EU: What is an international data transfer under the GDPR? New draft guidelines from the EDPB explained
The European Data Protection Board ('EDPB') adopted, on 18 November 2021, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR [1] ('the Guidelines'). The Guidelines aim to clarify the interaction between Article 3 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Chapter V of the GDPR. Wim Nauwelaerts, Partner at Alston & Bird LLP, provides an overview of the Guidelines, including of the criteria necessary for the qualification of data transfers as an 'international data transfer' ('IDT').
One of the major improvements of the GDPR is that it includes an extensive list of key definitions that are essential for the proper interpretation and application of the GDPR (in Article 4 of the GDPR). One definition that is missing, however, is what constitutes a 'transfer' of personal data to a third country or to an international organisation for purposes of Chapter V of the GDPR. Presumably the legislator wanted to provide data protection authorities with a maximum degree of flexibility when applying the GDPR in practice, hence they decided not to include a definition of 'international data transfer' in the GDPR.
When the Court of Justice of the European Union ('CJEU') issued its decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') in 2020 [2], stakeholders were hoping that the EDPB would offer guidance around the concept of data transfers outside of the EU and explain when the GDPR's rules on international data transfers kick in. Both the Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems [3] ('FAQs') and the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data [4] that the EDPB published in the wake of the Schrems II Case failed to address the question, 'what is an international data transfer under the GDPR?', leaving controllers and processors with limited insight on this important topic.
Several years prior to the GDPR's adoption, the European Commission had issued its own Frequently Asked Questions Relating to Transfers of Personal Data from the EU/EEA to Third Countries [5], which included the following useful description:
"The term 'transfer of personal data' is often associated with the act of sending or transmitting personal data from one country to another, for instance by sending paper or electronic documents containing personal data by post or e-mail. Other situations also fall under this definition: all the cases where a controller takes action in order to make personal data available to a third party located in a third country. However the Court of Justice has stated that there is no 'transfer of personal data to a third country' where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider which is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country (Case C-101-01, Bodil Lindqvist, ECR, 2003-Page I-12971)."
Acknowledging that more guidance was necessary, particularly in light of the GDPR's new provisions on extra-territorial scope (in Article 3 of the GDPR), the EDPB adopted the Guidelines. The Guidelines, which are open to public consultation until the end of January 2022, should assist controllers and processors whose processing is subject to the GDPR in identifying whether a processing operation constitutes an IDT, and provide a common understanding of the concept of IDTs under the GDPR.
The first part of the Guidelines
In the first part of the Guidelines, the EDPB specifies three cumulative criteria that must be fulfilled in order for a cross-border sharing of personal data to qualify as an IDT, as that concept is used in Chapter V of the GDPR:
- The data exporter (a controller or processor) is subject to the GDPR for the given processing.
- The data exporter transmits or makes available personal data to a data importer (another controller, joint controller, or processor).
- The data importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing.
The first criterion includes two conditions: (i) there must be a controller or a processor of personal data; and (ii) that controller/processor's processing must be subject to the GDPR. There is no IDT if personal data is disclosed directly and on their own initiative by data subjects in the EU to controllers/processors outside of the EU. In those cases, there is no controller or processor acting as a data exporter, and therefore, the first criterion is not met. In addition, the data exporting controller or processor must be subject to the GDPR for the given processing. As per Article 3(1), the GDPR applies to processing by a controller or processor carried out in the context of the activities of an establishment of that controller or processor in the EU. Whether or not the actual processing takes place in the EU is irrelevant. Even if a data processing activity does not meet the establishment criterion in Article 3(1), the GDPR can still apply if the criterion in Article 3(2) is met. Per Article 3(2), the GDPR applies to the processing of personal data by a controller or processor not established in the EU, where that controller/processor 'targets' individuals in the EU by offering them goods or services or by monitoring their behaviour (as far as that behaviour takes place within the EU). In short, a data exporting controller/processor does not have to be established in the EU for purposes of an IDT; controllers and processors not established in the EU but subject to the GDPR pursuant to Article 3(2) will have to comply with Chapter V when transferring personal data to a third country or to an international organisation.
The second criterion requires that there is a controller or processor disclosing personal data by transmission or otherwise making personal data available to another controller or processor. In this context, the EDPB refers to its previous guidance, Guidelines 07/2020 on the concepts of controller and processor in the GDPR [6]. It also emphasises that a case-by-case analysis of the processing at stake and the roles of the different actors involved will be necessary. An IDT may not only be carried out by a controller but also by a processor, i.e. there may be transfer situations where a processor sends personal data to another processor or even to a controller as instructed by its controller.
The second criterion also implies that there can only be a transfer if at least two different (separate) parties (each of them a controller, joint controller, or processor) are involved. If the sender and the recipient are not different controllers/processors - i.e. if the data are processed within the same controller/processor - there is no IDT. For instance, there is no IDT if employees of controllers in the EU travel outside the EU on a business trip and access personal data remotely (via their company's systems). The EDPB considers this to be a disclosure within the same controller i.e. the company in question. Even if there is no IDT in this specific case, under Article 32 of the GDPR, the controller may still decide to implement additional security measures - for example, that the employees cannot bring company laptops or other devices to certain countries outside the EU.
The Guidelines clarify that legal entities which form part of the same corporate group may qualify as separate controllers or processors. Therefore, there may be an IDT if legal entities belonging to the same corporate group exchange personal data (intra-group data disclosures), for instance, to centralise the storage of their HR data with one of the group entities.
The third criterion requires that there is a data importing controller or processor which is geographically located in a country outside of the EU or is an international organisation, regardless of whether that controller/processor's data processing is subject to the GDPR.
The Guidelines provide the example of a controller (Company A) without an establishment in the EU that offers goods and services to individuals in the EU. A processor located in France (Company B) processes personal data on behalf of Company A in connection with that offering, and subsequently Company B re-sends the processed data to Company A outside of the EU. The processing performed by Company B is covered by the GDPR for processor-specific obligations pursuant to Article 3(1), since it takes place in the context of the activities of its establishment in the EU. The processing performed by Company A is also subject to the GDPR, as Company A offers goods and services to individuals in the EU (Article 3(2) GDPR). Since Company A is established outside of the EU, the disclosure of personal data from Company B to Company A is regarded as an IDT to which Chapter V of the GDPR applies.
The problem, however, is that the European Commission's recently updated Standard Contractual Clauses ('SCCs') for the transfer of personal data to third countries can be used only to the extent that the processing by the data importer does not fall within the scope of the GDPR [7]. This means that, in the example above, Company B and Company A would not be able to enter into the current SCCs to legitimise their IDT.
The second part of the Guidelines
The second and final part of the Guidelines discusses the legal consequences of an IDT under the GDPR. If the transfer criteria are met, the controller or processor 'exporting' the data must ensure compliance with Chapter V of the GDPR by using one of the instruments listed in the GDPR and aimed at protecting personal data after they have been transferred to a third country or an international organisation. These instruments include:
- 'adequacy decisions' relating to the third country or international organisation to which the data is transferred (Article 45 of the GDPR); or
- in the absence of an adequacy decision, the implementation of one of the appropriate safeguards as provided for in Article 46 of the GDPR (e.g. SCCs, Binding Corporate Rules ('BCRs'), and Codes of Conduct); or
- in the absence of an adequacy decision or an appropriate safeguard per Article 46, one of the derogations in Article 49 of the GDPR.
The Guidelines further highlight that the content of Article 46-type safeguards for international transfers needs to be customised depending on the situation. New transfer tools (e.g. SCCs) dealing with the transfer scenario in which the data importer's processing falls under the scope of the GDPR should not duplicate the GDPR obligations that already apply. Instead, they should focus on the elements and principles that are 'missing' and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country, as well as the difficulty of enforcing and obtaining redress against an entity outside the EU. The EDPB, therefore, seems to suggest that the additional SCCs that the European Commission is reportedly in the process of preparing for data importers subject to Article 3(2) of the GDPR should be a 'light' version of the current SCCs. This makes sense, as many obligations in the current SCCs are already directly applicable to data importers whose processing is in scope of the GDPR as a result of Article 3(2).
Even if data flows outside the EU may not constitute an IDT under Chapter V of the GDPR, the related processing may still entail certain risks for which data protection safeguards should be envisaged. The Guidelines remind controllers and processors that, regardless of whether or not data processing takes place in the EU, they always have to comply with all relevant provisions of the GDPR, such as the Article 32 obligation to implement technical and organisational measures to keep the data secure.
Wim Nauwelaerts, Partner
Alston & Bird LLP, Brussels
1. Available at: https://edpb.europa.eu/system/files/2021-11/edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf
2. See: https://curia.europa.eu/juris/liste.jsf?num=C-311/18
3. Available at: https://edpb.europa.eu/sites/default/files/files/file1/20200724_edpb_faqoncjeuc31118_en.pdf
4. Available at: https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf
5. Available at: https://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/12_international_transfers_faq_/12_international_transfers_faq_en.pdf
6. Available at: https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf
7. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, OJ L 199, 7.6.2021, p.35. See also: https://www.dataguidance.com/opinion/eu-are-additional-sccs-international-data-transfers