Transfer Impact Assessment: the CNIL published a draft guide

6 February 2024

Pursuant to the Regulation UE 2016/679, commonly known as the General Data Protection Regulation (“GDPR” or “Regulation”), entities engaged in transferring personal data outside of the European Economic Area (“EEA”) must assess the level of data protection in the countries of destination and the necessity for implementing additional protective measures.

In order to facilitate this process, the Commission Nationale de l'Informatique et des Libertés (“CNIL”) has released a preliminary version of the “Draft Practical Guide – Transfer Impact Assessment” for public consultation until February 12th, 2024 (the “Guide”). The Guide has been drafted following the European Data Protection Board’s (“EDPB”) Recommendations 01/2020 “on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”, adopted on June 18th, 2021, with the aim of supporting exporters of personal data in preparing a Transfer Impact Assessment (“TIA”).

Context

The concern of data transfer affects a broad spectrum of controllers and processors, irrespective of their nature (public or private, profit or non-profit) and scale (from multinational enterprises to small/medium-sized businesses and individual professionals). The proliferation of cross-border services, especially cloud-based solutions, has expanded the scenarios in which personal data is processed entirely or partially in third countries not governed by the GDPR. This situation necessitates data transfers under specific conditions outlined in Articles 44-49 of the GDPR.

As a general rule, the GDPR provides that the transfer of personal data outside the EEA is forbidden unless the third country ensures a level of protection adequate to, and equivalent with, the one afforded by the GDPR.

To this end, Article 45 of the GDPR provides that a transfer of personal data to countries outside the EEA may take place where the European Commission has decided – with an adequacy decision – that the third country in question ensures an adequate level of protection of personal data.

In the absence of such a decision, Article 46 of the GDPR stipulates that a data transfer to a third country may occur only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. In this regard, the tools that may constitute “appropriate safeguards” include, by way of example and without limitation, binding corporate rules (“BCR”) and standard contractual clauses (“SCC”).

Finally, Article 49 of the GDPR provides certain derogations, such as the consent of the data subject, which allow the transfer of personal data in the absence of an adequacy decision or appropriate safeguards.

Notwithstanding the above, the Court of Justice of the European Union (“CJEU”), with its ruling “Schrems II”[1], has also emphasized the responsibility of exporters and importers to ensure that personal data is processed, and continues to be processed, in compliance with the level of protection set by the EU data protection legislation. This responsibility includes suspending the transfer and/or terminating the contract if the importer is not, or is no longer, in a position to comply with its personal data protection obligations.

Cases where a TIA should be carried out

A TIA is required when controllers or processors, acting as exporters, plan to transfer personal data from an EEA country to a third country using tools under Article 46 of the GDPR. The obligation to conduct a TIA does not apply if the data is destined for a country with an adequacy decision or if the transfer falls under the derogations in Article 49.

The purpose of the TIA

The TIA aims to assess the level of adequacy of data protection guaranteed by local legislation and practices of the third country of destination and take into account the practices of authorities in the third country regarding the access to the transferred data.

Where necessary, the TIA should enable the exporter to assess whether supplementary measures would make it possible to remedy the shortcomings identified and ensure the level of data protection required by EU legislation.

In order to carry out the TIA, cooperation between the importer and the exporter is essential, considering the amount of information that the importer has at its disposal. Moreover, such cooperation, within the framework of the relationship between a controller and a processor, constitutes one of the obligations outlined in Article 28 of the GDPR.

Purpose and Implementation of the Guide

As clarified by the CNIL, the Guide constitutes a methodology and, more specifically, a checklist for the exporters, which identifies various elements to be considered when carrying out a TIA.

In fact, the Guide provides indications on how the analysis can be carried out by following the six steps set out in EDPB’s recommendations and refers to the relevant documentation.

In particular, the steps are the following:

  1. “Know your transfer”: this section enables the exporter to describe the transfer so that its characteristics and sensitivity can be considered in the assessment;
  2. “Document the transfer tool used”: this step requires the exporter to document the tool that will be used for the transfer and the analysis concluding whether or not a TIA is required for it;
  3. “Evaluate the legislation and practices in the country of destination of the data and the effectiveness of the transfer tool”: this section enables the exporter to assess the legislation and practices in the country of destination of the data and to identify whether there are any factors that could affect the effectiveness of the appropriate safeguards in place or that could prevent the exporter from fulfilling its obligations;
  4. “Identify and adopt supplementary measures”: according to the EDPB’s recommendations on supplementary measures, contractual and organizational measures are not sufficient in themselves to prevent possible access to data by the authorities of the third country and must always be complemented by technical measures (referred to as “supplementary” measures). This step therefore consists of identifying, on a case-by-case basis, which supplementary measures could be effective for the transfer in question, so as to ensure a level of data protection in the third country that is substantially equivalent to that afforded within the EEA;
  5. “Implement the supplementary measures and the necessary procedural steps”: this section contains an action plan for the operational implementation of the supplementary measures identified in step 4;
  6. “Re-evaluate at appropriate intervals the level of data protection and monitor potential developments that may affect it”: this step allows the exporter to anticipate future reassessments of the transfer.

It should be noted that the use of the Guide is not mandatory for the exporter and that it does not constitute an evaluation of the laws and practices in the third country and risks related thereto.

Conclusion

The CNIL promotes a dynamic approach to managing cross-border data transfer operations, emphasizing the exporter’s responsibility to conduct a TIA to ensure adequate protection. Although the Guide is still under public consultation until February 12th, 2024, the TIA methodology proposed by the CNIL represents a significant step towards balancing the free flow of data outside the EEA with the protection of individual rights in data management processes.


[1] Judgment of the Court (Grand Chamber) of 16 July 2020, “Schrems II”, C-311/18.

2024 - Morri Rossetti
