Glossary · EU-US Data Transfer · Transfer Impact Assessment (TIA)
A documented assessment that European data exporters must carry out, following the Schrems II judgment, before relying on Standard Contractual Clauses or another Article 46 GDPR transfer tool. It evaluates whether the law and practice of the destination country give the transferred data a level of protection essentially equivalent to that guaranteed in the EU.
## What a TIA actually is
A Transfer Impact Assessment (TIA) is a documented evaluation that organisations in the EU/EEA must carry out before transferring personal data to a country without an EU adequacy decision, when the transfer relies on an Article 46 GDPR tool such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). The TIA asks whether the destination country's law and practice, combined with the chosen tool and any supplementary measures, give the data a level of protection essentially equivalent to that guaranteed in the EU.
TIAs became required following the Schrems II judgment (Court of Justice of the EU, case C-311/18, 16 July 2020), which invalidated the EU-US Privacy Shield. The court held that contractual safeguards bind only the parties, not the authorities of the destination country, so the exporter must assess the legal protections that actually apply there rather than rely on the contract alone.
## Why TIAs are required
The Schrems II ruling identified two structural problems with US data protection:
1. **US surveillance law** (FISA Section 702 and Executive Order 12333) authorises surveillance programmes that, in the court's view, are not limited to what is strictly necessary and proportionate, and that are not subject to oversight giving EU data subjects protection equivalent to EU standards
2. **No effective judicial remedy**: EU data subjects had no right actionable before a court or independent body against US authorities, and the Privacy Shield Ombudsperson was neither sufficiently independent nor able to bind the intelligence agencies
The court confirmed that SCCs remain a valid transfer tool, but only where protection essentially equivalent to the EU's can actually be achieved. The exporter, with the importer's help, must therefore verify case by case whether the destination country's law and practice allow the clauses to be honoured, and must adopt supplementary measures where they do not. If no combination of measures closes the gap, the transfer must be suspended or ended.
This assessment process is the TIA.
## What a TIA contains
A complete TIA typically includes:
### 1. Description of the transfer
- Categories of personal data being transferred
- Categories of data subjects
- Purpose of the transfer
- Recipients in the destination country
- Duration of processing
- Onward transfer chain (if any)
### 2. Assessment of destination country's legal framework
- Adequacy decision status (none, full, or partial, e.g. sectoral or limited to certified recipients as under the EU-US Data Privacy Framework)
- Surveillance laws and their scope
- Judicial oversight of surveillance
- Data subject rights and remedies
- Intelligence cooperation obligations
- Other relevant national security or law enforcement frameworks
### 3. Assessment of specific risks
- Probability that destination country authorities will request data
- Type of authorities likely to request access (law enforcement, intelligence)
- Effectiveness of legal remedies for affected data subjects
- Track record of relevant providers regarding government data requests
- Specific transfer scenarios (e.g., cloud storage, B2B data sharing)
### 4. Identification of supplementary measures
If the legal framework alone is insufficient, supplementary measures must be identified. The EDPB's Recommendations 01/2020 describe which use cases measures can cover (e.g. encrypted storage and backup where the importer never holds the key) and which they cannot (e.g. a cloud provider that must process the data in the clear, or remote access to plaintext from the third country):
- **Technical measures**: encryption with keys held only by the exporter (or a trusted party) in the EU, so the importer never has plaintext; pseudonymisation with the re-identification key and lookup table kept in the EU; data minimisation
- **Contractual measures**: enhanced SCC provisions, audit rights, transparency and notification obligations for government requests
- **Organizational measures**: access controls, training, incident response
Contractual and organisational measures cannot on their own overcome a legal power of access; they complement technical measures that prevent the importer from being able to hand over intelligible data.
### 5. Conclusion and decision
Based on the assessment:
- **Transfer permitted with current safeguards** (legal framework + standard SCCs sufficient)
- **Transfer permitted with supplementary measures** (specified additional measures required)
- **Transfer not permitted** (no combination of measures can achieve adequate protection)
- **Transfer falls back on an Article 49 derogation** (e.g., explicit, informed consent for occasional, non-repetitive transfers); derogations are not a substitute for a failed TIA at scale
### 6. Documentation and review
The TIA must be:
- Documented in writing
- Available for regulator inspection
- Reviewed periodically (typically annually or upon material changes)
- Updated when destination country legal framework changes
## How TIAs work in practice
For most European businesses, TIAs follow standard patterns:
### For US transfers under DPF
If the US recipient is certified under the EU-US Data Privacy Framework, the transfer is made under the Commission's adequacy decision of 10 July 2023 rather than under an Article 46 tool, so no full TIA is required. What the exporter still documents: that the recipient appears on the DPF list, that the certification covers the data category in question (HR data is certified separately from non-HR data), that reliance on the adequacy decision is recorded, and any recipient-specific risks noted.
### For US transfers without DPF
Where the DPF does not apply (recipient not certified, certification does not cover the data category, or the transfer is outside DPF scope), the transfer relies on SCCs (Implementing Decision (EU) 2021/914, whose Clause 14 requires the documented assessment) or on BCRs, and a full TIA is required:
- Document US surveillance laws (FISA 702, EO 12333) and their applicability to the recipient, including whether it is an "electronic communication service provider" within reach of FISA 702
- Assess the specific recipient's history of receiving government requests (transparency reports, prior disclosures)
- Identify supplementary measures that work against compelled access, i.e. measures that keep plaintext away from the importer (exporter-held encryption keys, pseudonymisation with EU-held lookup tables); access controls on the importer's side do not help, because a lawful order compels the importer to use them
- Document why the measures are judged sufficient for this scenario and what residual access remains
### For transfers to other jurisdictions
For other non-adequacy countries (China, India, Russia, etc.), TIA assesses each country's specific framework. China-bound transfers face particularly thorough scrutiny given national security law breadth.
### For low-risk transfers
Some transfers face simpler TIA processes:
- Transfers to adequacy-decision countries (Andorra, Argentina, Canada for commercial organisations, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, UK, Uruguay, and the US for DPF-certified recipients)
- Encrypted data where the keys are held only in the EU: this is still a transfer of personal data, but the TIA may conclude that the importer's inability to access plaintext makes the transfer acceptable; it works for storage, backup and transit, not for services that must process the data in the clear
- Anonymised data (no longer personal data, falls outside GDPR), provided it is genuinely anonymised; pseudonymised data is still personal data under GDPR Recital 26 and still needs the assessment
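Keyed pseudonymisation with the key held in the EU is the kind of technical measure the two bullets above, and the supplementary-measures list earlier on this page, rely on. The following Python is an added example, not code from this page or from any tool it names; the record, field names and guess list are constructed, and the in-memory key stands in for one that would live in an EU-hosted KMS. It shows the exporter-side transform, the re-identification table that must stay in the EU, and why an unkeyed hash of an e-mail address is not pseudonymisation at all.

```python
"""Keyed pseudonymisation and data minimisation of a record before export.

Added example: the HMAC key and the token->identity table stay with the EU
exporter; the importer only ever sees tokens plus the fields its purpose needs.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "ticket_id": "T-10492",
    "product": "router-x1",
    "opened_at": "2026-02-03",
    "email": "alice@example.com",
    "customer_id": "C-77812",
    "phone": "+49 30 1234567",
    "notes": "Caller named her employer and home street",
}

# Data minimisation: only these fields leave the EU as-is.
ALLOWED_FIELDS = frozenset({"ticket_id", "product", "opened_at"})
# Direct identifiers: exported only as keyed tokens.
IDENTIFIER_FIELDS = frozenset({"email", "customer_id"})

# Assumed key handling: generated once, kept in an EU-hosted KMS/HSM, never
# shipped with the data. A fresh random key is drawn here so the example runs.
KEY = secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token: equal inputs give equal tokens (the importer
    can still join records), but only the key holder can compute or verify one."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(record: Dict[str, str], key: bytes,
                 lookup: Dict[str, str]) -> Dict[str, str]:
    """Build the export copy of `record`. `lookup` (token -> original value)
    is the re-identification table and must stay with the exporter."""
    exported: Dict[str, str] = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            token = pseudonym(value, key)
            lookup[token] = value
            exported[field] = token
        elif field in ALLOWED_FIELDS:
            exported[field] = value
        # phone, free-text notes, etc. are dropped: not needed for the purpose
    return exported


def reidentify(exported: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, str]:
    """Exporter-side reversal, e.g. to act on a data subject request."""
    return {f: (lookup[v] if f in IDENTIFIER_FIELDS else v)
            for f, v in exported.items()}


def unkeyed_hash(value: str) -> str:
    """What a naive 'just hash the e-mail' scheme produces: no secret involved."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:32]


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Attacker without the key: push each guessed value through the only
    function they can compute (the unkeyed hash) and compare to the target."""
    for guess in candidates:
        if hmac.compare_digest(fn(guess), target):
            return guess
    return None


def demo() -> Dict[str, object]:
    lookup: Dict[str, str] = {}
    exported = pseudonymise(SAMPLE_RECORD, KEY, lookup)
    # Constructed guess list, e.g. addresses leaked from an unrelated breach.
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]
    return {
        "exported": exported,
        "recovered": reidentify(exported, lookup),
        # unkeyed sha256(email) falls to a short guess list immediately
        "unkeyed_cracked": dictionary_attack(
            unkeyed_hash(SAMPLE_RECORD["email"]), guesses, unkeyed_hash),
        # the keyed token cannot be matched without KEY
        "keyed_cracked": dictionary_attack(exported["email"], guesses, unkeyed_hash),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The output of `demo()` is still personal data in the exporter's hands, so the transfer keeps its TIA; the point of the measure is that an importer compelled to disclose what it holds can disclose only tokens and the minimised fields. The measure only fits scenarios where the importer does not need the identifiers in the clear.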
## Common TIA gaps
Several patterns produce inadequate TIAs:
### 1. Generic assessments
Using a generic TIA template without assessing the actual recipient, data categories and processing scenario. A template that is not tailored to the transfer does not discharge the obligation, and regulators have penalised this pattern.
### 2. Optimistic legal interpretation
Some TIAs minimise the scope of US surveillance law, for example by asserting without analysis that the recipient is outside the reach of FISA 702. The honest assessment: FISA 702 and EO 12333 reach broadly, and EO 14086 added necessity and proportionality limits and a redress mechanism but did not remove the collection powers. TIAs should reflect this rather than argue it away.
### 3. Inadequate supplementary measures
Identifying supplementary measures without verifying their actual implementation, or relying on measures that do not work against compelled access (encryption where the importer holds the key, importer-side access controls). The 2022 DPA decisions on Google Analytics turned on exactly this point. The TIA should document what is actually deployed and why it is effective, not what might be deployed.
### 4. Missing periodic review
TIAs that are not reviewed when destination country law changes. EO 14086 (October 2022), which underpins the DPF, changed the US legal framework, as did the DPF adequacy decision itself (July 2023); TIAs written against the 2020 picture should have been updated at each step.
### 5. Weak documentation
Verbal assessments or undocumented decisions. Regulators require written documentation.
## Practical TIA workflow
For European businesses making TIA decisions:
### Step 1: Inventory transfers
Identify all data transfers to non-EU countries:
- Cloud services (SaaS providers, hosting)
- Email and communication services
- Analytics and marketing tools
- HR systems
- Customer support tools
- Various B2B integrations
### Step 2: Categorize by jurisdiction
Group transfers by destination country and recipient category: adequacy-decision countries (low complexity); US (DPF-certified recipient, or SCCs/BCRs plus a full TIA); other countries (case-by-case).
### Step 3: Assess legal framework per jurisdiction
For each non-adequacy jurisdiction, document the legal framework relevant to data protection.
### Step 4: Assess specific transfer risks
For each transfer, evaluate specific risks including data sensitivity, data subject vulnerability, and recipient track record.
### Step 5: Identify and document supplementary measures
Where the legal framework alone is insufficient, identify supplementary measures and verify that they are actually implemented, not merely available.
### Step 6: Document decisions
Written TIA per transfer category. Available for regulator inspection.
### Step 7: Periodic review
Annual review or upon material changes to destination country law.
## What 2026-2027 brings
Several factors affect TIA practice:
### Possible Schrems III
A CJEU judgment invalidating the DPF would eliminate that simplification path. The General Court dismissed the first direct challenge (Latombe, T-553/23) in September 2025, but an appeal or a preliminary reference can still bring the question before the CJEU. TIAs for US transfers would then return to full assessment under SCCs, so the fallback documentation should exist already.
### EU AI Act intersection
Training and fine-tuning datasets sent to non-EU model providers are emerging as TIA-relevant scenarios. The AI Act's data governance duties (Article 10 for high-risk systems) add record-keeping on data provenance that the transfer assessment can draw on, but they do not replace the GDPR Chapter V analysis.
### Increased enforcement
DPAs are increasingly checking TIA documentation during investigations. Inadequate TIAs are themselves enforcement subjects.
### Tooling maturation
Various legal tech tools now help with TIA workflow. [Palqee](/en/alternatives/palqee-vs-onetrust/), Keepabl, and others provide structured TIA templates and tracking.
## Practical implications
For European businesses managing transfers in 2026:
1. **Maintain current TIAs** for all non-adequacy transfers
2. **Document supplementary measures actually deployed**, not aspirational
3. **Review TIAs annually** and upon material changes
4. **Plan for DPF invalidation** — have SCC-based fallback TIAs ready
5. **Use specialist tooling** if managing many transfers
For most European businesses, the operational answer remains: where possible, choose [EU-resident processing](/en/compliance/eu-data-residency/) to avoid the TIA requirement entirely. Where US providers are necessary, maintain rigorous TIA documentation as ongoing compliance practice.