What is a Cross-Border DPIA

Definition: Cross-Border DPIA vs Domestic DPIA

A Cross-Border DPIA is a structured assessment of data protection impact across multiple jurisdictions, international operations and cross-border transfers.

Unlike a domestic DPIA (limited to one country or the EU), Cross-Border DPIA:

Maps requirements of multiple supervisory authorities (CNPD, CNIL, BfDI, ICO, Garante, AEPD, etc.)
Assesses transfers under Article 56 GDPR (One-Stop-Shop) and Article 6 LGPD
Harmonises conflicting regulatory frameworks (GDPR, LGPD, PIPL, CCPA, AI Act, sector-specific laws)
Ensures compliance with adequacy decisions (EU-US DPF, UK, Japan, South Korea)
Coordinates with DPOs, legal teams and multi-jurisdictional compliance

International Transfers and DPIA

Schrems II and Transfer Impact Assessment are cornerstones of modern cross-border DPIA.

Schrems II (CJEU C-311/18)

The Schrems II decision (July 2020) invalidated the EU-US adequacy decision (Privacy Shield) and reconfigured the transfer landscape:

Standard Contractual Clauses — now require continuous assessment of protection in the US
Chain Transfer — data transferred to the US cannot be re-transferred to other jurisdictions without new assessment
Supplementary Measures — encryption, pseudonymisation and other technical protections are mandatory

Transfer Impact Assessment (TIA)

TIA is the specialised assessment of whether data can be protected post-transfer. It includes:

Assessment of state access capabilities in the destination jurisdiction
Analysis of supplementary measures available (Decision 2021/914 EDPB)
Compliance opinion with EDPB 1/2020 (Supplementary Measures)

EDPB 01/2020 — Supplementary Measures

The EDPB Recommendation on Supplementary Measures guides implementation of technical, legal and organisational protections to mitigate risks of state surveillance post-transfer.

BCR and SCC — When They Require DPIA

Binding Corporate Rules and Standard Contractual Clauses do not substitute but interact with DPIA.

Mechanism	What it is	Requires DPIA?	Notes
BCR (Binding Corporate Rules)	Internal binding policies within multinational group	Not mandatory, but recommended	EDPB 80/2018 — BCR must be approved by DPA; DPIA documents compliance
SCC (Standard Contractual Clauses — Decision 2021/914)	Commission standard clauses for intra-EU and extra-EU transfers	Yes — especially post-Schrems II	TIA (Transfer Impact Assessment) is integral part of DPIA when SCC used for third countries
Adequacy (Adequacy Decision)	Commission recognises equivalent protection level	Not mandatory, but DPIA documents local compliance	EU-US DPF (newly agreed), UK (post-Brexit), Japan, South Korea — still require DPIA for structural issues

Adequacy Decisions: Global Landscape

Overview of jurisdictions with adequacy decisions or under negotiation.

Jurisdiction	Adequacy Status	Key Legal Frameworks	DPIA Note
USA	EU-US DPF (2023) — Conditional	CCPA, GLBA, HIPAA, state laws	Requires TIA and supplementary measures; Schrems II applies to stored data
United Kingdom	Adequacy (post-Brexit, 2021)	UK GDPR, UK Data Protection Act 2018	DPIA documents compliance with UK DPA; divergences with EU GDPR at risk
Japan	Adequacy (2019)	APPI (Act on Protection of Personal Information, 2020)	Verify compliance with APPI Article 23 (international transfers)
South Korea	Adequacy (2020)	PIPA (Personal Information Protection Act)	Transfers require assessment under PIPA Article 17
Brazil	No formal EU adequacy	LGPD (2020), RIPD (Transfer Resolution, 2020)	DPIA must map LGPD Article 5 XVII + Article 38 (transfers); Schrems II not applicable, but equivalent protection required
CPLP Markets	No EU adequacy	National laws vary (Angola, Mozambique, Timor-Leste)	Specialised DPIA; EDPB Recommendation on supplementary measures

DPIA vs FRIA vs AICS in International Context

Differentiation with related assessments in the Portuguese ecosystem.

DPIA (Data Protection Impact Assessment)

Article 35 GDPR, Article 38 LGPD

Risk assessment for high-risk operations (international transfers, large-scale processing, sensitive data).

aipd.pt → CNPD Guidance

FRIA (Fundamental Rights Impact Assessment)

Article 27 AI Act

Assessment of fundamental rights for high-risk AI systems (facial recognition, scoring systems).

aidf.pt → AI Act

AICS (Sectoral Compliance Impact Assessment)

Regulated Sectors (Finance, Health, Energy)

Compliance assessment with sector laws (MiFID II, NIS 2, GDPR + sector). Includes DPIA as component.

aics.pt → Sectoral Compliance

Regulatory Impact Assessment

Impact of Public Policies (Transparency Law)

Impact of new public policies or administrative processes on fundamental rights.

impactoregulatorio.pt

Articulation: DPIA + FRIA in Cross-Border AI

When a cross-border AI system is implemented, it is common to execute in parallel DPIA (data protection) + FRIA (fundamental rights) + AICS (sectoral compliance).

Important Caveats

Mandatory documentation per Article 35 GDPR and Article 38 LGPD.

Cross-Border DPIA does not substitute specialised legal opinions
Must be conducted before critical processes are implemented
Requires DPO involvement (if appointed) and supervisory authority engagement in pre-decision contexts
Should be revisited annually or when significant processing changes occur
Data transfer based on SCC without DPIA (post-Schrems II) is considered non-compliant

For National DPIA in Portugal

Consult aipd.pt/obrigatoriedade for complete CNPD criteria on when DPIA is mandatory in Portugal.

Next Steps

Deepen knowledge on multi-jurisdictional obligations and methodology.

Multi-Jurisdictional Obligations →

What is a Cross-Border DPIA?