The term “Transfer Impact Assessment” or “TIA” is relatively new to the world of data privacy. Indeed, according to one widely used legal database the term was not referenced within any academic journals or secondary sources until 2021.1 The term has come to refer to a written analysis, conducted by a controller or a processor, of the impact that a transfer of personal data to a country outside of the EEA may have on the privacy afforded to the transferred data. TIAs focus specifically, although often not exclusively, on whether the laws of the country to which the data is being imported would permit government agencies access to the personal data.
The impetus to conduct a TIA comes from three legal authorities.
First, in the European Court of Justice’s Schrems II decision the ECJ stated that even when an organization uses a contractual mechanism provided for under the GDPR it is “above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguard to those offered by those clauses.”2 While the ECJ decision did not mandate that the “verif[ication]” be documented and in writing, the concept of a written assessment to analyze the impacts of a transfer (i.e., a transfer impact assessment) can be used by parties to demonstrate that such verification occurred.
Second, approximately a year after the Schrems II decision, the European Data Protection Board (EDPB) finalized its recommendations on measures to supplement data transfer tools.3 That document recommended that before transferring personal data outside of the EEA to a country that lacked an adequacy decision from the European Commission, a data exporter should “first assess, where appropriate in collaboration with the importer” whether there was “anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the Article 46 GDPR transfer tool you are relying on, in the context of your specific transfer.”4 The EDPB further indicated that it considered the following to be necessary components of the assessment:
- An analysis of the legislation of the data importer’s country.
- Whether public authorities of the third country may seek access to the data with or without the data importer’s knowledge either via legislation, practice, or reported precedent.
- Whether public authorities of the third country may be able to access the data through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedent.
The EDPB stated that in its view companies should “document [the assessment] thoroughly.”5 It also noted that the assessment might be requested by “competent supervisory and/or judicial authorities.”6
Third, in June of 2021, the European Commission approved new standard contractual clauses which contained a requirement, within Clause 14, that for all transfers of personal information (regardless of whether they originate from, or are received by, a controller or a processor) the “Parties” must warrant that they have “no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer . . . prevent the data importer from fulfilling its obligations under these Clauses.”7 When providing such warranty, the Parties represent that they have taken specific factors into consideration (e.g., circumstances of the transfer, length of the processing chain, law and practices of the third country of destination). The data importer specifically warrants that it has “made its best efforts to provide the data exporter with the relevant information” to complete the assessment,8 and the Parties jointly agree to “document the assessment . . . and make it available to the competent supervisory authority on request.”9
From these three authorities the Transfer Impact Assessment emerged as a term of art to describe the process by which a data exporter and a data importer analyze the privacy impact of transmitting personal information from the EEA to a country outside of the EEA that has not been deemed adequate by the European Commission.
FOOTNOTES
1. Search of secondary sources conducted on Lexis.
2. Schrems II at para. 134.
3. EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) 18 June 2021.
4. EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) at para. 30, 18 June 2021.
5. EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) at para. 47-48, 18 June 2021.
6. EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) at para. 47-48, 18 June 2021.
7. New Standard Contractual Clauses (all Modules) Clause 14(a).
8. New Standard Contractual Clauses (all Modules) Clause 14(c).
9. New Standard Contractual Clauses (all Modules) Clause 14(d).