New EDPB Guidelines Clarify the Scope of “International Data Transfers” But Some Questions Remain
On November 19, 2021, the European Data Protection Board (EDPB) published guidelines on the interplay between the application of Article 3 of the General Data Protection Regulation (GDPR), which concerns the GDPR’s territorial scope, and the provisions on international transfers of Chapter V of the GDPR. The new guidelines (Guidelines) provide some much needed and welcome clarification on whether a disclosure of personal information constitutes a “transfer of personal data to a third country or to an international organisation” within the meaning of Article 44 of the GDPR (Transfer). This clarification will enable controllers and processors to determine if they are making such Transfers and thus whether they need to, and how to, implement a lawful transfer mechanism (e.g., through reliance on an adequacy decision, standard contractual clauses, or an Article 49 derogation) in accordance with Chapter V of the GDPR.
The Guidelines, which are subject to public consultation until the end of January 2022 and thus may be modified thereafter, were eagerly awaited by organizations engaging in transfers of personal data to areas located outside of the European Economic Area (EEA). Undertaking such transfers has been considered somewhat risky since June of this year due to the uncertainty created by the European Commission’s declaration that the new standard contractual clauses for personal data transfers (New SCCs) are applicable only when the processing by the data importer is not subject to the extraterritorial scope of Article 3(2) of the GDPR.[1] This statement triggered doubt about whether the New SCCs or any transfer mechanism at all was required under the GDPR when the data importer is subject to the extraterritorial scope of the GDPR (i.e., when the data importer offers goods or services to EEA individuals or monitors their behavior in the EEA). The Guidelines help resolve that uncertainty by making clear that Transfers to data importers only subject to the GDPR pursuant to the extraterritorial scope are subject to Chapter V. The Guidelines also, helpfully, clarify that direct transfers from data subjects to data importers do not constitute Transfers. However, and this is a big however, they underscore that the New SCCs are not designed for use with respect to transfers of personal data to data importers that are subject to the extraterritoriality provisions of the GDPR. While companies can (1) rely on other transfer mechanisms in Chapter V or (2) try to only transfer personal data to data importers not subject to the GDPR, the space between is unclear. In practice, companies may be forced to rely on New SCCs, adding any necessary clarifications in the data processing agreements to address the Guidelines, and to hope that suffices until the New SCCs are further updated to cover this situation.
What Is a Transfer of Personal Data to a Third Country?
In its Guidelines, the EDPB makes up for the remarkable absence of the definition of a Transfer in the GDPR by specifying that the export of personal data constitutes a Transfer if all three of the following conditions are met:
- “A controller or a processor is subject to the GDPR pursuant to Article 3 for the processing of personal data.” The controller or processor could be an EEA company or it could be a non-EEA company offering goods or services to or monitoring data subjects in the EEA (Article 3 would apply in both cases).
- “The controller or processor (data exporter) transmits or makes available the personal data to another controller, joint controller or processor (data importer).” This criterion confirms that two separate parties (controllers/processors) are needed for the transmission of personal data to qualify as a Transfer. For example, if an EEA controller grants one of its employees remote access to personal data in the controller’s database when the employee is travelling outside the EEA, that is not a Transfer, since the employee is an integral part of the controller and not a separate controller. In contrast, an exchange of personal data between two separate entities of the same corporate group, such as the transmission of employee data from an EEA-based subsidiary to its US-based parent company, may constitute a Transfer, because each entity may qualify as a separate controller or processor.
- “The data importer is in a third country or is an international organization, regardless of whether or not this data importer is subject to the GDPR in respect of the given processing in accordance with Article 3.”
If all of the above criteria are fulfilled, the exporting controller or processor performs a Transfer and should, thus, abide by the requirements of Chapter V of the GDPR for lawful international data transfers. By defining “Transfer” in this way, the EDPB has settled what has long been a troubling question, namely whether a data exporter needs to use a transfer mechanism authorized under Chapter V of the GDPR even if the data importer is itself subject to the GDPR due to its extraterritorial scope. It is now clear that the data exporter should always rely on a transfer mechanism under Chapter V of the GDPR when conducting a Transfer.
Direct Collection of Personal Data From Individuals Is Not a Transfer
In addition, the definition of “Transfer” in the Guidelines clarifies that the collection of personal data directly from data subjects in the EEA and at the subjects’ own initiative does not constitute a Transfer. There is no Transfer in such collection because no controller or processor is sending or making the personal data available to the data importer for collection; instead, the data subjects transmit their own personal data to the data importer. For instance, there is no Transfer where an individual in the EEA enters her personal data into an online form to complete an order on a clothing website operated by a Singaporean company with no presence in the EEA, as this individual shares her personal data directly and on her own initiative with the Singaporean company. It is not clear from the Guidelines, but perhaps may be made clear if the Guidelines are revised following public consultation, whether there might be a Transfer if personal data is provided directly by individuals to a non-EEA company but not at the initiative of the individuals. Presumably this could be where an individual transfers personal data to a processor outside of the EEA at the request of the controller, for example, where an employee is directed to provide information to a travel provider or travel software provider in the United States.
Transfers by Processors Are Also Subject to Chapter V
In the Guidelines, the EDPB recalls that a Transfer can be carried out by processors to non-EEA-based controllers or sub-processors and, therefore, a processor needs to take into account the safeguards of Chapter V of the GDPR, including the New SCCs’ processor-to-controller and processor-to-processor modules. As an example, the EDPB refers to the scenario where a processor established in the EEA processes personal data of non-EEA employees/customers received from a non-EEA controller. As the processing by this specific processor is subject to the GDPR due to its establishment in the EEA, the disclosure of the personal data by the processor back to the controller is regarded as a Transfer.
Risk Assessment for Non-Transfers
The EDPB also highlights and underscores in the Guidelines that, even if a specific personal data transmission to a third country does not qualify as a Transfer, the transmission may still entail risks that need to be identified and mitigated. Controllers and processors must always comply with all relevant obligations of the GDPR, such as the Article 32 obligation to implement technical and organizational measures depending on the risks associated with the specific processing, irrespective of whether the processing is carried out in the EEA or elsewhere.
The EDPB mentions, in particular, the risks deriving from conflicting national laws, access to the personal data by the government of the country to which the data are transmitted, and deficiencies in enforcing and obtaining redress against entities outside the EEA. Consequently, it seems that the controller would still have the burden to determine and assess any risks that the third country’s laws and practices may pose to the protection of the personal data in question and potentially adopt supplementary measures or suspend the processing operation even when the application of Chapter V of the GDPR is not triggered. Such obligations are similar to those that a data exporter should follow after the Schrems II decision of the Court of Justice of the EU[2] when transferring personal data based on a transfer safeguard under Article 46 of the GDPR, such as the New SCCs.
The New SCCs Are Not Intended to Provide a Lawful Basis to Transfer to Importers Extraterritorially Subject to the GDPR
As indicated, the New SCCs should not be used for Transfers when personal data processing by the data importer is, under GDPR Article 3, subject to the extraterritorial scope of the GDPR. The Guidelines make clear that in this scenario, the data exporter would nevertheless need to base its Transfer on another transfer mechanism of the GDPR. However, the EDPB has not yet specified the options of the data exporter in this scenario. Instead, the EDPB states that it “stands ready to cooperate in the development of a transfer tool, such as a new set of standard contractual clauses, in cases where the importer is subject to the GDPR for the given processing in accordance with Article 3(2).”
In this regard, the European Commission has announced its plan to publish an additional set of SCCs, which will cover transfers to data importers subject to the GDPR. According to the Guidelines, such transfer tool should not duplicate the GDPR obligations already applicable to the data importer. Rather, the transfer mechanism should address issues such as, among others, government access to personal data in the country of the importer and laws of that country that may conflict with the GDPR.
As it stands, companies are left without a contractual mechanism to transfer personal data to data importers subject to the GDPR’s extraterritorial effect. Companies will need to avoid such transfers (unlikely to be feasible in at least some circumstances), rely on another lawful basis (again, difficult), or create an interim solution until the European Commission provides its response to this gap in international transfer mechanisms (a gap likely filled by the New SCCs and some additional provisions in the data processing agreement).
As noted, the Guidelines will be subject to public consultation until January 31, 2022. Interested stakeholders can submit their comments on the Guidelines to the EDPB for its consideration. Particularly if they are supplemented based on the feedback received between now and February 2022, the Guidelines should serve as a helpful resource for EEA and non-EEA organizations questioning whether a certain personal data flow is regarded as a Transfer that requires the implementation of GDPR transfer tools and how to ensure compliance with Chapter V post-Schrems II.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.