On January 8, 2024, the French Data Protection Authority (the “CNIL”) opened a consultation on its draft guidance for the use of transfer impact assessments (“Guidance”). In describing the Guidance, the CNIL references the decision of the Court of Justice of the European Union in Schrems II and states that exporters relying on tools listed in Article 46(2) and Article 46(3) of the EU General Data Protection Regulation (“GDPR”) for personal data transfers are required to assess the level of protection in the designated third country and the need to put in place additional safeguards (i.e., conduct a transfer impact assessment (“TIA”)). The Guidance is intended to assist data exporters in carrying out TIAs.
The draft Guidance is a methodology that identifies various elements to be considered when conducting a TIA. It does not constitute an evaluation of the laws and practices of any third countries or any risks related thereto. The Guidance includes the following six steps:
- Know your transfer.
- Document the transfer tool used.
- Evaluate the legislation and practices in the designated country of the data and the effectiveness of the transfer tool.
- Identify and adopt supplementary measures.
- Implement the supplementary measures and the necessary procedural steps.
- Re-evaluate at appropriate intervals the level of data protection and monitor potential developments that may affect it.
The consultation will end on February 12, 2024. The CNIL will then review all submitted responses and intends to publish the final guidance in 2024.