The extra-territorial effect of the GDPR (both EU and UK) provides that the rules protecting personal data in the EU apply regardless of where personal data is being processed. EU and UK citizens and residents can therefore be sure that they enjoy the same level of data protection regardless of the nationality or establishment of the individuals or companies they interact with. However, the extra-territorial effect of the GDPR has its limits, and additional mechanisms are put in place to ensure that certain data protection standards are guaranteed to be applied regardless of the differences that may exist between privacy regimes at the international level.
The most widely recognised mechanism for transferring personal data is an Adequacy Decision, a European Commission Decision by means of which a certain country’s legal regime is evaluated as offering a level of data protection that is equivalent to that of the EU. In this case, personal data transfers are permitted without further safeguards. When no Adequacy Decision is in place, other mechanisms can be employed to raise the level of protection afforded to the transferred personal data, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules, or other ad hoc mechanisms such as the consent of the individual.
Why are Transfer Impact Assessments relevant?
The Court of Justice of the European Union (CJEU) ruled in Schrems II that a company intending to transfer data to a third country should conduct a case-by-case assessment of the laws and practices of the third country in order for data exporters to verify what security measures and safeguards are being implemented by the third country (Schrems II, para 134, 146). More specifically, Transfer Impact Assessments aim to assess:
- the relevant aspects of the legal system of the third country to which personal data are transferred and the possibility of public authorities of that third country having access to that data; and
- the relevant cooperation mechanisms, under which data subjects will be able to enjoy effective and enforceable rights and effective administrative and judicial redress.
The EDPB has placed emphasis on the thorough examination of practices by third country public authorities to ascertain whether such practices can hinder the efficacy of the SCCs. The rationale behind the Court’s decision to introduce TIAs is that while SCCs bind data exporters and data importers in relation to data processing, they do not prevent public authorities from gaining access to the data transferred. An example is third country legislation permitting government agencies or public authorities to gain access to any data transferred by EU entities. Such legislation has been termed ‘problematic legislation’ by the EDPB. Problematic legislation is legislation that
- imposes on the recipient of personal data from the European Union obligations and/or affects the data transferred in a manner that may impinge on the transfer tools’ contractual guarantee of an essentially equivalent level of protection, and
- does not respect the essence of the fundamental rights and freedoms recognised by the EU Charter of Fundamental Rights or exceeds what is necessary and proportionate in a democratic society to safeguard one of the important objectives as also recognised in Union or EU Member States’ law, such as those listed in Article 23(1) GDPR.
Apart from problematic legislation, a TIA is also useful in order to assess the effectiveness of judicial redress mechanisms in case personal data is unlawfully accessed by law enforcement agencies (LEAs) or other government agencies.
A further debate has arisen on the topic of whether TIAs should follow a risk-based approach. It seems that while the EDPB argues to the contrary, the European Commission’s approach tends to favour a risk-based method in order to assess whether a transfer should be executed or not.
More specifically, those transferring data should take account of the realistic risks, the subjective factors and the practical experience which will indicate the risks involved in transferring personal data to third countries. There should be a specific focus on whether the data importer has received requests for disclosure of data from public authorities of the third country.
As a Data Protection Officer (DPO), you can assess the level of data protection in the country to which you plan to transfer personal data by evaluating the country’s legislation that may hinder your transfer. For instance:
- if you are transferring children’s data, laws or regulations of the third country protecting children will be relevant to your transfer;
- you may want to establish the level of access that the recipient country’s public authorities have to the data you are transferring, by examining the country’s laws on surveillance. The EDPB’s Recommendations on the European Essential Guarantees for surveillance measures can be useful for comparing the third country’s level of protection to the equivalent European standards.
In addition, the following factors should be assessed in a transfer impact assessment (following a risk-based approach):
- the type of data involved in the transfer;
- the confidentiality and availability of the data which could potentially be disclosed or accessed;
- the transparency under which data is being transferred; and
- the existence of judicial redress mechanisms for data subjects.
Although assessing the equivalent safeguards of data protection in a third country is not a novel addition to the data protection landscape, the requirement to conduct such an assessment prior to data transfers has become more demanding due to the increasing availability of data as well as the ease of transfers.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations to make lawful data transfers using SCCs and conducting TIAs. For more information, please feel free to contact our advisers, who would be more than happy to help.