The Court of Justice of the European Union’s (CJEU) Schrems II decision clarified strict rules for personal data transfers outside of the European Union. The European Data Protection Board (EDPB) followed up with recommendations setting out its expectations on what the Schrems II decision meant for carrying out a data transfer impact assessment (TIA) for Article 46 GDPR instruments. The French data protection authority (CNIL) has recently followed up with its own step-by-step guidance on TIAs. This guidance, published in French and English, aims to provide practical assistance to data exporters and is based on the EDPB’s previous recommendations.
The guidance includes tables to collate key information and sets out a process to determine if a TIA is necessary and then provides step-by-step information summarising the EDPB’s recommendations on how to carry out the impact assessment. It makes some unwelcome comments in relation to the involvement of importers in the TIA process and the need to undertake TIAs on downstream onward transferees.
It is currently in a consultation phase, with the consultation due to close on 12 February 2024 and the final guidance expected later in the year.
When is a TIA required?
Article 44 GDPR places restrictions on transfers of personal data outside the European Economic Area (EEA).
Where the EU Commission has made an “adequacy decision” in respect of a country, data can be transferred outside the EEA without additional safeguards to that country. A TIA is not required for transfers to jurisdictions with an adequacy decision in place, which include Israel, Argentina, and Switzerland. The Commission recently made a partial adequacy decision for transfers to the US under the EU-US Data Privacy Framework (DPF), meaning that a TIA is not required for transfers to recipients who have self-certified under the DPF.
For transfers to jurisdictions for which no adequacy decision is in place, Article 46 of the GDPR lists a series of transfer instruments or “appropriate safeguards” that exporters can rely on. These include binding corporate rules (BCRs) and standard data protection clauses adopted by the Commission, known as standard contractual clauses or SCCs.
The Schrems II decision clarified that the exporter must assess through a TIA whether the personal data transferred under the SCCs will benefit from an essentially equivalent level of protection in the importer’s hands in the importing jurisdiction. The EDPB has since clarified that it also expects this assessment for BCRs and other Article 46 tools. The CNIL is looking to help organisations navigate this assessment through its guide.
The CNIL clarifies that an exporter should carry out a TIA for transfers to jurisdictions with a partial adequacy decision that does not cover the data transferred, or only covers some of the data transferred. This applies for transfers to the US where the recipient has not signed up to the DPF.
A notable increase in the importer’s involvement
From step 3 onwards, the guide offers a comprehensive checklist to assess the laws and practices of the country to which the data is transferred, the effectiveness of the transfer tools, potential supplementary measures to be added and the associated procedural steps.
The CNIL shows a clear intention to involve the importer, i.e. the receiving party in the third country (who can be a controller or processor). The CNIL considers the importer’s cooperation to be essential, as they hold a lot of information required for the assessment. The CNIL provides questions for the data importer in step 3 and underlines that the process of identifying supplementary measures (step 4 of the guide) “should be undertaken with due diligence, in collaboration with the importer and must be documented”. The CNIL also emphasises the need for users of the guide to determine the roles of the parties involved in the transfer (controller, joint controller, or processor), “as it determines the allocation of responsibilities”.
This is a more stringent approach compared to the EDPB’s recommendations, which confine the collaboration of the importer to “where appropriate”. The EDPB’s wording implies that the data importer would possess essential information for the TIA without directly placing any duty on the importer, citing it only as one possible source of information. However, the EDPB does acknowledge that, in the Schrems II judgment, the CJEU made both the data exporter and the data importer responsible for assessing that the level of protection in third countries is compliant in practice with the level set by EU data protection law.
A strict approach for data processors
The CNIL takes a strict view of the obligations of processors in relation to the provision of information. It highlights that, in its reading of the GDPR, “in the context of a relationship between a controller and a processor, the transmission of this information to the controller by the processor is part of the latter’s obligations under Article 28 of the GDPR, and in particular Article 28(3)(h)”. This requires that data processor agreements include an obligation on the processor to make available to the controller all information necessary to demonstrate compliance with its GDPR obligations. The guidance does not suggest that expectations would differ for processors not subject to the GDPR.
This includes information on the legislation of the third country, the practices of the authorities and the circumstances of the transfer. The processor cannot limit its duty to the provision of “a simple conclusion or an executive summary of its assessment”. This may seek to discourage vendor processors from maintaining a policy of providing only high-level information to customers around their assessments.
Through the focus on this article of the GDPR and its interpretation, the CNIL seems to wish to remind readers of the central role of the processor in ensuring precise TIAs. Although this is only an optional methodology, it could still impact the CNIL’s decisions on whether personal data transfers comply with the GDPR.
A close-up on onward transfers
The CNIL’s draft guide includes a brief, but potentially impactful, comment on onward transfers. Under Article 44 of the GDPR, onward transfers refer to a transfer of personal data to another third country or international organisation, which occurs after the personal data has already been transferred to a data importer outside the EEA.
The EDPB’s recommendations leave room for interpretation on the scope of assessment that must be carried out for onward transfers, noting that “When mapping transfers, do not forget to also take into account onward transfers”. The CNIL, however, is more specific on this point in step 1 of its draft guide. One of the questions in this section asks about the possibility of onward transfers by the importer. Where onward transfers will take place, the guide notes that the exporter should “conduct a separate TIA dedicated to each onward transfer”.
As a result, the CNIL suggests that exporters will need to enquire whether any further transfers take place after the initial transfer, and act accordingly. If onward transfers will take place, then exporters will have to use one document for the initial transfer and then separate documents for each onward transfer (if following the process set out by the CNIL). This undoubtedly increases the data exporter’s burden while conducting TIAs.
This requirement may present practical challenges, as exporters are often unable to obtain much more than an assurance from importers or processors that the level of security and risk of access by the authorities in the third countries will not be worse than in previous transfers. As discussed above, this is an issue that the CNIL considers significant enough to address explicitly. At present, it may be challenging to obtain sufficient details to carry out assessments for onward transfers in all cases.
An optional methodology
The CNIL is clear on its intent for this guide. It is “a methodology, a checklist” identifying “various elements to be considered when carrying out a TIA”. It is a tool using the six steps set out in the EDPB’s recommendations to give indications on “how the analysis can be carried out […] and points to the relevant documentation”. Use of the guide is not obligatory, and other methodologies can be applied when conducting TIAs.
The CNIL’s draft guide is comprehensive and detailed. It offers some insight into the French authority’s strict interpretation of the analysis required for a TIA. It demonstrates an underlying goal of upholding EU data subjects’ rights, with less focus on providing a risk-based and business-friendly tool than authorities outside of the EU, for example the ICO.
As comprehensive step-by-step guidance on carrying out a TIA from an EU regulator, the guide, once finalised, will be a cautionary point of reference for organisations with EU GDPR obligations.
TIAs are no longer required for transfers to the US to DPF-certified recipients, but the CNIL has made it clear that it expects to see TIAs for transfers to the US that do not rely on the DPF, and TIAs continue to be required for transfers to other non-adequate third countries.
Exporters will have to ensure the collaboration of importers, particularly where their importers are data processors. Exporters can also flag to importers that the CNIL’s view is that their provision of information relating to the law enforcement laws and practices in their jurisdiction is a requirement under the GDPR.
The CNIL’s strict stance on the need to carry out a TIA for each onward transfer would be burdensome to comply with. The CNIL acknowledges some processors’ reluctance to provide comprehensive information on onward transfers. This area has the potential to create further TIA work where exporters have not undertaken TIAs to this level. The CNIL’s enforcement activity in this space coupled with the final text of the guidance should be monitored closely.
The consultation remains open until 12 February for organisations wishing to respond. The CNIL is likely to publish its final position later in the year.
Thanks to Laura Helloco for contributing towards this article.
CJEU, C-311/18 “Facebook Ireland and Schrems”, 16 July 2020, ECLI:EU:C:2020:559.
EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 18 June 2021.
CNIL, Draft practical guide, Transfer Impact Assessment, 8 January 2024.
GDPR, Article 46 “Transfers subject to appropriate safeguards”.
EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 18 June 2021, para. 22.
CNIL, Draft practical guide, Transfer Impact Assessment, 8 January 2024, p. 2.
CNIL, Draft practical guide, Transfer Impact Assessment, 8 January 2024, p. 14.
EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 18 June 2021, para. 30.
EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 18 June 2021, paras. 31, 39, 44, 45.
EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 18 June 2021, para. 1.5.
CNIL, Draft practical guide, Transfer Impact Assessment, 8 January 2024, p. 2.
GDPR, Article 28 “Processor”.
CNIL, Draft practical guide, Transfer Impact Assessment, 8 January 2024, p. 4.
GDPR, Article 44 “General principle for transfers”; Recital 101 “General Principles for International Data Transfers”.
EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 18 June 2021, para. 10.
CNIL, Draft practical guide, Transfer Impact Assessment, 8 January 2024, p. 7.
CNIL, Draft practical guide, Transfer Impact Assessment, 8 January 2024, para. 1.2.
ICO, TRA tool, November 2022, https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fico.org.uk%2Fmedia%2Ffor-organisations%2Fdocuments%2F4022639%2Ftransfer-risk-assessments-tool-202211.doc&wdOrigin=BROWSELINK