Transfer Impact Assessment – what is it, and do I need to do one?
In July 2020 the European Court of Justice in its ‘Schrems II’ judgment invalidated the EU-U.S. Privacy Shield. In their judgement the ECJ, whilst upholding Standard Contractual Clauses (SCCs) as a transfer tool, made it clear that data exporters (i.e. organisations within the EEA which transfer personal data to countries outside the EEA) must “verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned”.
Following the Schrems II judgment, the European Data Protection Board (EDPB) issued two pieces of guidance to help data exporters with the analysis required by the ECJ: Measures that supplement transfer tools (Recommendations 01/2020); and European Essential Guarantees (Recommendations 02/2020). In addition, the European Commission published updated draft SCCs for consultation, which are expected to be adopted in March 2021.
In practice, this means that businesses which propose to transfer – or to continue to transfer – personal data using SCCs (or another transfer tool) to a third country must first carry out a transfer impact assessment (TIA) with a successful outcome in accordance with the six-step process set out in the EDPB’s Measures that supplement transfer tools (Recommendations 01/2020):
Step 1: Map your data flow, i.e. the scope and categories of personal data to be transferred, the data subjects concerned, and the purposes for which the data is being transferred.
Step 2: Identify your transfer tool, which will usually be SCCs but could be for example Binding Corporate Rules (BCRs).
Step 3: Assess the laws of the third country for the purpose of identifying any respects in which those laws may not permit the data importer to comply with its obligations under the SCCs (or other transfer tool), and therefore not provide protection which is essentially equivalent to that provided by EU law. The EDPB’s European Essential Guarantees (Recommendations 02/2020) sets out the minimum standards by which the third country’s laws can be assessed.
Step 4: Identify appropriate supplementary measures to remedy any shortcomings disclosed by the assessment in Step 3. Supplementary measures may contractual, technical or organisational in nature.
Step 5: Implement your supplementary measures.
Step 6: Re-evaluate your assessment at appropriate intervals.
Also, note that the TIA must be properly documented, and include appropriate supporting documentation such as data mapping records and legal opinions from local counsel. And if the TIA discloses the existence of local laws which impinge on the effectiveness of the SCCs (or other transfer tool), and no supplementary measures are available to mitigate the risk, then the transfer cannot proceed/must be suspended immediately.
Reaction to the brave new, post-Schrems II world of data transfers has been mixed… Ensuring EU-standard privacy protection for data that is transferred outside the EEA is of course commendable, at least in principle. But requiring all businesses to not only put in place comprehensive contractual protections (e.g by way of SCCs) but also to carry out a time consuming, technically difficult and potentially very costly TIA for each type of transfer is arguably so onerous that many businesses, particularly SMEs, will take a risk-based view and simply dispense with the TIA. Other businesses may take the view that exporting data outside the EEA is simply too difficult, and replace its existing service providers with EEA-based providers.
The European Commission (EC) is of course aware of the difficulties that Schrems II has created for EEA organisations, including those which already have established global data sharing networks, and those looking to transfer data to non-EEA service providers for which are no equivalents available in the EEA. But while we wait for the EC to come up with some more workable alternative options, businesses which are exporting, or looking to export, personal data to third countries may now want to start:
- Looking at their data flows to non-EEA countries, and considering whether any personal data (and especially special category data) can be removed from the data export.
- Setting up a TIA process, supported by appropriate documentation.
- Developing a toolbox of risk mitigating measures, such as data encryption/pseudonymisation, privacy-friendly data sharing procedures etc.