Transfers of personal data outside the European Union: the French Data Protection Authority (CNIL) publishes a draft practical guide to carry out a Transfer Impact Assessment

The draft guide is published in the context of a public consultation. Organisations have one month to submit their observations to the CNIL. This article walks you through the context in which the CNIL publishes this guide, its content and the key takeaways.

Why is the CNIL publishing this practical guide?

The General Data Protection Regulation ("GDPR") aims to ensure an equivalent level of protection for personal data within the European Union ("EU") by imposing a regulatory framework which applies to all processing carried out within the EU or relating to individuals residing in the EU.

Some companies may transfer personal data outside the EU as part of their activities, for example by using service providers located in third countries, by using cloud services, or by communicating personal data to a parent company or subsidiaries. This raises the question of the protection of personal data transferred outside the EU, to countries that do not have the same legislation as the EU.

Under the GDPR, personal data transferred outside the EU must be afforded the same level of protection as the GDPR guarantees within the EU. This is the case, for example, when personal data is transferred to a country benefiting from an adequacy decision, i.e. a country recognised by the European Commission as offering an adequate level of protection, so that no additional measures are required.

In the absence of an adequacy decision, the data exporter, whether acting as a controller or a processor, must implement measures to compensate for the lack of data protection in the third country receiving the personal data, by providing appropriate safeguards (Binding Corporate Rules (BCR), Standard Contractual Clauses (SCCs), etc.).

In its "Schrems II" judgment of 16 July 2020, the Court of Justice of the European Union (CJEU) ruled that standard contractual clauses alone were insufficient to ensure effective protection of personal data, as, being contractual in nature, they do not bind the authorities of third countries.

As a consequence, the CJEU ruled that the data exporter must (i) verify whether the legislation of the third country receiving the personal data offers a level of protection that is essentially equivalent to that guaranteed in the EU and (ii) determine the appropriate additional measures where necessary, in addition to implementing the appropriate safeguards.

In order to fulfil this obligation, and where the transfer of personal data is based on a transfer tool listed under Article 46 of the GDPR, the data exporter, in collaboration with the data importer, must carry out a data transfer impact assessment (also referred to as a “TIA”).

The European Data Protection Board (EDPB) has already published, in June 2021, its recommendations on measures to supplement transfer tools to ensure compliance with the EU level of personal data protection in which the EDPB details the different steps to be followed by the data exporter when carrying out a TIA and provides information on the supplementary measures that can be implemented and their effectiveness.

Up until now, organisations have essentially relied on these recommendations and on the recommendations 02/2020 on essential European safeguards for surveillance measures to carry out TIAs.

It is in this context that the CNIL decided to draft its own practical guide to, in its own words, "help data exporters carry out their TIAs".

At this stage, the CNIL is publishing a draft guide for public consultation until February 12, 2024. Publication of the definitive guide is scheduled for 2024.

What does this guide contain?

This guide is intended as a methodology that data exporters can follow to carry out a TIA.

It should be noted that the CNIL relied heavily on the EDPB recommendations when drafting this guide. Nevertheless, the guide is intended to be more practical than the EDPB recommendations, since it includes a TIA template that data exporters can use as is. The template takes the form of a table to be completed, including boxes to be ticked, which incorporates and reorganises the different steps and elements set out by the EDPB in its recommendations.

The guide includes a first part dedicated to the questions to be asked in order to determine whether a TIA is necessary:

  • Is the data in question personal data?
  • Is there a transfer of personal data?
  • What is the qualification of the actors involved (controller, processor)?
  • Does the transfer comply with all the principles of the GDPR and, in particular, can you minimise the amount of personal data transferred or transfer anonymised data rather than personal data?
  • Can your data be transferred to a country that has been recognised by the European Commission as offering an adequate level of protection?

The guide then provides a TIA template based on the six steps mentioned by the EDPB for carrying out a TIA, which are as follows:

  1. Know your transfer
  2. Document the transfer tool used
  3. Evaluate the legislation and practices in the country of destination of the data and the effectiveness of the transfer tool
  4. Identify and adopt supplementary measures
  5. Implement the supplementary measures and the necessary procedural steps
  6. Re-evaluate at appropriate intervals the level of data protection and monitor potential developments that may affect it.

The compilation of the different steps and information provided by the EDPB in its recommendations, in the form of a table listing all the elements that must be included in a TIA, appears to be useful and practical for data exporters.

What are the key takeaways of this guide?

Some elements are worth noting:

  • This guide does not constitute or contain, and is not intended to contain, an assessment of the legislation and practices of third countries. The CNIL therefore does not take a position on the level of personal data protection afforded by countries outside the EU, leaving it up to organisations to assess the legislation and practices of third countries.
  • The template includes a section dedicated to the transfer tools used, which corresponds to step 2 of the TIA as also listed by the EDPB. As stated by both the EDPB and the CNIL, a TIA is not required when the recipient country benefits from an adequacy decision. However, with this template, which is a TIA template, it seems that the data exporter should complete step 1 (know your transfer) and step 2 (document the transfer tool used) for all transfers carried out, regardless of the transfer tool. In this respect, the CNIL's requirements seem to go beyond the EDPB's requirements.

    If this draft guide is adopted as is, organisations that do not carry out TIAs for transfers to countries benefiting from an adequacy decision (and rightly so) will have to review their compliance strategy if they wish to align themselves with the CNIL's more stringent requirements.
  • If onward transfers are carried out by the data importer, the CNIL considers that a specific TIA should be carried out for each type of onward transfer. The EDPB recommendations are less precise on this particular topic, since the EDPB merely states that "When mapping transfers, do not forget to also take into account onward transfers". Covering the initial transfer and onward transfers within the same TIA therefore does not seem to be the CNIL's recommendation. A separate document will have to be prepared for each onward transfer, which increases the burden on the data exporter beyond what is described in the EDPB recommendations.

  • The CNIL also increases the role and obligations of the data importer, particularly when it is acting as a processor. In its Schrems II judgment, the CJEU ruled that the "controller or processor [must] verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law [...]". The data importer may be a data controller or a data processor. The CNIL is demanding of the data importer, indicating that the importer's cooperation is essential for the TIA to be carried out.

    The CNIL has a much stricter interpretation of this duty to cooperate when the data importer is acting as a processor. The CNIL states that "In the context of a relationship between a controller and a processor, the transmission of this information to the controller by the processor is part of the latter's obligations under Article 28 of the GDPR, and in particular Article 28(3)(h)". The CNIL also considers that "the transmission by the importing processor of a simple conclusion or an executive summary of its assessment, without the provision of concrete information on the legislation of the third country and the practices of the authorities, as well as on the circumstances of the transfer, does not enable the processor to fulfil its obligations under Article 28 of the RGPD". This rigorous interpretation of Article 28 of the GDPR requires the importing processor to be significantly involved, as it must provide concrete information on the legislation of the third country and the practices of its authorities.

This practical guide, whose final publication is expected in 2024, is not mandatory but constitutes a tool to help organisations comply with TIA requirements.

The CNIL's draft practical guide is available in French and in English. Organisations have until February 12, 2024 to submit their comments.

If you have any questions, please contact Willy Mikalef (Partner) and Julie Verdure (Associate).
