Businessman and woman looking at laptop in office atrium

Three golden rules to deliver Third Country Law Assessments

Understanding all applicable local data privacy regulations is a challenge that can be addressed by following three key rules.

In brief
  • When conducting cross-border data transfers, understanding regulatory requirements in all applicable countries is a challenge.
  • Third Country Law Assessments help organizations understand their regulatory rights and obligations but can slow business operations.
  • Improvements in process and format and use of technology can help expedite effective Third Country Law Assessments. 

The Schrems II judgment changed the landscape for international data transfer compliance. Almost overnight, organizations were required to re-evaluate data transfers and take into account data protection and surveillance risks arising from the legal environment in the third country (e.g., a country outside the European Economic Area). Third Country Law Assessments (TCLAs) are a necessity designed to protect organizations from risk of noncompliance, but they are also a complex and time-consuming exercise that can erode the value that would have been derived had data transfer and use decisions been made more quickly. Following three golden rules can help organizations streamline the creation and use of TCLAs and expedite the business processes that are reliant on them.

Data is often essential to business growth so it is imperative
for organizations to be able to make well-informed, yet swift
decisions on how and when data may be transferred and
used. Third Country Law Assessments can be both an
enabler and an impediment to the process.

1. Define a clear and consistent process

Following Schrems II, TCLAs are a standard compliance document that organizations must keep up to date. Whatever the size of the organization, working with the increasing volume of international data transfers outside of the European Economic Areas means that assessments are required for an ever-increasing number of jurisdictions.

Organizations invariably need this information at short notice, for example, to close a contract, select a service provider or conclude Standard Contractual Clauses (SCCs). TCLAs are crucial input for Data Transfer Impact Assessments (DTIAs), the process by which the business assesses the risks of a particular cross-border data transfer. A delay with a DTIA can delay business operations and ultimately impact revenue.

Defining the scope and standardizing the process around TCLA creation will help you to manage risk consistently and improve the turnaround time for your TCLAs. In turn, this will help expedite business processes that are contingent on approvals granted based on TCLA data.

When defining the TCLA process, organizations should consider the best approach for mapping foreign legislation and by whom this is done. One way is to identify which legislation applies to a specific data importer on a per-transfer basis. This is very costly and likely to lead to repetitive findings across similar TCLAs.

Other organizations will opt for a more generic assessment of the legislation. Additional time will be spent on determining which sections are relevant for a specific transfer when performing a DTIA, but the re-usability of the TCLA leads to greater consistency and cost efficiencies.

Organizations can rely on their in-house legal teams to conduct the legislative research, or they can utilize lawyers from the local jurisdictions to perform the Country Law Assessment (CLA). The first option gives greater consistency, but less local knowledge could lead to potentially inaccurate assessments. The second option provides robust local knowledge but could result in a lack of consistency across assessments. This could be problematic, as a divergence from your central requirements could impact the applicability of the assessment. Having a defined, standardized process and questionnaire will help prevent such consistency issues.

2. Make the TCLA easy for the business to apply to their DTIA

To be applicable to your DTIA, your TCLA should contain all requirements as stated in:

  • The Schrems II ruling
  • The European Data Protection Board (EDPB) guidelines on supplementary measures¹
  • The EDPB guidelines on the European Essential Guarantees²

These requirements are complex, so designing your assessments to be easily applied by the business will be one of your key priorities and may include the use of technology to make the application process more user-friendly. Business teams won’t want to read extensive analyses, so striking a balance between having sufficient information and avoiding unnecessary “legalese” will be crucial.

Adopting a pragmatic approach, both for your organization’s legal team and for your business, is important.

Given the guidance cited, your TCLA should be:

  • Comprehensive: contain all legislation so that the assessment is applicable for any transfer sent to the country in question
  • Aligned: address privacy principles and European Essential Guarantees
  • Specific: an assessment of a country’s practices
  • Risk based: an assessment of inherent risks involved within the jurisdiction

3. Make the TCLA readily available

To save time and reduce friction in your data transfer process, your TCLAs must be made available to the business when it needs them. They can easily be made available via links within the process documentation your business follows to conclude contracts and SCCs or to carry-out DTIAs. Having the TCLAs readily available offers several advantages.

For example, if sensitive data (such as health or financial data) is involved in a transfer and you already know that relevant governments have far-reaching surveillance powers, then, at a minimum, you can recommend proper encryption for the local control environment or as an enforceable measure in your SCC. This step will allow you to hold the importer accountable.

This information should be available at the pre-contract stage when selecting a service provider. It will help facilitate a deep dive into the data as necessary, as well as into specific jurisdictions, and factor that into the decision.

From a supplier’s perspective, you clearly enhance your chance of being selected by proactively demonstrating that your jurisdiction of processing is meeting the necessary requirements, or that you have provided  mitigation measures.

EY member firms do not practice law where it is not permitted by local law or regulation.

Related articles

How tech and trust transformed a tax operating model

Global pharmaceutical player Boehringer Ingelheim is reimaging its tax operating model to boost quality and efficiency. Learn more in this case study.

30 May 2023 Ute Benzel

Four steps to embed data ethics into your data risk control environment

Data privacy concerns are pushing organizations to consider data ethics in data use decisions. Learn how to incorporate data ethics in the process. Learn more.

19 May 2023 Matt Whalley

What are the main trends in regulatory responses to Schrems II

Given the regulatory uncertainty following last year’s Schrems II decision, transferring personal data to non-EEA jurisdictions remain complicated.

31 Mar 2021 Fabrice Naftalski


    A clear, technology-led process is vital to manage risk and increase efficiency for organizations that regularly conduct cross-border data transfers and rely on TCLAs to make data use decisions.  Organizations that do not have the resources or knowledge in-house to map regulations outside their own jurisdiction may ultimately find the most benefit in utilizing an external resource to manage TCLA work. 

    About this article