Transfer Impact Assessments: the CNIL is seeking public input on its TIA guide

On January 8, 2024, the CNIL launched a public consultation on a draft guide (Draft Guide) covering Transfer Impact Assessments (TIA). Under GDPR, as interpreted by the Court of Justice of the European Union (CJEU) and European data protection authorities, any transfer of personal data outside the European Economic Area (EEA) is subject to prior assessment by exporters to ensure that a level of protection equivalent to that afforded within the EEA is guaranteed. The Draft Guide, primarily based on the suggestions of the European Data Protection Board (EDPB), aims to assist organizations in complying with these transfer regulations. The Draft Guide proposes standardized documents and is open for public feedback until February 12, 2024. Although there have been improvements on the data transfer front with the Data Privacy Framework, the CNIL reminds us that the requirement for completing Transfer Impact Assessments remains unchanged and must be strictly followed.

Why conduct a TIA?

Under GDPR, personal data transfers outside the EEA are only permissible if the target country provides an equivalent level of protection to that in the EEA. The ever-growing number of international data transfers, driven by technological advancements and the extensive use of cloud solutions, makes understanding the need for TIAs essential. The country of destination or, as the case may be, the organization located in such country, may be covered by an adequacy decision issued by the European Commission, in which case exporters may carry out the transfer without implementing further guarantees. Otherwise, exporters should rely on other personal data transfer mechanisms provided by Chapter V of the GDPR, including the standard contractual clauses (SCCs).

On July 16, 2020, the Schrems II ruling invalidated the Privacy Shield (the adequacy decision for the United States) while validating the use of SCCs. The CJEU emphasized that companies that transmit data outside the EEA have the responsibility to evaluate the degree of protection offered by the receiving country and to establish appropriate measures to ensure data security. Following this ruling, the European Commission issued new SCCs taking into account the interpretation of the CJEU and the necessity to assess the legislation of the country of destination.

From now on, in the absence of an adequacy decision or applicable derogation, exporters must carry out a TIA before transferring personal data to a third country.

How do you conduct such a TIA?

TIAs allow data exporters to assess whether the level of protection provided in the country of destination is equivalent to the European Union standard and, if not, whether supplementary measures could be implemented to reach that standard.

On June 18, 2021, the EDPB issued its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, to help exporters assess legislation in third countries and identify appropriate supplementary measures.

In accordance with the EDPB, the CNIL reminds exporters of the methodology to use and outlines the six steps involved in performing a TIA:

  1. Know your transfer;
  2. Document the transfer tool used;
  3. Evaluate the legislation and practices in the country of destination and the effectiveness of the transfer tool;
  4. Identify and adopt supplementary measures;
  5. Implement the supplementary measures and the necessary procedural steps;
  6. Re-evaluate at appropriate intervals the level of protection afforded to personal data and monitor potential developments that may affect it.

For each step, the CNIL provides organizations with templates to help them document their assessment of the legislation in question. Such assessments can indeed be time-consuming and costly for some exporters, who may not have the dedicated resources to carry out this often complex evaluation of foreign legislation.

With this public consultation, the CNIL is seeking input from organizations dealing with personal data transfers outside the EEA. The aim is to enable the authority to better understand the needs of these organizations, and to provide them with tools that make it as easy as possible for them to meet their obligations.

Despite improvements brought by the Data Privacy Framework, the CNIL underscores the importance of adhering to the existing requirement for completing Transfer Impact Assessments, reminding us that this obligation remains unchanged and must be strictly followed.

The public consultation will end on February 12, 2024, and the guide will be published later in the year.

Please follow this link to participate in the public consultation (available in English).


Authored by Charlotte Haddad, Remy Schlich, and Camille Schu.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.
