The impetus to conduct a Data Transfer Impact Assessment (TIA) comes from three legal authorities: (1) the European Court of Justice’s recommendation in Schrems II that the parties to a transfer verify on a case-by-case basis whether the “law of the third country of destination ensures adequate protection . . . of personal data transferred pursuant to the standard data protection clauses,”[1] (2) the European Data Protection Board’s (EDPB) recommendations on measures to supplement data transfer tools, [2] and (3) Clause 14 of the new Standard Contractual Clauses (SCC), which requires the parties to a transfer to warrant that they have analyzed certain factors about the law of the importer.
Among the three sources, the new SCC provide the most specific references to what factors should be analyzed by the parties. These are viewed by many organizations as functionally required parts of a thorough TIA and are indicated below in plain text. In addition to those factors expressly required, the SCC refer to other factors that “may be considered as part of an overall assessment.” These are functionally viewed by many organizations as best practices, but potentially not strict requirements, and are indicated below in bold along with additional factors noted in the EDPB’s recommendation as being potentially “relevant”:
Laws and Practices of the Destination Country:
- Laws requiring the disclosure of personal data by the importer to public authorities.[3]
- Laws authorizing public authorities to access personal data held by the importer. [4]
- Whether the above-referenced laws permit data subjects to obtain judicial redress against unlawful government access.[5]
- Prior instances of requests (or the absence of such requests) for disclosures from public authorities to the importer.[6]
- Reliable information on the existence or absence of requests for disclosure by public authorities “within the same [industry] sector.”[7]
- Case law impacting whether personal data by the importer must be disclosed to public authorities. [8]
- Reports by independent oversight bodies discussing whether personal data (presumably within an industry sector) may be disclosed to public authorities.[9]
- Whether the destination country has a comprehensive national data protection law.[10]
- Whether the destination country has an independent data protection authority. [11]
- Whether the destination country has adhered to international instruments providing for data protection safeguards.[12]
Circumstances of the Transfer:
- Length of the processing chain impacting the personal data.[13]
- Number of actors with access to personal data.[14]
- Transmission channels used to send personal data.[15]
- Intended onwards recipients of the personal data.[16]
- Type of recipients of the personal data.[17]
- Purpose of the processing.[18]
- Categories and format of the transferred personal data.[19]
- Economic sector in which the transfer occurs.[20]
- Storage location of the data transferred.[21]
Supplemental measures to protect personal data:
- Relevant contractual safeguards that may supplement the safeguards provided for in the SCCs.[22]
- Relevant technical safeguards that may supplement the safeguards provided for in the SCCs.[23]
- Relevant organizational safeguards that may supplement the safeguards provided for in the SCCs.[24]
[1] Schrems II at para. 134.
[2] EDPB, Recommendations 01/2020 on measure that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) 18 June 2021.
[3] SCC Clause 14(b)(ii) (all Modules).
[4] SCC Clause 14(b)(ii) (all Modules).
[5] EDPB, 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 37.
[6] SCC Clause 14 (all Modules) fn 12.
[7] SCC Clause 14 (all Modules) fn 12.
[8] SCC Clause 14 (all Modules) fn 12.
[9] SCC Clause 14 (all Modules) fn 12.
[10] EDPB, 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 37.
[11] EDPB, 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 37.
[12] EDPB, 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on 18 June 2021 at ¶ 37.
[13] SCC Clause 14(b)(i) (all Modules).
[14] SCC Clause 14(b)(i) (all Modules).
[15] SCC Clause 14(b)(i) (all Modules).
[16] SCC Clause 14(b)(i) (all Modules).
[17] SCC Clause 14(b)(i) (all Modules).
[18] SCC Clause 14(b)(i) (all Modules).
[19] SCC Clause 14(b)(i) (all Modules).
[20] SCC Clause 14(b)(i) (all Modules).
[21] SCC Clause 14(b)(i) (all Modules).
[22] SCC Clause 14(b)(iii) (all Modules).
[23] SCC Clause 14(b)(iii) (all Modules).
[24] SCC Clause 14(b)(iii) (all Modules).