Key point: The EDPB takes the position that geographical boundaries – and not GDPR’s jurisdictional reach – govern the restricted transfer determination.
On November 19, 2021, the European Data Protection Board (EDPB) published draft guidelines on the interplay between the application of GDPR Article 3 and its provisions on international transfers in Chapter V.
The draft guidelines answer the question of whether a transfer of personal data occurs when the data leaves GDPR’s jurisdictional scope or when it leaves the European Union’s geographic scope. The draft guidelines also provide three criteria and a number of illustrative examples to help controllers and processors identify restricted transfers.
Restricted transfers are of heightened focus in light of the Court of Justice of the European Union’s decision in Schrems II, the European Commission’s issuance of new standard contractual clauses, and the EDPB’s recommendations on supplementary measures for cross-border data transfers. The guidelines – once finalized – will provide entities with further guidance on how to navigate this complex legal issue.
The draft guidelines will be open to public comment until the end of January.
Below is a summary.
Geography Not Jurisdiction
The need for guidelines stems from the interplay between GDPR’s extraterritorial application as set forth in Article 3 and its Chapter V requirement that transfers of personal data to a third country or international organization shall take place only if certain conditions are met (e.g., adequacy decision or standard contractual clauses).
For example, if a French company uses a U.S. company to process personal data, and the U.S. company is subject to GDPR’s jurisdiction based on Article 3’s extraterritorial reach, has a “transfer” subject to Chapter V taken place? Or, rather, does the fact that the U.S. company is required to comply with GDPR trump its geographic location?
The EDPB takes the position that geography – and not GDPR’s jurisdiction – is the determinative factor. This is because “[w]hen personal data is transferred and made accessible to entities outside the EU territory, the overarching legal framework provided within the Union no longer applies.” Therefore, it must be ensured that personal data transferred to a third country receives treatment essentially equivalent to what it would receive in the Union, such as through the use of supplementary measures. So understood, Chapter V “complements” the territorial scope of GDPR.
Criteria for Identifying a Chapter V Restricted Transfer
The draft guidelines identify three criteria for determining whether there is a “transfer of personal data to a third country or to an international organization”:
- A controller or a processor is subject to the GDPR for the given processing.
- This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
- The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
If any of these three criteria is not met, there is no “transfer” and Chapter V does not apply. As discussed more fully below, the draft guidelines provide a number of examples applying and interpreting the criteria for specific situations.
Direct Collection from Data Subjects Not a Transfer
The draft guidelines state that a restricted transfer does not occur when a data subject discloses her personal data directly to the recipient. The guidelines provide an example of an Italian woman who orders clothes online from a Singapore website. The EDPB explains that “this does not constitute a transfer of personal data since the data are not passed by an exporter (controller or processor), since they are passed directly and on her own initiative by the data subject herself.” A data subject cannot be an “exporter” of their own personal data.
This is significant for U.S. companies that operate websites in the EU and are subject to GDPR through Article 3(2). Such companies do not need to find a legal basis to effectuate the transfer of personal data outside of the EU, which would have been difficult (if not impossible) given the Guidelines on Article 49 derogations adopted in May 2018.
Use of EU-Based Processors
Example 3 of the draft guidelines presents a situation in which an entity that is not established in the EU, and thus not subject to GDPR through Article 3(1), uses a processor located in the EU to process the personal data of non-EU residents. The EDPB states that the transfer of the data by the EU-based processor back to the non-EU-based data controller is a restricted data transfer subject to GDPR Chapter V.
Example 3 logically builds on Example 7 from the EDPB’s Guidelines on GDPR’s territorial scope, which provides that in this scenario the EU-based processor must comply with GDPR’s processor obligations. The risk to the data controller is tempered by the fact that it is not subject to GDPR. Nonetheless, if the controller is in a country that has not received an adequacy decision, using the EU-based processor presents this additional hurdle as compared to using a processor in, for example, its own country.
In Example 7 of the draft guidelines, the EDPB analyzes this same data flow but the non-EU-based controller is subject to the GDPR’s jurisdiction through Article 3(2) because it offers goods and services to the EU market. As in Example 3, the disclosure of data from the EU-based processor to the controller is a restricted transfer subject to Chapter V. More on this scenario below. Through these examples, the EDPB reaffirms that geography – and not jurisdiction – is the determinative factor for whether the transfer is subject to Chapter V.
Employee Access from Third Countries
The draft guidelines also tackle the issue of remote access by company employees who are in third countries. The draft guidelines note that “[i]n order to qualify as a transfer, there must be a controller or processor disclosing the data (the exporter) and a different controller or processor receiving or being given access to the data (the importer).” The example provided is an employee from a Polish company traveling to India for a meeting and using his computer to remotely access the company’s database to finish a memo. The EDPB states that this remote access “does not qualify as a transfer of personal data, since [the employee] is not another controller, but an employee, and thus an integral part of the controller.”
The EDPB’s comments should be read in conjunction with its comments in its Recommendations on supplementary measures that “remote access from a third country (for example in support situations) and/or storage in a cloud situated outside the EEA offered by a service provider, is also considered a transfer.”
The EDPB emphasizes that regardless of whether a transfer occurs, controllers are still subject to GDPR’s other requirements, like implementing technical and organizational security measures. In that regard, “a controller may conclude that employees cannot bring their laptops, etc. to certain third countries” because of the risks associated with processing personal data in those countries.
The draft guidelines note that “entities which form part of the same corporate group may qualify as separate controllers or processors. Consequently, data disclosures between entities belonging to the same corporate group (intra-group data disclosures) may constitute transfers of personal data.” The EDPB provides an example of an Irish subsidiary of a U.S. parent company that transfers the personal data of its employees to the U.S. parent company for storage in a centralized human resources database. The EDPB states that this is a restricted transfer subject to Chapter V.
Transfers to Article 3(2) Controllers: More to Come
There are currently no standard contractual clauses for situations in which the importer is subject to GDPR pursuant to Article 3(2). The EDPB states that such transfer tools are “only available in theory.”
Indeed, while the European Commission issued new standard contractual clauses in July 2021, Paragraph 7 of the Implementing Decision states that the “standard contractual clauses may be used for [transfers to processors or controllers in a third country] only to the extent the processing by the importer does not fall within the scope of” GDPR. Paragraph 7 specifically notes that this includes transfers where the processing is subject to GDPR pursuant to Article 3(2).
To that end, the Minutes from the EDPB’s September 14 meeting foreshadow that standard contractual clauses are forthcoming to address this type of transfer: “The EU COM confirmed, that, after the draft guidelines are adopted, they intend to develop a specific set of SCCs regarding transfers to importers subject to Article 3(2) GDPR.”
As mentioned, the guidelines are subject to public comment until the end of January 2022.