The Transfer Impact Assessment (TIA) is a relatively new addition to the data protection toolkit. It is not to be found in the GDPR but is a development rooted in court decisions and administrative practices. It aims to clarify the risk the recipient of personal data in a third country may be forced by the applicable law to violate their data protection obligations.
In its Schrems II ruling, the European Court of Justice (ECJ) made very clear that when Standard Contractual Clauses (SCC) are used as a data transfer tool, every transfer must still be assessed to find out whether the personal data transferred will be adequately protected in practice. Or, to be blunt: if adequate data protection happens just on paper or also in reality. This idea has found its way into the version of the SCC, Art 14.
To this end, the Transfer Impact Assessment should
- describe the details of the data transfer at hand, including the type of data transferred and how sensitive they are,
- identify the legal and administrative landscape in the recipient country, in particular assessing the risk of third parties such as intelligence services and law enforcement gaining access to the data transferred,
- identify and access existing data protection measures, such as encryption, and finally
- assess the risk of the transfer by weighing the factors found.
Consequently, seriously looking on Standard Contractual Clauses which were agreed between European an US counterparts to comply with GDPR law has to yield the result that the vast majority of SCCs will not pass the Transfer Impact Assessment and hence leads to non-compliance with European law.