Guidance issued by the EDPB on international transfers of personal data
On 18 November 2021, the European Data Protection Board (the "EDPB") adopted guidelines (the "Guidelines") on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation ("GDPR"). The objective of the Guidelines is to assist data controllers and data processors, especially those within the EU, with identifying an international transfer. The Guidelines are also intended to address uncertainties that have emerged following the European Commission's new standard contractual clauses, published in June 2021.
In short, the Guidelines provide "three cumulative criteria that qualify a processing as a transfer"; where all three are met, the processing is a transfer to a third country or to an international organisation and must comply with Chapter V of the GDPR. The Guidelines remain subject to a public consultation which ended on 31 January 2022, the outcome of which is still pending, but they provide some indication of how the EDPB will understand international transfers.
The three cumulative criteria from the Guidelines are as follows:
1. a controller or processor is subject to the GDPR for the given processing (the "exporter");
2. the exporter discloses, transmits or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (the "importer"); and
3. the importer in (2) is in a third country or is an international organisation, irrespective of whether the importer is already subject to the GDPR in respect of the given processing.
If (1)-(3) are met, the transfer would need to comply with the conditions of Chapter V GDPR even if the importer is already subject to the GDPR by virtue of the extraterritorial scope of Article 3 GDPR. The Guidelines confirm that a data controller in a third country collecting data directly from EU-based data subjects does not constitute a transfer.
The Guidance adds that where there is a data transfer and the importer and exporter are developing relevant transfer tools (e.g. standard contractual clauses), they should cover areas of contrast between the two jurisdictions (if any), particularly with respect to conflicting national laws, government access requests in the receiving third country and the difficulty for data subjects to obtain redress against an entity in the receiving third country. The EDPB has acknowledged that the Guidance creates a new complexity for organisations by creating a need for a transfer tool even when importers are already subject to the GDPR by virtue of Article 3(2). The European Commission confirmed that it intends to develop a new and specific set of SCCs for transfers to importers subject to Article 3(2) GDPR. Bruno Gencarelli, head of data flows and protection at the European Commission, spoke at the IAPP's Data Protection Congress in November and termed these to-be-developed supplemental SCCs "SCCs lite".[1]
Putting the Guidance into practice
1. Controller in a third country collects data directly from a data subject in the EU.
Example: A U.S. based investment bank has an account for a client who lives in the EU. The investment bank has no offices in the EU. They directly collect data on her trading activities and how she interacts with the bank's services.
Does this constitute a transfer? No.
Explanation: The investment bank is subject to the GDPR for the given processing by virtue of Article 3(2) of the GDPR, so criterion (1) is met. However, the investment bank does not disclose, transmit or otherwise make this personal data available to another controller, joint controller or processor, so criterion (2) is not met. The example is therefore not an international transfer, which means that it is not necessary for the bank to put in place additional safeguards such as SCCs. However, as the client is an EU-based data subject, the bank does need to ensure that its processing operations are compliant with the GDPR pursuant to Article 3(2).
2. Processor in the EU sends data back to controller in third country.
Example: An EU-based data subject interacts with an advertisement placed on an EU-based social networking site which collects data about the interaction with such advertisements for an American company.
Does this constitute a transfer? Yes.
Explanation: The social networking site is a data processor which is subject to the GDPR for processor-specific obligations pursuant to Article 3(1), so criterion (1) is met. The social networking site discloses this data to the American company, which decides the purposes of the processing and is therefore the data controller; criterion (2) is therefore met. Finally, as the American company is in a third country, criterion (3) is met. The disclosure of data from the social networking site to the American company is regarded as a transfer of personal data, Chapter V of the GDPR applies and a transfer mechanism is needed.
3. Employee of a controller in the EU travels to a third country on a business trip.
Example: An employee of France Consulting S.A., an EU based company, takes a business trip to China. During the trip, the employee does work using the company's database involving personal data.
Does this constitute a transfer? No.
Explanation: Despite the data being accessed from a third country (which, on the surface, may appear to meet criteria (2) and (3)), the data is not passed by an exporter to an importer. Instead, the access to the data takes place within the same controller (France Consulting S.A.), so criteria (2) and (3) are not met. The processing, including the remote access and the processing activities carried out, is performed by France Consulting S.A., the controller established in the EU. Although there is no transfer, the processing will still be subject to Article 3(1) of the GDPR by virtue of the controller being established in the EU.
[1] EDPB, 54th Plenary meeting, 14 September 2021, Remote: 20210914plenfinalminutes_54thplenary_public.pdf (europa.eu)