The European Data Protection Board (EDPB) recently published minutes of its last plenary meeting held in September 2021, which (in paragraph 2) shed light on how the EDPB may address one of the biggest open issues regarding data transfers from Europe — whether under General Data Protection Regulation (GDPR), Chapter V data transfer restrictions apply even where a foreign data importer is subject to the extraterritorial reach of Article 3(2) GDPR. According to the minutes, the EDPB is likely to adopt guidelines requiring Chapter V data transfer mechanisms to be put in place even in these cases. The minutes further reveal that pursuant to the adoption of such guidelines, the European Commission will develop a new set of Standard Contractual Clauses (SCCs) to specifically address this situation, i.e., a transfer from the European Economic Area (EEA) to a foreign data importer who is already subject to GDPR under Article 3(2).
Notably, the new SCCs adopted by the European Commission on 4 June 2021, explicitly exclude implementation by data importers who are already subject to GDPR. This means that when all is said and done, companies will need to determine whether a data importer is subject to GDPR or not, and based on that determination adopt the appropriate set of SCCs.
As we described in a recent post, the EDPB previously announced that it was working on guidance to clarify the interplay between the GDPR territorial scope and the GDPR’s rules on international transfers.
The EDPB statements suggest that there will be two sets of SCCs — one applicable to importers who are not subject to the GDPR (the SCCs released by the European Commission on June 4, 2021), and the other applicable to importers who are subject to the GDPR, yet to be developed by the European Commission. We anticipate that the latter set of SCCs will include a more limited set of obligations, given that the importer will already be subject directly to the GDPR, and will likely focus on regulating conduct in the case of requests by public authorities (similar to Section III of the new SCCs).
One key challenge that this development may or may not resolve is that of direct engagement by non-EU companies with European consumers. A U.S.-based company, for example, that has no physical presence in Europe but targets European consumers and collects their personal data, is likely subject to the GDPR under Art. 3(2). There has long been a position that such direct data collection is not a “transfer” under the GDPR, and therefore does not require a Chapter V transfer mechanism. The invalidation of the Privacy Shield put this use case at the forefront because U.S.-based companies collecting data directly from European consumers could no longer adhere to the Privacy Shield, but at the same time are incapable of entering into SCCs absent a corporate counterparty in Europe. If the EDPB views such direct data collection as a Chapter V transfer, it is not clear how companies will be able to comply in the absence of a replacement to Privacy Shield. It remains to be seen if, and how, the European regulators will address this use case in the proposed new guidelines.
The EDPB clarification on the interaction between Article 3(2) and Chapter V is welcome, as a cloud of uncertainty continues to hang around the adoption of SCCs in the context of transfers to importers who are subject to GDPR. However, it now looks like businesses will face the further legal and administrative burden of assessing and implementing the correct documentation for data transfers, possibly managing different sets of SCCs depending on the activities of the importer.
The EDPB statements also come at an interesting time for businesses, as they are still grappling with transfer impact assessments and managing their transition to the new SCCs. Businesses engaging in cross-border transfers of European data should be on the lookout for the final EDPB guidelines on this issue and be prepared to review their data transfer strategy.