The draft guide is published in the context of a public consultation, and organisations have one month to submit their observations to the CNIL. This article walks you through the context in which the CNIL publishes this guide, its content and the key takeaways.
The General Data Protection Regulation ("GDPR") aims at ensuring an equivalent level of protection of personal data throughout the European Union ("EU") by imposing a regulatory framework that applies to all processing carried out within the EU or relating to individuals located in the EU.
Some companies may transfer personal data outside the EU as part of their activities, for example by using service providers located in third countries, by using cloud services, or by communicating personal data to a parent company or subsidiaries. This raises the question of the protection of personal data transferred outside the EU, to countries that do not have the same legislation as the EU.
Under the GDPR, personal data transferred outside the EU must continue to benefit from a level of protection equivalent to that afforded by the GDPR within the EU. This is the case, for example, when personal data is transferred to a country benefiting from an adequacy decision, i.e. a country recognised by the European Commission as offering an adequate level of protection, so that the transfer does not require the implementation of additional measures.
In the absence of an adequacy decision, the data exporter, whether acting as a controller or a processor, must compensate for the lack of equivalent protection in the third country receiving the personal data by providing appropriate safeguards under Article 46 of the GDPR (Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), etc.).
In its "Schrems II" judgment of 16 July 2020, the Court of Justice of the European Union (CJEU) held that, although standard contractual clauses remain a valid transfer tool, they cannot on their own guarantee effective protection of personal data: being contractual in nature, they bind only the parties to the contract and not the public authorities of the third country.
As a consequence, the CJEU ruled that, in addition to implementing the appropriate safeguards, the data exporter must (i) verify whether the legislation of the third country receiving the personal data offers a level of protection that is essentially equivalent to that guaranteed in the EU and (ii) where necessary, determine and adopt the supplementary measures needed to reach that level.
In order to fulfil this obligation, and where the transfer of personal data is based on a transfer tool listed under Article 46 of the GDPR, the data exporter, in collaboration with the data importer, must carry out a data transfer impact assessment (also referred to as a “TIA”).
The European Data Protection Board (EDPB) already published, in June 2021, its recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. These recommendations detail the different steps to be followed by the data exporter when carrying out a TIA and provide information on the supplementary measures that can be implemented and on their effectiveness.
Up until now, organisations have essentially relied on these recommendations, together with Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, to carry out their TIAs.
It is in this context that the CNIL decided to draft its own practical guide to, in its own words, "help data exporters carry out their TIAs".
At this stage, the CNIL is publishing a draft guide for public consultation until February 12, 2024. Publication of the definitive guide is scheduled for 2024.
The guide is intended as a methodology that data exporters can follow to carry out a TIA.
It should be noted that the CNIL relied heavily on the EDPB recommendations when drafting this guide. Nevertheless, the guide is intended to be more practical than the EDPB recommendations, since it includes a TIA template that data exporters can use as is. The template takes the form of a table to be completed, with boxes to be ticked, which gathers and reorganises the different steps and elements mentioned by the EDPB in its recommendations.
The guide includes a first part dedicated to the questions to be asked in order to determine whether a TIA is necessary:
The guide then provides a TIA template based on the six steps mentioned by the EDPB for carrying out a TIA, which are as follows:
The compilation of the different steps and information provided by the EDPB in its recommendations, in the form of a table listing all the elements that must be included in a TIA, appears to be useful and practical for data exporters.
Some elements are worth noting:
The CNIL takes a notably strict view of the data importer's duty to cooperate with the data exporter in carrying out the TIA when the importer is acting as a processor. The CNIL states that "In the context of a relationship between a controller and a processor, the transmission of this information to the controller by the processor is part of the latter's obligations under Article 28 of the GDPR, and in particular Article 28(3)(h)". The CNIL also considers that "the transmission by the importing processor of a simple conclusion or an executive summary of its assessment, without the provision of concrete information on the legislation of the third country and the practices of the authorities, as well as on the circumstances of the transfer, does not enable the processor to fulfil its obligations under Article 28 of the RGPD". This rigorous interpretation of Article 28 of the GDPR requires the importing processor to be substantially involved, since it must provide concrete information on the legislation of the third country and on the practices of its authorities.
This practical guide, which is still awaiting final publication in 2024, is not binding but constitutes a tool to help organisations comply with TIA requirements.
The CNIL's draft practical guide is available in French and in English. Organisations have until February 12, 2024 to submit their comments.
If you have any questions, please contact Willy Mikalef (Partner) and Julie Verdure (Associate).