On 18 November 2021 the European Data Protection Board (“EDPB”) released its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (“Guidelines”) for public consultation. The Guidelines clarify one of the most vexing issues in European privacy law — what counts as a “transfer” of personal data and in what circumstances are businesses required to implement safeguards to comply with data transfer restrictions under the General Data Protection Regulation (“GDPR”).
- It is not a transfer when a data subject provides personal information “directly and on his/her own initiative” to an organization outside the European Economic Area (“EEA”).
- An EEA controller or processor sharing personal data with a non-EEA controller or processor engages in a transfer, regardless of whether or not the receiving entity is subject to the GDPR. However, the EDPB recognizes that transfers to data importers that are directly subject to the GDPR require fewer protections. The current set of Standard Contractual Clauses (“SCCs”) apply only where the importer is not subject to the GDPR. Businesses should expect a new set of SCCs to govern transfers from the EEA to a foreign data importer who is already subject to GDPR.
- For there to be a “transfer,” there must be “two different (separate) parties (each of them a controller, joint controller or processor).” Access to personal data within the same controller or processor– such as where an employee of a controller or processor travels to a third country with his/her laptop – is not a transfer.
- Even if a data flow is not a transfer, controllers and processors remain accountable for their processing wherever it takes place and must assess the risks of that processing (for example, a foreign government’s access to data) as part of ensuring appropriate technical and organisational measures are in place.
The Guidelines are open to public consultation until 31 January 2022. If you would like to provide feedback on this draft, please let us know.
The GDPR does not define the concept of a “transfer,” but it nonetheless restricts “[a]ny transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization . . . .” GDPR, Art. 44. The intention of this provision is to prevent organizations from circumventing EEA data protection rules merely by transferring personal data to other parties outside the EEA. However, the GDPR also significantly extended the territorial scope of EEA data protection laws by applying directly to organizations outside the EEA that offer goods or services in the EEA, monitor behavior in the EEA, or process personal data in connection with an EEA establishment. For years there has been significant debate about how this broad extra-territorial scope aligns with the provisions on data transfers. Specifically, is a transfer of data from the EEA to an organization that is directly subject to the GDPR a “transfer”? Given that in this context the transfer does not circumvent the GDPR, should the additional protections of the GDPR’s data transfer regime apply nonetheless? And if such a non-EEA entity collects data directly from individuals in the EEA (rather than receiving the data from another controller or processor in the EEA), would that be considered a transfer for GDPR purposes?
The Guidelines answer the first question in the affirmative – disclosure of personal data to non-EEA controllers and processors constitutes a transfer even if the recipient is subject to the GDPR. But helpfully for consumer-facing businesses, the EDPB does not consider the collection of personal data directly from individuals in the EEA to be a transfer.
Defining a “Transfer”
The Guidelines specify three cumulative criteria that must be met in order for there to be an international transfer of personal data under the GDPR:
- The exporter (i.e., a controller or a processor) must be subject to the GDPR in relation to the processing activity in question;
- The exporter must either transmit or make the personal data available to an importer (i.e., a controller or a processor); and
- The importer must be geographically located in a third country or be an international organisation (irrespective of whether they are subject to GDPR or not).
If all of the above criteria are met, the exporter and importer will need to ensure the personal data is protected as required by Chapter V of the GDPR (e.g., transfer under an adequacy decision from the European Commission; put in place and approve binding corporate rules (BCR); implement the European Commission approved Standard Contractual Clauses; or identify another applicable safeguard or derogation for the transfer).
Below we summarize the key takeaways for each criterion.
- The “exporting” controller or processor must be subject to the GDPR for the given processing. Controllers and processors who are subject to the GDPR will need to comply with the transfer provisions under Chapter V of the GDPR when transferring personal data to a controller/processor in a third country. This is obvious where the relevant “exporter” is based in the EEA – a company within the EEA that shares personal data with a third party outside the EEA must comply with the GDPR’s transfer regime. But, as foreshadowed by Recital 7 of the European Commission’s decision in June 2021 implementing the new SCCs, this simple statement has profound implications when combined with the GDPR’s broad territorial scope,:
- Organizations outside the EEA can be “exporters” if they are subject to the GDPR and will need to comply with the GDPR’s data transfer rules. Because the GDPR applies directly to organizations outside the EEA in some circumstances, those organizations will need to have a transfer mechanism to share personal data with another party outside the EEA.
- Sharing personal data with a third party in the same non-EEA country as the “exporter” is a transfer. If an organization based outside the EEA shares personal data with another organization (for example, a service provider), even within the same country, the GDPR’s data transfer rules will apply.
- The exporter must transmit or make available the personal data to the data importer.
- Direct collection from data subject in the EEA is not a transfer. Where data subjects “directly and by his/her own initiative” disclose personal data to a controller/processor in a third country, such a disclosure will not constitute a transfer under the GDPR (e.g., an EEA consumer providing personal data directly to a US ecommerce platform to complete an online purchase). The rationale here is that the data subject is not a controller or processor and only controllers and processors are able to instigate a transfer. This resolves long time uncertainty around the question of whether non-EEA consumer-facing organizations that offer goods or services to consumers in the EEA are required to comply with data transfer rules. In the past, and particularly pursuant to the invalidation of Privacy Shield, such entities struggled to work through Article 49 “derogations” to provide the goods or services requested by their customers, as standard contractual clauses can only be executed against a corporate counterparty. However, the reference to the transfer being at the “initiative” of the data subject raises the possibility that this exception may be limited to personal data that is actively shared by a data subject, rather than, for example, collected through automatic technologies such as cookies.
- Even if no transfer mechanism is required for direct collection, onward transfers will need to be covered. Although organizations outside the EEA that collect data directly from individuals in the EEA may be relieved that the initial collection will not be considered a transfer, any subsequent disclosures to organizations outside the EEA (including to other entities within the same country) will be considered a transfer. For example, a consumer-facing company in the U.S. would not need a transfer mechanism to receive data in the U.S. from EEA consumers; at the same time it will need to put in place a data transfer mechanism in each case it shares such data with a service provider or other third party outside the EEA, even if that party is also in the U.S.
- Transmitting data within the same controller or processor is not a transfer. According to the EDPB, the concept of a transfer “only applies to disclosures of personal data where two different (separate) parties (each of them a controller, joint controller or processor) are involved.” Thus, when an employee of an EEA company travels to a third country (e.g., on a business trip) and has remote access to his company’s databases, that will not be a transfer. Similarly, “remote access and processing” by an employee of the same controller or processor – such as where the controller or processor has employees working from multiple countries – is not a “transfer.”
- Processors sending data back to controllers in a third country engage in a transfer. If a non-EU controller shares personal data of non-EU residents with a processor in the EEA, any personal data sent by the processor back to the controller will qualify as a transfer. The current SCCs already contemplate this scenario and offer a module designed to address such transfers.
- It doesn’t matter whether the importer is subject to the GDPR. The Guidelines clarify that an entity subject to GDPR executes a transfer when it transmits or makes personal data available to an importer in a third country, regardless of whether the importer is subject to the GDPR in relation to that processing. Notably, however, the EDPB recognized that organizations can take into account the fact that the importer is subject to the GDPR when assessing the risk of a transfer. This is important because the direct application of the GDPR to an importer could potentially make up for the absence of “essentially equivalent” laws in the third country, depending on the specific facts of the transfer.
For transfers to data importers directly subject to the GDPR, the EDPB suggested that new data transfer tools will be developed, such as a new set of SCCs, which should focus on only the elements needed to render importers accountable for compliance (rather than on substantive obligations already covered by the direct application of the GDPR), such as the allocation of liability among the parties and requirements to submit to relevant data protection authorities in the EEA.
Risk Assessment is Required Even Where There is No Transfer
The Guidelines emphasise that even if there is no data transfer (e.g., non-EU businesses collecting personal data directly from EU consumers or travelling employees accessing Company systems from third countries), a controller or processor that is subject to GDPR remains accountable for its processing activities generally. This includes ensuring that security practices take into account the risks inherent in any particular situation, including risks arising from conflicting national laws, disproportionate government access or difficulties in enforcing and obtaining redress against recipients outside the EEA. This appears to suggest that the EDPB may view the requirement to conduct transfer impact assessments (TIAs) to be inherent in the GDPR’s security principles, not just for data transfer analysis. Further clarification is needed about the scope of an organization’s obligations to assess third country laws when no transfer takes place.
Key Questions Remain
The Guidelines resolves the question of what is a data transfer under the GDPR by providing that a transfer occurs where personal data is shared from one organization subject to the GDPR to another organization outside the EEA. However, as discussed above, this simple definition does not fully address some of the complexities of how data moves through modern data processing chains.
For example, if a company in the U.S. provides services to enterprise customers in Europe, but in fact, the U.S. company outsources its operations to another company in India and the data is never actually stored in or accessed from the U.S. In that scenario, is there a “transfer” to the U.S. followed by an onward transfer to India, or is this merely a transfer directly to India? The Guidelines don’t offer an answer.
Such questions are not merely academic, as we know from previous guidance that organizations must conduct “transfer impact assessments” for each country that is a recipient of the transfer. If the definition of a transfer follows the path of the data, this assessment would look at the laws of one country (in the example above, India), whereas if we follow the contracting chain, the assessment might need to focus on more than one country (in the example above, India and the U.S.). And, if it’s not a transfer to move data within the same controller or processor, as the Guidelines state, which country’s laws must be assessed where a controller or processor has personnel distributed across multiple countries?
The public consultation will be an important opportunity for impacted businesses to address remaining issues and questions raised by the Guidelines.