Skip to content

It depends on the purpose for which a TIA is created. It is unlikely that the attorney-client privilege would apply to a TIA that is created, and used, to satisfy the requirements of the Standard Contractual Clauses (SCCs).

The attorney-client privilege in the United States refers to a judicially recognized ability for a client to refuse to disclose (and to prevent their attorney from disclosing) confidential communications made for the purpose of facilitating legal services. The privilege typically extends to communications between a client and their attorney, between an attorney and the attorney’s representative (e.g., paralegal), or between two parties that share a common legal interest.[1] Four elements are required to establish the existence of the attorney-client privilege:

(1) A communication

(2) made between privileged persons

(3) in confidence

(4) for the purpose of seeking, obtaining, or providing legal assistance to the client.[2]

Companies may create Transfer Impact Assessments (TIA) for different purposes. One of the primary reasons a data importer might create a TIA is to satisfy its contractual warranty under the SCCs  to make “best efforts to provide the data exporter with the relevant information” to complete an assessment of the laws of the destination country,[3] and the parties’ joint agreement to “document the assessment . . . and make it available to the competent supervisory authority on request.”[4]

While U.S. courts have not had occasion to determine whether one (or both) parties to a SCC can claim that a TIA is subject to the attorney client privilege, the elements for establishing the privilege are likely to be challenged on the following grounds: [5]

Element (2): made between privileged persons. The SCCs require that a data importer warrant that it has “made its best efforts to provide the data exporter with the relevant information” to complete a transfer impact assessment.[6] To the extent that a TIA is sent from the data importer to the data exporter to satisfy that contractual requirement, it may be difficult to argue that the importer and the exporter should be viewed as “privileged persons” under U.S. law. The parties may choose to argue that the TIA was protected from waiver of the attorney-client privilege and work product doctrine by a common legal interest, i.e., (1) the parties share a common interest; (2) the disclosing party had a reasonable expectation of confidentiality; and (3) the disclosure is reasonably necessary. This may be a challenging claim to make in jurisdictions that require a pending or threatened litigation for the common interest doctrine to apply.

Element (3): in confidence. The SCCs require that their assessment of the destination countries’ laws be documented and made “available to the competent supervisory authority on request.” As a TIA must be produced to a government regulator, a question arises whether the parties anticipate that the TIA will remain “in confidence” if the intent is to be able to prove to a regulatory authority that the destination country assessment was complete and accurate. [7]

Element (4): for the purpose of seeking, obtaining, or providing legal assistance to the client. When determining if the primary purpose of a communication was to seek legal advice, courts often ask whether the communication would have been sent “but for” the fact that legal advice was sought.[8]  If a communication “would have been made in all events, the communication will generally not be privilege protected.”[9] Given that the parties are contractually obligated to “document the assessment [of the impact of the transfer]” under the SCC, a court may view the communication’s primary purpose as fulfilling a contractual obligation and not to provide legal assistance.

While it is doubtful that a TIA that is created for the purposes of demonstrating compliance with the SCCs would be afforded attorney-client privilege protection, it is possible that TIAs created in other contexts (e.g., a client seeking legal advice from their attorney to determine their own risk relating to a transfer) might be afforded privilege protection.


[1] See Proposed Rule 503(b), Rules of Evidence for United States Courts and Magistrates, 56 F.R.D. 183 (1972). Note that while the proposed rule was never adopted it is often cited by courts as an accurate codification of the common law privilege.

[2] Edna Epstein, The Attorney-Client Privilege and the Work-Product Doctrine (6th Ed. ABA) at 85.

[3] New Standard Contractual Clauses (all Modules) Clause 14(c).

[4] New Standard Contractual Clauses (all Modules) Clause 14(d).

[5] Edna Epstein, The Attorney-Client Privilege and the Work-Product Doctrine (6th Ed. ABA) at 85.

[6] New Standard Contractual Clauses (all Modules) Clause 14(c).

[7] New Standard Contractual Clauses (all Modules) Clause 14(d).

[8] Edna Epstein, The Attorney-Client Privilege and the Work-Product Doctrine (6th Ed. ABA) at 426.

[9] Edna Epstein, The Attorney-Client Privilege and the Work-Product Doctrine (6th Ed. ABA) at 426.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David A. Zetoony David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

Photo of Jena M. Valdetero Jena M. Valdetero

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against…

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on privacy and cyber risks associated with mergers and acquisitions, venture capital, and securities. Jena also advises a diverse array of clients on compliance with existing and emerging privacy laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Gramm Leach Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). She is a certified privacy professional through the International Association of Privacy Professionals (CIPP/US), for which she is a former KnowledgeNet Co-Chair.