International: How are companies dealing with transfer impact assessments in practice?
In the aftermath of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), the requirement to carry out transfer impact assessments ('TIAs') before transferring data to third countries has become a major concern, not only for many businesses carrying out international activities, but also for any companies – including small to medium-sized enterprises ('SMEs') – relying on foreign providers. Sonia Cissé, Clémentine Richard, and Julie Favreau, from Linklaters, shed light on the specificities of this new but already well-known requirement and set out the legal, organisational, technical, and financial complications many companies are facing in implementing it.
In the Schrems II Case, the Court of Justice of the European Union ('CJEU') overturned the legal framework for transfers of personal data outside the European Economic Area ('EEA') when it ruled that data exporters were required to "verify on a case-by-case basis […] whether the country of destination ensures adequate protection, under EU law" of the personal data transferred, by providing, where necessary, additional safeguards to those offered by the Standard Contractual Clauses ('SCCs'). In other words, data exporters can no longer transfer personal data to a data importer located in a third country (i.e., a country outside the EEA that is not covered by an adequacy decision of the European Commission) by simply relying on SCCs[1] or Binding Corporate Rules ('BCRs') without first conducting a specific assessment of the circumstances of each transfer at stake[2].
What exactly is a TIA?
A TIA is a process that any data exporter must carry out and document before transferring personal data to a third country, in order to assess the risks entailed by the data processing and the relevant measures to mitigate such risks.
Its purpose is to identify and analyse the laws applicable in the data importer's country against the European Essential Guarantees[3], and notably to identify whether there is anything in the law or practice of the third country allowing local public authorities to access the personal data transferred that may impinge on the effectiveness of the safeguards provided for by the SCCs or the BCRs.
Once duly completed, the TIA enables the data exporter to establish whether the intended transfer complies with the level of protection set by EU data protection law, and if not, whether supplementary measures could be taken to ensure the confidentiality and security of the personal data transferred.
What steps need to be taken when conducting a TIA?
First and foremost, data exporters need to map their data flows and identify the transfer tools on which these transfers rely[4].
Once this mapping is complete, controllers and processors must start carrying out their TIAs and prepare appropriate documentation, covering at least the following steps:
- Summarising the characteristics of the intended transfer: gathering all information on the data exporter, data importer, and characteristics of the transfer (categories of personal data, categories of data subjects, format, volume, etc.).
- Assessing the enforceability of the transfer tool in the importer's country – local laws and practices assessment: gathering all relevant information based on the analysis of the third country's law. This analysis is the cornerstone of the TIA. Data exporters are required to identify and analyse the laws and practices (e.g., case law) of the data importer's country to determine to what extent these laws may impinge on the effectiveness of the chosen transfer tool. According to the European Data Protection Board ('EDPB'), this assessment should determine whether: (i) powers under national laws are clear, precise, and accessible; (ii) the grounds on which the powers may be exercised are necessary and proportionate; (iii) an independent oversight mechanism is available; and (iv) effective remedies are available to the relevant individuals[5].
- Identifying the appropriate supplementary measures: implementing any measures which would mitigate or remedy the risks revealed by the assessment of the importer country's legislation, in order to avoid being obliged to suspend or stop the transfer.
Once the above TIA steps have been fulfilled, the exporter must ensure proper implementation of the appropriate supplementary measures and re-evaluation of the assessments at appropriate intervals.
What are the main challenges faced by companies?
Carrying out TIAs is not an easy task – exporting companies are confronted with a number of different challenges and have to mobilise significant legal, technical, human, and financial resources to comply with the requirements.
Lack of clarity
The first main legal issue faced by companies is the lack of clarity in data protection authorities' ('DPAs') expectations as to what exactly is required. Indeed, very few DPAs have issued detailed guidelines on TIAs. The rare examples of DPA publications, including TIA templates, are currently available online on DPA websites. Beyond the DPAs, associations such as the International Association of Privacy Professionals have also published useful materials.
Challenges related to local law assessments
The other challenge faced by companies is to ensure their assessment of third countries' national legislation is reliable and sufficiently exhaustive.
Indeed, in practice, the assessment of such legislation can turn out to be quite burdensome; this is, in particular, the case for countries with federal and state level legislation.
The analysis must encompass all levels of legislation, but state laws generally do not provide for specific public authorities' access rights. However, for example, as regards the US, it could be worth also analysing the laws of business-focused states such as New York, New Jersey, California, and Illinois.
In addition, even though data exporters have a variety of sources of local laws at their disposal, including those listed by the EDPB in its recommendations, there might be inconsistencies between the laws and the practices that cannot easily be spotted or grasped without the assistance of local law practitioners.
One of the solutions found by many data exporters is to rely on data importers' help through a questionnaire on their country's laws and practices – this document can play a key role in the TIA process, in particular when the legislation of the third country is not easily accessible. However, the feedback obtained from data importers can sometimes be approximate. Data exporters must, nevertheless, bear in mind that they will still need to verify the accuracy of the information provided by data importers – a requirement which has been highly criticised in recent months, with certain scholars arguing that the obligation set forth by the EDPB on data exporters to conduct such a comprehensive examination goes beyond what is actually required by Article 46 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and is an exercise that DPAs themselves are not in a position to carry out, given their lack of knowledge of third countries' legislation.
Organisational challenges: knowledge of TIA and internal organisation
Undertaking a TIA requires a robust internal organisation with a clear allocation of the tasks and responsibilities within the company. It implies being able to rely on a person or a team having an in-depth knowledge and understanding, not only of the processing carried out within the organisation but also of the different guidelines and recommendations released after the Schrems II Case. This knowledge alone is not sufficient, though, to ensure the practical implementation of the TIA requirements in view of the theoretical nature of most of these texts.
Therefore, handling compliance of transfers can be a full-time job. Indeed, the designated person would be in charge, among other things, of the mapping of every data flow carried out by the company, the identification and adoption of the adequate transfer tools under the GDPR, and the undertaking of appropriate TIAs for all transfers or data importers concerned – which is the most important but also burdensome task of all – as well as ensuring continuous updating and monitoring.
Unreachable level of security
From a business and technical standpoint, data exporters and importers are facing hurdles in complying with the expected level of security and regret the lack of pragmatic guidance.
As an illustration, the EDPB declared that transfers to cloud service providers requiring access to data in plain text were unlawful, even in situations where transport encryption and data-at-rest encryption could be ensured. Instead, the EDPB requires, among other technical measures, that cryptographic keys be retained solely under the control of the data exporter or a trusted third party in the EEA. It also requires state-of-the-art encryption (in accordance with the European Union Agency for Cybersecurity's ('ENISA') Guideline 'State of the art' Technical and organisational measures) that cannot always be reached by all businesses, even big ones. Following the EDPB, the French data protection authority ('CNIL') ruled, in a recent decision, that the supplementary measures implemented by Google LLC for Google Analytics were not sufficiently effective, without providing indications on the measures that would be considered as such.
Although the EDPB gives useful examples of scenarios in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data ('the EDPB Recommendations'), their generality and the many reservations they contain do not in practice allow companies to address all the uncertainty surrounding the compliance of their transfers, while such transfers are at the core of the activity of many of them.
Finding the right balance between the risks stemming from non-compliance with all the mechanisms imposed since the Schrems II Case and the business itself, therefore, turns out to be very challenging for companies, which could use more business-oriented and practical guidance.
Lack of business-oriented guidance
Data exporters also complain that the guidance provided at this stage is not sufficiently business oriented.
For instance, following the publication of the EDPB Recommendations, the French Association of Private Companies ('AFEP') reported serious concerns about the requirements resulting from the Schrems II Case regarding their applicability from a business perspective[6].
Indeed, countless companies have no choice but to use service providers located outside the EU – because of various factors such as the nature of the service sought, the longstanding business relationships between the parties, or simply for profitability reasons. In this sense, the AFEP underlined that, for the time being, no European company could match the American players' technological efficiency, for example in terms of maintenance or flow speed, meaning that in practice European companies have no other remedy but to rely on them.
Finally, performing TIAs can turn out particularly expensive, in particular when companies have to rely on external counsel, employ people with specific skills, or even acquire specially-designed tools to deal with TIA-related tasks.
Many companies are still struggling to comply with the many obligations stemming from the GDPR considering the costs it entails and are, understandably, not ready to face and implement these new requirements.
To tackle those challenges and reduce the burden, companies are contemplating different solutions to either streamline their TIA process or prioritise the tasks.
What solutions could reduce the burden on companies?
Data exporters may, during the mapping exercise, identify similarities between their various transfers to slim down the number of individual transfers considered. For instance, rather than conducting separate TIAs for each data importer and each country, the data exporter might decide to group transfers by different data importers to the same country whenever the same categories of data sets are transferred for the same purposes. The local law assessment could also be shared across transfers to data importers located in the same country, provided it is broad enough to capture all potentially relevant legislation of that country.
Likewise, data exporters could do an aggregated analysis for all transfers and produce a baseline set of technical and organisational measures to be implemented in respect of all transfers to a specific country. For this aspect, which is of the utmost importance, legal teams, IT departments, and IT security teams should work jointly to be able to assess the robustness and effectiveness of the technical measures implemented or to be implemented.
Considering the amount of time and resources required to reach a level of full Schrems II compliance, several authors and businesses advocate a 'risk-based approach' to TIAs – a notion at the heart of the GDPR which involves the need for controllers to identify 'the risks to the rights and freedoms of natural persons and to take into account the likelihood and severity of those risks, in relation to the nature, scope, circumstances and purposes of the processing'[7] before any data processing.
More precisely, such an approach is supported by the principles of accountability and security, which impose an obligation on data controllers only when a 'high risk' for the rights and freedoms of data subjects is likely to arise. This is, for instance, the case with Data Protection Impact Assessments, which are required whenever a processing 'is likely to result in a high risk'[8] to data subjects' rights and freedoms, and, in the event of a data breach, with the obligation for data controllers to inform data subjects in this respect[9].
The EDPB has so far rejected this approach. The only conclusive factor considered in conducting a TIA is whether the legal situation of the third country provides an adequate level of protection and/or whether the data processing could otherwise be protected by additional measures[10].
A substantial number of businesses nevertheless appear to have no other choice than to proceed on this basis for their existing transfers given the numerous challenges they face.
In its recent decision taken in the context of the global investigation against Google Analytics, the Austrian data protection authority ('DSB') has confirmed that this risk-based approach is a dead end. Indeed, the DSB clearly ruled that "such a risk-based approach [could not] be derived from the wording of Art. 44 GDPR"[11], thereby closing the door to this alternative solution.
Rapid evolution of the legal framework
In addition, consideration must be given to the recent announcements of the European Commission and the White House on the new Trans-Atlantic Data Privacy Framework, aimed at building a new adequacy decision for US data transfers[12]. Although the adoption of this framework was received as good news for all stakeholders, it is quite likely to discourage companies that invest substantial resources in carrying out TIAs and implementing supplementary measures whose usefulness may be undermined in the short or medium term.
This adequacy decision is not ready to be published yet though – as discussions are still ongoing and since the EDPB will have to examine the US commitments before any decision is taken by the European Commission[13].
However, it is noteworthy that the efforts undertaken to draft TIAs for US transfers were not in vain – companies cannot forget that these TIAs will always be useful for transfers to countries other than the US.
1. See the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, Clause 14: "The Parties must warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer (…) prevent the data importer from fulfilling its obligations under these Clauses".
2. See: EDPB, Frequently Asked Questions on the Schrems II Case, and EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0), 18 June 2021.
3. See: EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, 10 November 2020.
4. See: EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0), 18 June 2021, p. 10 et seq. for more details about these two steps.
5. See: EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, 10 November 2020.
6. See: https://afep.com/wp-content/uploads/2021/01/AFEP-01-2020-CEDP-REPONSE-21122020-Finale.pdf
7. See: Nina Diercks and Heiko Markus Roth, 'Data Transfer to unsafe Third Countries'.
8. Article 35 of the GDPR.
9. Article 34 of the GDPR.
10. See: Nina Diercks and Heiko Markus Roth, 'Data Transfer to unsafe Third Countries'.
11. See: https://noyb.eu/sites/default/files/2022-04/Bescheid%20geschw%C3%A4rzt%20EN.pdf
12. See: EDPB Statement 01/2022 on the announcement of an agreement in principle on a new Trans-Atlantic Data Privacy Framework, adopted on 6 April 2022.