EDPB consults on GDPR guidelines for international data transfers
Published on 22nd Dec 2021
Draft guidelines on how territorial scope and international data transfers interact under GDPR will help create greater legal certainty but raise new questions and leave others unanswered
The European Data Protection Board (EDPB) has published (18 November 2021) its draft Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international data transfers (Chapter V) of the General Data Protection Regulation (GDPR). The draft guidelines are open for public consultation until 31 January 2022.
The international data transfer provisions in Chapter V of the GDPR (under both EU and UK regimes) remain a major issue for organisations navigating a flow of current – and at times conflicting – developments across the EU and UK.
The draft guidelines provide much needed guidance for organisations on when exactly a transfer of personal data is subject to the international data transfer provisions in Chapter V of the EU GDPR. Where Chapter V applies, a data transfer mechanism is required, such as the new EU standard contractual clauses (SCCs) published earlier this year. However, several aspects relating to international data transfers remain unclear.
What are the Chapter V criteria?
The EDPB identifies three cumulative criteria that must apply for the processing to be subject to Chapter V:
- A controller or a processor is subject to the GDPR for the given processing. The EDPB cross-refers to its separate guidance on the territorial scope of the GDPR (EDPB Guidelines 3/2018).
- The controller or processor (the "exporter") transfers personal data, or makes personal data available, to another controller, joint controller or processor (the "importer").
- The importer is in a third country, irrespective of whether the importer is subject to the GDPR.
The draft guidelines set out in more detail what each of these criteria means in practice.
What are the main takeaways for organisations?
- The "GDPR bubble" concept dismissed as EDPB looks to develop new SCCs. The EDPB has dismissed the concept of a "GDPR bubble" that disapplies Chapter V of the GDPR where the importer is based in a third country but is directly subject to the GDPR (the UK Information Commissioner's Office (ICO) previously advocated this position, but it remains subject to consultation). The EDPB views a transfer to a non-EU importer that is subject to the GDPR as still falling under Chapter V. However, it recognises that fewer protections are needed where the non-EU importer is already subject to the GDPR. Rather than duplicating obligations that already apply to the importer by virtue of the GDPR, the EDPB considers that – instead of entering into the currently available new SCCs – a new transfer tool, such as dedicated SCCs, should be developed for instances where the non-EU importer is subject to the GDPR. The European Commission has also confirmed that, once the draft guidelines are finalised, it will develop a specific set of SCCs for transfers to non-EU importers subject to Article 3(2) GDPR.
- Data obtained directly from a data subject is not a transfer and not subject to Chapter V. The guidelines confirm that data collected directly from a data subject in the EU is not a transfer. For example, where a data subject completes an online form on a website operated by a non-EU company, this will not amount to a transfer subject to Chapter V.
- EU processor transferring personal data back to non-EU controller is a transfer subject to Chapter V. Where a processor in the EU sends data back to a controller in a third country, that is subject to Chapter V, even though the data relates to non-EU data subjects. This is not surprising given that the territorial scope of the GDPR is indifferent to the data subject's residence and that the new SCCs have a specific module applicable to this scenario (Module 4 – processor to controller). Historically, these transfers have not been "papered" given the lower risk of enforcement and the lack of available data transfer tools (prior to the new SCCs, there were no processor-to-controller standard contractual clauses available).
- The transfer has to be to a "separate" party. Chapter V "only applies to disclosures of personal data where two different (separate) parties (each of them a controller, joint controller or processor) are involved". In practice, this means that employees of an EU controller or processor who travel abroad and remotely access company systems from a third country are not making a transfer, so the situation is not subject to Chapter V. Transfers of personal data between group companies (separate entities), by contrast, are transfers subject to Chapter V.
- Transfers by non-EU controller or processor subject to the GDPR within a third country. The EDPB also clarifies that Chapter V will apply to non-EU controllers or processors that are subject to the GDPR by virtue of Article 3(2) where they transfer personal data to a controller or processor "in the same or another third country".
- Additional safeguards to comply with other GDPR requirements when Chapter V doesn't apply. Even if the transfer is not subject to Chapter V, controllers and processors still need to consider compliance with other GDPR requirements; for example, security of processing (Article 32). This means that additional safeguards might be required. For example, in the case of an employee travelling abroad, this may mean not taking company laptops to certain countries.
Do the EDPB draft guidelines apply to the UK GDPR too?
While these guidelines will provide more clarity when interpreting requirements under the EU GDPR, following Brexit the UK is no longer a member of the EDPB. Consequently, while we expect the draft guidelines will still be persuasive, they do not necessarily reflect the UK ICO's views when interpreting the same Chapter V requirements under the UK GDPR. In addition, as mentioned above, the UK ICO has been separately consulting on its own international data transfer guidance and UK SCCs, and the outcome of this is still pending.
Osborne Clarke comment
The interpretations set out by the EDPB in the draft guidelines, for the most part, are unsurprising (and are aligned with previous guidance setting out similar positions), but they do help create greater legal certainty for organisations. However, the draft guidelines, in many respects, raise new questions or leave questions unanswered.
While we are waiting for the new SCCs for non-EU importers subject to GDPR, what should companies that are already transferring personal data to a non-EU importer subject to GDPR do in the meantime? In most cases, data transfer tools other than the new SCCs (such as binding corporate rules) are not available. In the meantime, should such companies put in place the new SCCs despite recital 7? The latter is common in practice.
There is also the question of whether Chapter V applies between an EU controller and an EU processor if employees of the EU processor work remotely from a third country and have access to the personal data of the EU controller while in that third country.
And do transfers of personal data from an EU entity to its branch offices in a third country fall within Chapter V and, if so, how could the new SCCs be concluded with a branch office that does not have a "legal personality"? This is a question that has been explicitly picked up by the ICO in its recent consultation and, therefore, we may receive clearer guidance, at least from the ICO, on this issue.
While it is (in our view) not surprising that data obtained directly from a data subject is not a transfer and so not subject to Chapter V, numerous US companies believed, in the past, that this does qualify as an international data transfer and that they needed to subscribe to the (now invalidated) EU-US Privacy Shield in order to receive personal data directly from EU-based data subjects (as they could not enter into the SCCs with the data subjects as exporters).
The clear statement of the EDPB may have a significant impact for US-headquartered online service providers. At present, EU-based customers are typically required to enter into a contractual relationship with an EU subsidiary in order to enjoy the online services, with the consequence that any onward transfer of the EU customers' personal data to the US-headquarters would be subject to Chapter V.
In the future, global online service providers may well need to reconsider whether a direct contractual relationship between the EU-based customer and the US-headquarters – and a corresponding direct data provision by the EU-based customer to the US-headquarters – is more beneficial to avoid the application of Chapter V.
In addition, many companies have already made significant updates to their commercial contracts in order to implement the new EU SCCs which became mandatory for new transfers from September 2021. It is unhelpful for the EDPB to confirm at this stage that the new EU SCCs don't account for all scenarios and, therefore, that further updates may be necessary.