On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (available here). The draft guidelines are currently subject to a public consultation period that ends on January 31, 2022; interested stakeholders can submit their feedback here.
In this blog post, we provide a brief background on the issues addressed in the draft guidelines, and summarize the key takeaways.
Chapter V of the General Data Protection Regulation (“GDPR”) regulates “transfers” of personal data from entities based in the EU to entities outside of the EU. Such transfers are considered lawful under the GDPR only if a valid transfer mechanism is relied upon and applied to ensure that the personal data is adequately protected in the third country to which it is transferred. Chapter V provides an exhaustive list of transfer mechanisms, including the Standard Contractual Clauses (“SCCs”) approved by the European Commission. In addition, as articulated by the Court of Justice of the European Union (“CJEU”) in the recent Schrems II decision (C-311/18), parties transferring data abroad may also need to apply supplementary measures to ensure an adequate level of data protection in the country of destination.
Meanwhile, Article 3 GDPR defines the geographic scope of the GDPR and provides that, in certain cases, the GDPR may apply directly (i.e., extraterritorially) to entities outside the EU that are processing the personal data of EU residents. This is the case, in particular, if they process personal data in the context of an establishment in the EU, or the processing relates to the offering of goods or services to data subjects in the EU or the monitoring of their behavior taking place in the EU.
Since Chapter V GDPR does not define the concept of a “transfer”, the question has arisen as to whether data importing entities that are already directly subject to the GDPR must also rely on and apply one of the transfer mechanisms listed in Chapter V GDPR when they receive personal data from the EU. Adding to the lack of clarity here is Recital 7 of the new SCCs adopted in June 2021, which states that that the SCCs may not be used if the data processing by the importer is directly subject to the GDPR.
The EDPB’s view is that all personal data transfers to data importers outside the EU must comply with Chapter V GDPR and require a transfer mechanism, even if the importer is already subject to the GDPR pursuant to Article 3 GDPR. Some intra-group activities may, however, fall outside the scope of Chapter V. The EDPB identifies three cumulative criteria for identifying personal data transfers that are subject to Chapter V GDPR, namely:
- a controller or a processor subject to the GDPR for the processing in question;
- the controller or processor (“exporter”) discloses the data by transmission or otherwise makes it available to another controller or processor (“importer”); and
- the importer is located in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR with respect to the given processing in accordance with Article 3 GDPR.
Below, we walk through each of these criteria and key takeaways articulated by the EDPB.
(1) A controller or a processor subject to the GDPR for the processing in question.
The EDPB makes clear that it expects controllers or processors who are directly subject to the GDPR – including those who are located outside the EU – to apply a transfer mechanism if they transfer personal data to a third country or an international organization.
(2) The controller or processor (“exporter”) discloses the data by transmission or otherwise makes it available to another controller or processor (“importer”).
The EDPB confirms that there is no data transfer if the data subject transfers the data (or makes the data directly available) to a controller our processor outside the EU – e.g., by entering information in an online form.
Interestingly, the EDPB states that if personal data is accessed remotely from a third country, this does not necessarily constitute a “transfer” if the data is accessed by an employee who is “an integral part of the EU-based controller” – here, the EDPB gives the example of an employee of an EU-based controller who is only temporarily in a third country on a business trip. In this scenario, the EDPB says the controller needs (only) to apply appropriate technical and organizational measures to the data (Article 32 GDPR), but does not need to rely on or apply a transfer mechanism.
Moreover, according to the EDPB, the sharing of data between entities belonging to the same corporate group “may” constitute transfers. For example, if a subsidiary of a corporate group based in the EU shares data with its parent company in the US, this qualifies as a transfer. Unhelpfully, the EDPB does not provide any examples of data sharing within a corporate group that does not constitute a transfer.
(3) The importer is located in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR with respect to the given processing in accordance with Article 3 GDPR.
The EDPB underlines that the disclosure of data by a controller or processor in the EU to an entity located outside the EU that is already subject to the GDPR under Art 3(2) GDPR constitutes a transfer and thus, requires a transfer mechanism. It illustrates this point with the example of a French company processing data for a controller company outside of the EU. Where the French company sends data back to its customer outside the EU, it is then regarded as a disclosure to a third country, thus requiring an appropriate transfer mechanism.
The EDPB admits that the current SCCs do not fit that particular situation because they partly duplicate GDPR rules, which – per Article 3 GDPR – already apply directly to the entity in the third country. Consequently, the EDPB offers to help develop a new set of SCCs to address this gap.
Last week, during an international privacy conference held in Brussels, representatives of the European Commission publicly stated that the new “slimmed down” version of the SCCs should be released sometime in 2022, potentially in the first half. We will continue to monitor and report on developments in this area.