary, these are identified in the fourth step to mitigate the risks identified in the first and second steps. We recommend considering technical, contractual, and organisational measures, although contractual and organisational measures alone will hardly prevent authorities from accessing the personal data. Therefore, contractual and organisational measures should be paired with technical measures to raise the level of data protection. These measures have to be carefully chosen to mitigate the identified risks and need to be properly implemented both in light of the recent Schrems II decision and the relevant guidelines of data protection authorities such as the EDPB. If these measures are not chosen or correctly implemented, the SCCs and the overall transfer of data to the third country remain invalid and therefore unlawful.

The fifth and final step concludes the TIA and states your final decision, i.e. whether the data transfer is acceptable considering all the relevant aspects identified before. The risks identified in step 3 are matched with the implemented security measures listed in step 4. A lawful data transfer is only possible if the final conclusion can state that the the level of data protection in the third country is essentially equivalent to the level of protection guaranteed by the GDPR in the EEA despite of the national legislation that could potentially interfere with the given security guarantees.

Since this a both important and complex issue, we have created a template Transfer Impact Assessment document and added all these steps, questions, and necessary information into the template so that you can set up such a TIA without having to research the required information yourself. Please don’t hesitate to reach out in case you would like to use our TIA template or alternatively download it directly from your ePrivacyaudit account.

We are of course happy to support you with every question you might have regarding the TIA process or with setting up compliant TIAs for your business.