EU Transfer Impact Assessments Are Far From Obsolete
In a decision that may have gone under the radar for some, the Spanish Data Protection Authority (La Agencia Española de Protección de Datos) (AEPD) issued its third-largest fine ever of EUR 6.1 million against Endesa Energia SA (a gas and electricity provider) (Endesa) following a data security incident.
While the AEPD took issue with the security measures that Endesa had implemented before the data security incident and its subsequent response, notably, the AEPD also levied a fine because it determined that Endesa’s transfer impact assessment (TIA) was not sufficiently detailed.
The decision is an important reminder that a data protection authority (DPA) may expand its investigation into any aspect of a business’ data protection compliance program after it begins investigating a specific issue like a data security incident, including specifically a company’s TIAs.
Endesa had used service providers to carry out sales and marketing campaigns on its behalf. These service providers had access to customer databases that contained personal information about Endesa’s six million customers.
Endesa identified advertisements on a social media platform purportedly selling access to Endesa’s customer databases in August 2021. According to the AEPD’s decision, some of the advertisements offered individuals all information about a consumer’s gas and electricity supply for the purpose of assisting a call center representative’s sales. Initially, Endesa determined that no unauthorized third party had, in fact, accessed its databases. After a subsequent investigation, it found that employees at its service providers had been selling credentials to Endesa’s databases online and that 760 individuals were registered with Endesa accounts without their knowledge. Endesa notified the AEPD of the security incident in February 2022 (six months after Endesa had first identified the social media posts).
The AEPD’s findings about Endesa’s response to the security incident will likely not come as a surprise to privacy and cybersecurity professionals. For example, the AEPD determined that Endesa should have deployed multifactor authentication, maintained detailed user activity logs, and carried out password resets promptly after becoming aware that accounts were potentially compromised.
The AEPD also found that Endesa’s communications to individuals about the security incident were misleading, as Endesa stated that the confidentiality and integrity of personal information had not been compromised, even though Endesa had evidence that unauthorized third parties had, in fact, accessed its databases.
However, the AEPD’s findings with regards to Endesa’s TIAs are noteworthy too.
Following the Schrems II decision, to rely on EU Standard Contractual Clauses (EU SCCs) or Binding Corporate Rules (BCRs) as a transfer mechanism to countries not deemed “adequate” for data protection purposes, organizations should also complete a TIA to ensure that, in the specific circumstances of that transfer, there are appropriate safeguards against any residual risks to individuals’ rights that may arise in the third country that are not adequately covered by the transfer mechanism.
In its guidance, the European Data Protection Board (EDPB) outlines that a TIA should be focused on the legislation in the countries relevant to the transfer as well as the practices of the public authorities in the country. The EDPB provides a (non-exhaustive) list of sources that businesses may check, such as reports from intergovernmental organizations, national case law, reports of independent oversight or parliamentary bodies, and reports from providers of business intelligence services, as well as information from the data importer itself regarding the access requests it has received from government authorities.
As we outlined in our client alert at the time of the Schrems II decision, putting the onus on businesses to assess foreign countries’ legal systems is a huge burden. Over the last four years, many businesses, particularly those with a global footprint, have found it difficult to complete TIAs to the standard expected by the EDPB guidance.
After the EU-U.S. Data Privacy Framework (DPF) was finalized, many businesses breathed a sigh of relief. Following the DPF, TIAs for data transfers to the U.S. no longer have to consider the actual laws and practices of the U.S. and can rely on the European Commission’s adequacy finding in respect of the DPF. This is the case even where the business receiving the personal information in the U.S. is not certified under the DPF and the transfer has been concluded on the basis of EU SCCs or BCRs (see our client alert for more information).
However, this decision shows that the AEPD is paying attention to transfers of personal information to non-adequate jurisdictions outside of the United States. During the course of the AEPD’s investigation into the security incident, the AEPD sought additional information from Endesa, including the EU SCCs and TIAs it had concluded when transferring personal information to non-adequate countries (the countries in question are redacted in the AEPD’s decision).
The AEPD only requested information about Endesa’s data transfer mechanisms in June 2023, which is 16 months after Endesa notified the AEPD of the incident. The AEPD noted that Endesa’s TIAs merely noted the existence of a data protection authority in the third country and did not analyze the functions and powers of the local data protection authorities. In addition, the AEPD states that Endesa’s TIAs did not sufficiently analyze the laws and practices of the third countries (including any rules that require the transfer of personal information to public authorities).
On this basis, the AEPD concluded that Endesa failed to comply with Article 44 of the GDPR (which sets out the general prohibition on restricted transfers) because Endesa had not met the requirements of Clause 14 of the EU SCCs. Clause 14 addresses the requirements of Schrems II by requiring the parties to warrant that they have no reason to believe that the laws and practices in the destination country prevent the data importer from fulfilling its obligations under the EU SCCs. It also requires the parties to declare that they have taken due account of the specific circumstances of the transfer, the laws and practices of the destination country, and any relevant contractual, technical, and organizational safeguards in place to supplement the EU SCCs.
The decision includes Endesa’s arguments to challenge the AEPD’s finding on this issue—including on the bases that such a fine would be disproportionate and that there is no consensus on how to carry out a TIA under EU law. However, the AEPD rejected these arguments and ultimately apportioned EUR 500,000 of its EUR 6,100,000 fine for Endesa’s inadequate TIAs.
This is difficult to predict. One could have anticipated that the topic of cross-border transfers in general, and TIAs in particular, would be addressed at EU level by the EDPB (or, in any event, in consensus with other EU DPAs). However, the AEPD’s action underscores that it is indeed well within a national DPA’s competence to review transfers, including TIAs. In particular, where a DPA is reviewing a company’s privacy compliance practices generally, there is a distinct possibility that transfers and TIAs will now be included in scope.