France DPA Releases Draft Guidelines on International Data Transfer Impact Assessments

On January 8, 2024, France’s Data Protection Authority, the CNIL, published a draft guideline  for transfer impact assessments (TIA) to help organizations that transfer personal data outside the European Economic Area (EEA), which is now open for public consultation until February 12, 2024. 

The aim of the guide, as stated in its introduction, is to offer “a methodology, a checklist, which identifies various elements to be considered when carrying out a TIA.” to give “indications on how the analysis can be carried out by following the six steps set out in EDPB’s recommendations,” and to point “to the relevant documentation.”

It is organized into six steps that your organization can follow in order to carry out a TIA, and for your organization to determine whether a TIA is necessary or not, the guidelines offer five questions, as follows: 

1. Is the data in question personal data?
2. Is there a transfer of personal data?
3. What is the qualification of the actors implicated?
4. Does the transfer comply with all the principles of the GDPR, and, in particular, can you minimize the amount of personal data transferred or transfer anonymised data rather than personal data?
5. Can your data be transferred to a country that has been recognised by the European Commission as offering an adequate level of protection?

Following these initial five questions, if you determine the need to transfer personal data to a country without an adequacy decision, you can follow the following steps: 

1. Know your transfer: this step enables the exporter to describe the transfer so that its characteristics and sensitivity can be considered in the assessment.
2. Document the transfer tool used: this step involves documenting the tool that will be used for the transfer and the analysis concluding whether or not a TIA is required for it. 
   

   A transfer may be based on

   • an adequacy decision by the European Commission; 
   • one of the transfer tools listed in Article 46 of the GDPR; or 
   • a derogation in accordance with Article 49 of the GDPR. With regards to the latter, it should be recalled, as underlined in the EDPB recommendations on supplementary measures, that "only in some cases you may be able to rely on one of the derogations provided for in Article 49 GDPR if you meet the conditions. Derogations cannot become “the rule” in practice, but need to be restricted to specific situations".

   Keep in mind that conducting a TIA is required only when one of the tools of Article 46 is used.

   
   
3. Evaluate the legislation and practices in the country of destination of the data and the effectiveness of the transfer tool: this enables the exporter to assess the legislation and practices in the country of destination of the data and to identify whether there are any factors that could impinge on the effectiveness of the guarantees provided by the transfer tool used (step 2). 
4. Identify and adopt supplementary measures: consists of identifying the existing security measures (technical, contractual, and organizational) that ensure a sufficient level of data protection in the third country, considering the transfer (step 1) and the assessment of the third country's legislation and practices (step 3). If these measures are not satisfactory, the exporter identifies the supplementary measures that need to be implemented to ensure that the data transferred enjoys a level of protection in the third country that is substantially equivalent to that afforded within the EEA.
5. Implement the supplementary measures and the necessary procedural steps: contains a model action plan for the operational implementation of the additional measures identified in step 4.
6. Re-evaluate at appropriate interval the level of data protection and monitor potential developments that may affect it: allows the exporter to anticipate future reassessments of the transfer.

For each of the six steps outlined above, the guide offers a table that you can fill out in order to organize your transfer impact assessment process. The public consultation process will end on February 12, 2024, and the CNIL has stated that it “would like to give as many people as possible the opportunity to take part in this public consultation, whether they are natural persons or legal entities, public or private actors. In particular, the CNIL wishes to mobilize all players who transfer data outside the EEA whether they have already carried out Transfer Impact Assessments or not.” Stakeholders can submit their comments on the CNIL’s official website, by accessing the webform Public Consultation: Transfer Impact Assessment (TIA) Guide.