Ensuring GDPR Compliance on International Transfers of EU Data
If your U.S.-based company collects or otherwise has access to the personal data of European residents, you may be asked by your European clients or U.S.-based clients who give you access to such data to complete a “Schrems” questionnaire to assess potential exposure to U.S. surveillance and other laws, such as FISA 702 or EO 12333. The purpose of this request is to enable the completion of a Transfer Impact Assessment (TIA).
TIAs are a relatively new obligation in the world of privacy, arising out of clause 14 of the new standard contractual clauses (SCC) published by the European Commission in June 2021. As previously discussed, the new SCCs are one of several EU-approved mechanisms for lawfully transferring EU personal data outside the European Economic Area (EEA). Following the invalidation of the U.S.-EU Privacy Shield in July 2020, EU data exporters and U.S.-based data importers have favored use of the new SCCs to validate their international data transfers.
What is a Transfer Impact Assessment?
TIAs help to identify potential risks to EU data, including possible access by non-EEA government authorities, primarily by analyzing the laws of the non-EEA country in question to determine if any of its government agencies have the legal right to access the personal data of EU residents being received by companies within its jurisdiction. Often, the TIA is conducted after the completion of a questionnaire (a/k/a “Schrems” questionnaire) which is generated by the EU-based data exporter and answered by the non-EEA data importer. A TIA must be performed prior to exporting any EU data outside the EEA for every processing activity undertaken by or on behalf of a data exporter.
How to Conduct a TIA
Although the GDPR does not specifically list the factors which should be considered when conducting a TIA, nor does it provide specific guidelines for drafting a TIA, the European Data Protection Board (EDPB), which is composed of representatives of the 27 EU national data protection authorities, has provided guidance. The following 6-step analysis is based on this guidance and is designed to guide the assessment, which again, must be conducted prior to the transfer.
- Describe the intended transfer of personal data
To which country will the data be transferred? Who is receiving the data, and in what context will they be accessing it? What categories of data subjects are concerned? Will sensitive personal data, such as health data, be transferred?
- Define the transfer tools to be relied upon
Consider the start date of the intended transfer, its duration, the laws that need to be taken into account in the destination country, etc.
- Describe and assess the safeguards that will be implemented
Consider all technological, contractual and organizational protective measures in place. In the case of international data transfers, assess whether or not these measures will be effective vis-à-vis the national laws and regulations of the country where the data is to be exported. In other words, will third parties (e.g. government agencies) have a legal basis to access the transferred personal data?
- If necessary, describe any supplementary measures being adopted
If the above assessment reveals risk to the data, supplementary measures may be added, such as pseudonymizing the data, using a hosting service provider in a third country to store personal data, etc1.
- Perform a risk assessment
The analysis should end with an assessment of whether or not the intended transfer of personal data to a third country represents an acceptable level of risk.
- Re-evaluate at appropriate intervals
Regularly monitor legal developments in the country where the personal data is transferred in order to ensure that the security levels for the data remain adequate.
In summary, a TIA requires a thorough analysis of all applicable laws and regulations in order to understand the risks, both real and hypothetical, that could threaten the security of EU personal data to be transferred outside the EEA. Given its role in GDPR compliance, the TIA should be done in written form in order to provide evidence of its completion.
Impact on U.S. companies
While the obligation to complete a TIA rests with the data exporter, U.S. data importers are obliged to assist with this analysis since the GDPR explicitly requires data processors to assist data controllers with their own GDPR compliance. The SCCs impose a similar responsibility on U.S.-based data importers towards their customers/data exporters.
Moreover, since U.S. data importers are typically more familiar with any applicable U.S. laws than EU-based data exporters may be, it is in their best interests to assist data exporters in performing TIAs. By helping EU-based clients understand U.S. laws and any available safeguards for protecting EU personal data from access by U.S. authorities, U.S.-based importers send a clear message regarding their commitment to the success of their business relationships.
If you are asked to complete, or assist with the completion of, a TIA or “Schrems” questionnaire, a privacy professional who is intimately familiar with the laws governing personal data in both the EU and U.S. can help guide you through each step of the analysis process. If you have questions about a TIA or your compliance obligations as an importer of EU personal data, please contact Stephan Grynwajc for more information or assistance. Stephan can be reached at [email protected] or 347-543-3035.
Stephan Grynwajc is admitted to the practice of law in the U.S., Canada, U.K. and in France/the European Union. He has served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU, UK and Canadian legal and regulatory landscape.
1 For more example of such supplementary measures, please refer to Annex 2 of the EDPB Recommendations 01/2020.
This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances not an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.