France: CNIL publishes proposed methodology for assessing third-country data transfers
The French data protection authority ('CNIL') published, on 23 June 2021, a proposed methodology for identifying and processing data transfers outside the EU, and in particular to the US, to aid organisations in carrying out third country assessments, as required by the judgment of the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In addition, CNIL updated its guidance on the consequences of the Schrems II judgment for organisations wishing to transfer personal data outside the EU, and its FAQs on the Schrems II judgment.
In particular, CNIL highlighted that the proposed methodology aims to complement and clarify, from an operational point of view, the European Data Protection Board's ('EDPB') Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. More specifically, CNIL outlined that the proposed methodology may be used to precisely identify third-country transfers, by means of a technical and legal inventory, and to implement an action plan adapted to the specific organisation.
As a first step, CNIL recommends making an inventory of the transfers of personal data linked to digital tools, noting that such an inventory should reveal any transfers of data outside the EU carried out as part of business activities and support functions. Furthermore, CNIL outlined that the key business functions to involve in this exercise, in order to specify the scope of any transfers, are the organisation's data protection officer ('DPO'), the information systems department, the purchasing department, the operational managers of the various services, and any digital service providers.
In addition to the above, CNIL recommends identifying all digital tools used by the organisation, as well as all vendor contracts, and using the inventory of both these technical and legal elements to complete a summary document listing the flows outside the EU of personal data implemented within the framework of the activities.
Defining an action plan
As a second step, CNIL recommends creating an action plan. In particular, CNIL recommends carrying out risk assessments with respect to personal data flows, assessing whether the transfers have a legal basis, and identifying possible solutions following such analysis. Specifically, CNIL outlined that it will be necessary to identify the oversight of transfers and the transfer tools put in place, and to assess the effectiveness of the tool used in relation to the legislation of the country to which the data is being transferred, emphasising that where the effectiveness of the tool is likely to be reduced by the application of the third country's legislation, the implementation of additional measures will be required.
Further to the above, CNIL highlighted the following possible outcomes to the third-country assessment:
- Continue data transfers outside the EU.
- Continue transfers outside the EU by defining new guarantees, such as:
  - additional technical measures such as encryption and pseudonymisation;
  - additional contractual measures such as the addition of clauses approved by the EDPB in contracts and the revision of Article 28 GDPR agreements with subcontractors; and
  - additional organisational measures such as organisational awareness and internal documentation.
- End transfers without a legal basis and redefine your data management policy.
In terms of final steps, CNIL recommends submitting the assessment and action plan, which should include the identified action priorities and the resources that can be operationalised to achieve the same, to the relevant organisation executive, as well as regularly reviewing data flows outside the EU alongside reviewing their legality, in particular on the occasion of each new purchase of digital services.