TIA Sample
for use under the EU General Data Protection Regulation (GDPR) and Swiss Data Protection Act (CH DPA), including for complying with the EU Standard Contractual Clauses (EU SCC)

See the notes at the end for more information on the scope and legal basis of this document. Read them in particular if you [...] obligations. Also consult the additional worksheets for more examples, infos and an illustration of the scenarios in which [...] text is mere sample text; the values and reasoning do not necessarily represent the author's opinion and are given for illustration.

Step 4: Assess the risk of prohibited lawful access in the target jurisdiction 9)
Country-specific! The following factors have been drafted for US law; amend as necessary for other jurisdictions.

[Step 4 table: only the column headings survived extraction; the assessment rows are not on the page.]
Probability of possibility of a (successful) request†† | Reasoning | Reasoning sample (you can delete this after use or if not used) | Hide with "x" | Decision support using the Delphi method: First Round P1 P2 P3 P4 P5 | after discussion P1 P2 P3 P4 P5 | to be used

Probability†
If necessary, attach documentation

In view of the above and the applicable data protection laws, the transfer is: [result]
Reassess at the latest by: [date]
Place, Date:
Signed:
By:
Note: Under the EU SCC, the TIA is to be adopted by both the data exporter and importer.

Scope of this TIA: This Transfer Impact Assessment should be used for assessing foreign lawful access risks only for the purposes of European data protection law, where foreign lawful access is not per se a problem, but only if it does not respect the essence of the fundamental rights and freedoms or exceeds what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of the GDPR. Accordingly, foreign lawful access requests that can be challenged before an independent and impartial court (in a European sense of the word) are permitted if they are regulated by law, are needed to safeguard the aforementioned objectives (such as prosecuting crimes), are undertaken in a proportionate manner and come with the possibility of the data subject getting legal redress. For instance, lawful access by way of the US CLOUD Act is in principle not an issue under European data protection law; in fact, it is in line with the Cybercrime Convention of the Council of Europe. That said, there may be cross-border transfers of data where any foreign lawful access is an issue, for example, where professional secrecy obligations apply. In such cases please use the spreadsheet "Cloud Computing: Risk Assessment of Lawful Access By Foreign Authorities", also from David Rosenthal, available at www.rosenthal.ch (https://bit.ly/2V9dj7V), which provides for a risk assessment also for these types of foreign lawful access. In turn, this TIA focuses on foreign lawful access where there is no possibility for recourse to an independent court, which is what has been the issue in the "Schrems II" decision by the European Court of Justice in its decision C-311/18 of July 16, 2020.

Legal Basis of this TIA: Art. 44 et seq. GDPR, Art. 6 Swiss Data Protection Act, Art. 16 et seq. revised Swiss Data Protection Act; Recommendation 01/2020 of the European Data Protection Board (Version 2.0 of June 18, 2021); Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (C(2021) 3972 final of June 4, 2021); Guide for checking the admissibility of data transfers with reference to foreign countries (Art. 6 para. 2 letter a FADP) of the Swiss Federal Data Protection and Information Commissioner dated June 18, 2021 (as amended on June 22, 2021).

† Example: If you believe that a particular legal argument will be found valid by three out of ten judges assessing the same case, the probability will be 30%. If you conclude that the argument is not valid, enter 0%. If you believe it will in any event be successful, put in 100%. If you don't know, put in 0%. Of course, nobody can predict the future, but this is also not necessary. For a TIA it is sufficient to undertake a diligent and professional predictive judgement following a proper protocol. To avoid noise and bias, we have already split up and structured the assessment in several independent parts. To further reduce noise and bias, ask several knowledgeable people to independently provide their assessment, then have them discuss their values, and then ask them to again provide their assessment. Use the average of the values each of them provided after the discussion (this is referred to as the "Delphi" method).

†† In line with the recommendations of the EDPB, we do not assess whether the access will actually occur or not (because they are not interested in the company XY or their employees). We assess the (objective) possibility of it occurring. A 100% possibility means that we have to expect that a lawful access under the relevant laws will occur during the period, but it may still not happen because the relevant authorities do not believe it makes sense to order the data importer to produce the data at issue given their specific tasks, projects, etc. which we don't know about.

††† These values correspond to the values in C50, C52 and C51 of the "Cloud Computing: Risk Assessment of Lawful Access By Foreign Authorities" spreadsheet (www.rosenthal.ch).

1) The data exporter is the party being subject to the GDPR or Swiss DPA who exports personal data to a non-whitelisted third country (e.g., the US). It has the same meaning as in the EU Standard Contractual Clauses (SCC). The data exporter can be a controller, joint controller, processor or sub-processor. It is not relevant whether the data exporter is itself in Europe, a whitelisted country or a non-whitelisted country. It will always be required under the EU SCC and GDPR or Swiss DPA to perform a TIA. If the TIA is performed for the purpose of assessing a relevant onward transfer, then the sender or originator of the relevant onward transfer is the "data exporter" for the purposes of this TIA.

2) The data importer is the party in a non-whitelisted country (e.g., the US) who receives personal data from a data exporter. The data importer can be a controller, joint controller, processor or sub-processor. It is the party with whom the data exporter will typically want to enter into the EU SCC (unless there are other grounds for the transfer). If the TIA is performed for the purpose of assessing a relevant onward transfer, then the recipient of the relevant onward transfer is the "data importer" for the purposes of this TIA.

3) Relevant onward transfers of personal data are onward transfers of personal data by a data importer to another party in a non-whitelisted country. If this other party is a processor or sub-processor, even if the data exporter has no direct contractual relationship with it, a separate TIA has to be performed for such relevant onward transfer if the recipient is in a non-whitelisted country, because such relevant onward transfer can, as well, expose the personal data at issue to the risk of prohibited foreign lawful access. Since this TIA can be made for only one country and one recipient at a time, fill out and perform multiple TIAs for each recipient of a relevant onward transfer.

4) We have seen that many people have difficulties in coming up with a percentage figure for a probability of an event at which they "have no reason to believe" that it will occur (which is the test under the EU SCC and the EDPB guidance for the residual risk of a prohibited foreign lawful access). We also found that people are more comfortable in assessing the probability of an event by expressing its probability of occurring in number of years ("an earthquake of this kind is to happen only once in 100 years on average"). We, therefore, use this concept to calculate the "permitted" residual risk in percent. Because we are not assessing earthquakes (which happen in any event) we have set the benchmark at a 50% chance of a lawful access occurring. You can also use another value, but we believe that if a lawful access has a 50:50 chance of occurring it has, in our view, become an unacceptable risk. If it, however, takes a long period of time (for example an additional 30 years after our assessment period) for the chances to rise to that level (at which a lawful access is still far from certain statistically), many will conclude that the risk of it happening in the first (for example) five years of our assessment period is rather theoretical. We then, based on a statistics formula, calculate the acceptable percentage value for our assessment period (which is then used in Step 4, if necessary).

5) You do not have to use our "50:50 chances" method of determining the maximum percentage for assessing the probability of lawful access that results from Step 4. If you wish, you can manually enter the percentage figure you think is still acceptable (thus overwriting the formula in the cell). The grey number on the right hand of the percentage figure will tell you what this will mean in terms of years when using our method. If you do not manually overwrite the percentage, you can ignore the grey number.

6) You will normally not need to care about this figure. It becomes necessary if the importer does not have a "defend your data" obligation, i.e. is not obliged to challenge lawful access requests in its own jurisdiction. In these cases, we use this figure to determine the probability of the authorities obeying the law even if their lawful access requests are not challenged by the importer (if the importer does challenge the lawful access request, a court or other authority will usually determine whether the legal prerequisites for the lawful access are met). A value of 50% means that in half of the cases the authorities may issue and try to enforce a lawful access request even if the requirements of law are not met. If that happens, the assessment in Step 4 becomes partially moot, because it is based on the assumption that a lawful access will be successful only if the prerequisites set forth by law are met. With this figure we take this uncertainty into account if the importer is expected not to make sure that lawful access requests are challenged.

7) This question is, in principle, not necessary for assessing the transfer. We have nevertheless included it because many data protection authorities will want to know whether the exporter has considered alternatives to transferring personal data into a non-whitelisted country and why they are not pursued. The response has no impact on the outcome of the assessment but is for mere documentary purposes.

8) This is relevant for assessing the exposure to lawful interception of Internet backbones using selectors (upstream monitoring of comm

9) In this section, we assess the probability of a foreign authority accessing the personal data in clear text in a manner that does not respect the essence of the fundamental rights and freedoms or exceeds what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of the GDPR. The analysis only has to assess provisions of the target jurisdiction that grant public authorities access to the personal data at issue and fail to, in essence, satisfy any of the following four requirements: (1) access is subject to the principle of legality, i.e. of clear, precise and accessible rules, (2) access is subject to the principle of proportionality, (3) there are effective means of legal redress for the data subjects to pursue their rights in the target jurisdiction in connection with an access to their personal data, and (4) any access is subject to legal recourse to an independent and impartial court (or other forms of independent recourse bodies). For example, in the US, access requests on the basis of Section 702 FISA (Foreign Intelligence Surveillance Act) and EO 12333 are considered not to fulfil in particular requirements (3) and (4). Hence, it has to be verified how probable it is that there may be access requests on the basis of these two legal grounds. If the probability is so low that the exporter has "no reason to believe" that such access will occur, the transfer is permitted as per the SCC, the GDPR and the CH DPA, even though the SCC or BCR as such would not provide protection against such requests. The analysis in this section shall be based on the law applicable in the target jurisdiction and the way it is applied by authorities and courts (including court decisions). The analysis may require obtaining a legal opinion or other forms of legal advice from counsel.

10) Consider all documented information on applicable legislation, case law, practices of authorities and past experience (including of the data importer, where available). You may want to ask the data importer the necessary questions (Clause 14(c) actually requires the data importer to provide "relevant information"). On this topic, see the EDPB Recommendations 01/2020 on supplementary measures (version 2.0 adopted on June 18, 2021, available at https://bit.ly/3rSv07O), NOYB's FAQ for companies (including forms to be sent to US providers, available at https://bit.ly/2Vozeb7), the Swiss Federal Data Protection and Information Commissioner's guidance (available at https://bit.ly/37bStHs), and private publications, such as, for example, Alan Charles Raul, "Why Schrems II Might Not Be a Problem for EU-U.S. Data Transfers", December 21, 2020, available at https://bit.ly/3qHNMy7, and a full paper from the same author at https://bit.ly/2V9veez with the follow-up post "Transferring EU Data To US After New Contractual Safeguards" of May 17, 2021, available at https://bit.ly/3l12oHZ.

11) Under U.S. law, the term "electronic communication service provider" (ECSP) is broadly understood under Section 702 FISA; it includes telcos, ISPs, email providers, cloud services and "any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored." This also covers social media providers and may even include all companies that otherwise provide their users with the ability to send or receive electronic communications; theoretically, this also includes companies that provide e-mail services to their employees (even if only for business purposes). NOYB provides a form to ask service providers whether they are ECSPs (https://bit.ly/3lgsTt5).

12) For a discussion of the term "possession, custody, or control" see, for example, Justin Hemmings, Sreenidhi Srinivasan, Peter Swire, Defining the Scope of "Possession, Custody, or Control" for Privacy Issues and the CLOUD Act, in: Journal of National Security Law & Policy, Vol. 10 No. 3 of January 23, 2020 (https://bit.ly/3i2xfC9). Control may exist either in the form of "legal control" (the right to request access to the data in a particular situation) or "day-to-day control" (the ability to access data in day-to-day business). See also Hogan Lovells' Demystifying the U.S. CLOUD Act: Assessing the law's compatibility with international norms and the GDPR of January 15, 2019 (https://bit.ly/3rLQfbp) with a summary of the standards of US law as to what amounts to "control".

13) According to Section 702, 50 U.S.C. 1881a(b), the US authorities "may not intentionally target" "any person known at the time of acquisition to be located in the United States" or "a United States person reasonably believed to be located outside the United States." A "United States person" (or "US person") is anybody who is (i) a citizen or national of the US, (ii) an alien lawfully admitted for permanent residence (e.g., green card holder), (iii) an unincorporated association with a substantial number of members who are citizens of the US or are aliens lawfully admitted for permanent residence or (iv) a corporation that is incorporated in the US (https://www.nsa.gov/about/faqs/sigint-faqs/#sigint4). See on this argument Alan Charles Raul, "Why Schrems II Might Not Be a Problem for EU-U.S. Data Transfers", December 21, 2020, available at https://bit.ly/3qHNMy7, and a full paper from the same author at https://bit.ly/2V9veez with the follow-up post "Transferring EU Data To US After New Contractual Safeguards" of May 17, 2021, available at https://bit.ly/3l12oHZ.

14) The doctrine of international comity, as recognized under US law, provides certain standards or rules in resolving conflicts between US and foreign laws. See, for example, William S. Dodge, International Comity in American Law, in: Columbia Law Review, Vol. 115, No. 8, December 2015 (https://bit.ly/3eVzlSq).

15) An example could be the following case: The importer uses a piece of software for managing the data which is technically not able to comply with a lawful access request (e.g., a CRM or ERP software with a proprietary database structure), but could be amended to do so. However, in the specific case, doing so would violate copyright law because the importer has no right to change the software or not the necessary information to do so. If this circumstance is not considered above in connection with having "control" over the data at issue or below as a technical barrier, it can be considered here as another (legal) obstacle towards compliance with the lawful access request.

16) The legal arguments above are useless if it is not ensured that they are complied with in case of a specific lawful access request. This can be ensured by the importer challenging such requests (which, in turn, can be secured by having a corresponding "defend your data" clause in the contract, which the EU SCC have). If there is no such obligation to challenge such requests, the exporter will depend on the probability of the authorities at issue complying with their own law, which is usually below 100%. The relevant percentage is taken from Step 2 and applied to the overall calculation.

17) Here, we do not assess whether the authorities will be interested in the data of the particular data exporter at issue (e.g. company XY and its employees = subjective view), but whether the categories of personal data at issue are, based on the practices of the relevant authorities, the subject of their lawful accesses at issue, either because such data is the target or because it is a by-catch (= objective view). Do not consider legal arguments here, as they are considered under a) (otherwise this results in double-counting). This may not be easy to assess at first sight, but there are sources available, such as the official reports that discuss the monitoring by the relevant authorities. See, for example, the Privacy and Civil Liberties Oversight Board (PCLOB) (https://bit.ly/3yeO7us), the NSA's comments (https://bit.ly/3dFalhk), and the decisions of the Foreign Intelligence Surveillance Court (FISC) granting accesses in such cases (2019: https://bit.ly/3heBYQB). Also consider the past experience of the data importer, where available (even if not substantiated by independent reports; the inexistence of such requests to the data importer as such does not mean that the probability is 0%, though; depending on the circumstances, the inexistence may just be coincidence).

* This form and the underlying method were developed by David Rosenthal, VISCHER (Switzerland), with the contribution of Samira Studer (VISCHER). Thanks for valuable input to Caitlin Fennessy (IAPP), Baltasar Cevc (Fingolex), Katharina Koerner, David Vasella (WalderWyss), Josh Edgerly (IAPP) and others. David Rosenthal can be reached at [email protected] (private) or [email protected] (office).

DISCLAIMER: You are using this spreadsheet and transfer impact assessment method on an "as is" basis without any implied or express warranties, and entirely at your own risk, as it may contain errors. It is provided to you for informational purposes only and does not replace getting professional legal advice. Please report to me any errors you find or other thoughts you have, so that I can update the file. See also my original work on the topic (incl. a scientific paper in German), which is available at http://www.rosenthal.ch and the Excel specifically at https://www.rosenthal.ch/downloads/Rosenthal_Cloud_Lawful_Access_Risk_Assessment.xlsx.

All rights in this spreadsheet and transfer impact assessment method are reserved. This file is made available under a free Creative Commons "Attribution-ShareAlike 4.0 International" (CC BY-SA 4.0) license (https://creativecommons.org/licenses/by-sa/4.0/). The input fields (blue background) and sample text therein are not subject to the license and may be changed and shared. Attribution must also include reference to the link where the original and master version of this file can be obtained at www.rosenthal.ch. If you need a different license, contact me at [email protected].
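Worked example for notes 4), 5) and the † (Delphi) note. This Python is an added illustration and is not the spreadsheet's own formula: the notes say the acceptable percentage is derived "based on a statistics formula" but do not state it, so the model below is an assumption of this example, namely a constant, independent per-year probability of a successful lawful access (P(at least one access in n years) = 1 - (1 - p)^n). The parameter values (5-year assessment period, 50% benchmark reached only after a further 30 years) are the illustrative figures from note 4); the Delphi panel values are constructed for the example. The function names and the reading of the "grey number" as the total number of years until the 50% benchmark are likewise this example's choices, not the spreadsheet's.

```python
"""Added example: the "50:50 chances" conversion of note 4), its inverse
(the grey years figure of note 5)) and the Delphi averaging of the dagger note.
Model assumption (not stated on the page): each year carries the same independent
probability p of a successful lawful access, so P(>=1 access in n years) = 1-(1-p)**n.
"""
import math
from statistics import mean
from typing import Sequence

BENCHMARK = 0.5  # note 4): a 50:50 chance of a lawful access is treated as unacceptable


def annual_probability(horizon_years: float, benchmark: float = BENCHMARK) -> float:
    """Per-year probability p such that P(access within horizon_years) == benchmark."""
    if horizon_years <= 0 or not 0.0 < benchmark < 1.0:
        raise ValueError("horizon must be positive and benchmark strictly between 0 and 1")
    return 1.0 - (1.0 - benchmark) ** (1.0 / horizon_years)


def acceptable_probability(assessment_years: float, additional_years: float,
                           benchmark: float = BENCHMARK) -> float:
    """Maximum acceptable probability of a successful access during the assessment
    period, given that the chance only reaches `benchmark` after
    assessment_years + additional_years (note 4): 5 years, plus 30 more years).
    """
    if assessment_years <= 0 or additional_years < 0:
        raise ValueError("assessment period must be positive, additional years non-negative")
    p_year = annual_probability(assessment_years + additional_years, benchmark)
    return 1.0 - (1.0 - p_year) ** assessment_years


def years_to_benchmark(assessment_years: float, assessed_probability: float,
                       benchmark: float = BENCHMARK) -> float:
    """Inverse of acceptable_probability: given the probability entered for the
    assessment period, return the total number of years after which the chance
    reaches the benchmark (this example's reading of the grey number in note 5)).
    """
    if not 0.0 < assessed_probability < 1.0:
        raise ValueError("assessed probability must be strictly between 0 and 1")
    p_year = 1.0 - (1.0 - assessed_probability) ** (1.0 / assessment_years)
    return math.log(1.0 - benchmark) / math.log(1.0 - p_year)


def delphi_value(first_round: Sequence[float], second_round: Sequence[float]) -> float:
    """Value "to be used" per the dagger note: the average of the values the panel
    gave after discussing their first-round estimates. The first round is only
    checked for shape; it is recorded in the sheet but not averaged."""
    if len(first_round) != len(second_round) or not second_round:
        raise ValueError("both rounds need the same, non-empty number of participants")
    if any(not 0.0 <= v <= 1.0 for v in (*first_round, *second_round)):
        raise ValueError("probabilities must lie in [0, 1]")
    return mean(second_round)


def within_limit(assessed_probability: float, acceptable: float) -> bool:
    """The Step 4 result is acceptable when the assessed (Delphi) probability does
    not exceed the permitted residual risk computed above."""
    return assessed_probability <= acceptable


if __name__ == "__main__":
    limit = acceptable_probability(assessment_years=5, additional_years=30)
    print(f"acceptable probability over 5 years: {limit:.1%}")          # about 9.4%
    print(f"grey number for that value: {years_to_benchmark(5, limit):.0f} years")  # 35
    # Constructed panel values (first round, then after discussion), as fractions
    first = [0.05, 0.20, 0.10, 0.30, 0.02]
    second = [0.08, 0.12, 0.10, 0.15, 0.05]
    used = delphi_value(first, second)
    print(f"Delphi value to be used: {used:.1%}, within limit: {within_limit(used, limit)}")
```

If an assessor overrides the percentage manually (note 5), `years_to_benchmark` shows what that figure implies under the same model: a 20% entry over a 5-year period corresponds to the 50% benchmark being reached in roughly 15.5 years, which is the kind of sanity check the grey number is meant to give.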