You are a U.S.-based company that collects or is otherwise given access to the personal data of European residents. Are you aware of your obligation to perform a Transfer Impact Assessment before importing such data? This article describes the purpose of such an assessment and the steps involved in performing it.
What is a Transfer Impact Assessment?
The term “Transfer Impact Assessment” (TIA) is relatively new to the world of privacy. The obligation to perform a TIA stems from clause 14 of the new standard contractual clauses (SCCs), which were published by the European Commission (hereinafter the “Commission”) in June 2021. These new SCCs must be put in place prior to any transfer of personal data originating from the European Union to countries outside the European Economic Area (EEA) that are not subject to an adequacy finding by the Commission. Transfers within the EEA are covered by the General Data Protection Regulation 2016/679 of 25 May 2016 (hereinafter the “GDPR”), which provides extensive protection for the personal data of individuals residing in the EEA. If a company wants to transfer EU personal data to a third country that is not considered to offer sufficient protection for personal data, that company must rely on one of the transfer mechanisms recognized by the Commission under EU law, as specified in the GDPR.
It should be noted that there are two categories of third countries: (i) third countries that benefit from an adequacy decision by the European Commission, and which are therefore considered to guarantee an adequate level of personal data protection; and (ii) third countries that are not subject to such an adequacy decision (which include the United States). The transfer of personal data to the first category of third countries is permitted without the need to implement any additional safeguards, such as signing SCCs and consequently performing a TIA, whereas a transfer to the second category requires the implementation of such additional safeguards. It is also worth noting that an adequacy decision may be specific to a particular territory or sector in the third country, or to an international organization (such as the United Nations or the World Health Organization).
A TIA is an analysis by a data controller or a data processor of the impact and security implications of a transfer to a country outside the EEA that does not benefit from an adequacy finding by the Commission. TIAs, which often take the form of a questionnaire, must be conducted for every personal data processing activity. Among other things, a TIA establishes whether the laws of the third country in question would allow government agencies of that country to access the personal data. Other factors will generally be taken into account, such as the general level of human rights protection in the third country. It should be noted, however, that the GDPR does not indicate which factors should specifically be considered when conducting a TIA, nor does it require the TIA to be in written form. It is nevertheless recommended to document it in writing, as this provides evidence that the analysis has indeed been performed.
What should be included in a TIA (international data transfers)?
Although there are no specific guidelines for the drafting of a TIA, it is important to ensure that a thorough analysis of the applicable legal framework of the third country is carried out. It is crucial to understand all the risks, real or hypothetical, that could threaten the security of the personal data you wish to transfer outside the EEA.
We propose a five-step analysis, which must be conducted before proceeding with the transfer.
The first step is to describe the intended transfer of personal data. For instance, to which country will the data be transferred? Who is importing the data, and in what context are they importing it? What categories of data subjects are concerned? Will sensitive personal data, such as data concerning sexual orientation or health, be transferred?
The second step is to define the TIA parameters, such as the starting date of the intended transfer, its duration, the laws that need to be taken into account in the third country, etc.
The third step is to define the safeguards that are implemented, whether technological, contractual or organizational measures. For example, will the personal data be encrypted or otherwise protected? Would it be possible, given the purpose of the transfer, to instead transfer the data to a third country considered by the Commission as offering an adequate level of protection? Are safeguards recognized by European law, such as SCCs, put in place?
The fourth step consists of assessing the risk that the transferred data could be lawfully accessed by third parties in the target jurisdiction. Of course, this is country-specific, each country having its own laws and regulations. For example, the person conducting the TIA will have to analyze the various laws applicable in the third country in order to determine whether there is a legal basis for a third party to access the transferred personal data, despite the safeguards that are in place. For instance, one would consider whether the party to whom the personal data is to be transferred could be the target of national authorities’ investigations. Please note that these examples are not exhaustive and are only intended to illustrate the wide range of considerations that must be taken into account when conducting such an analysis.
Finally, in light of the preceding four steps, the person conducting the TIA will conclude whether or not the intended transfer of personal data to the third country involves an acceptable level of risk.
In conclusion, the implementation and analysis process involved in performing a TIA is meticulous work requiring a thorough knowledge of the legal framework governing personal data, both at the European level and at the level of the third country to which the personal data is to be transferred. It is therefore important to be assisted by a professional who can guide you through each step of the process.
We practice both US and European law, and have particular expertise in the field of personal data protection. If you wish to ensure that your organization complies with its obligations when transferring EU personal data to the United States, please do not hesitate to contact us; we would be delighted to assist you!