EDPB Data Transfer Guidance: Draft released for consultation
Many Australian organisations have suffered the double whammy of being caught by the extraterritorial operation of the General Data Protection Regulation (GDPR) and, on top of that, by its cross-border transfer provisions (which require the use of Standard Contractual Clauses). Recent EDPB guidance on the interplay between the data transfer and territorial scope provisions of the GDPR confirms that this will continue.
Even if you are covered by the GDPR, the cross-border transfer provisions still apply if you are outside the European Economic Area (EEA). In effect, the EDPB chose a “geographic” approach to defining data transfers (it is a transfer once data leaves the EEA, even if the importer is itself subject to the GDPR) over a “jurisdictional” approach (it would be a transfer only if the importer is not subject to the GDPR).
EDPB Data Transfer Guidance: What does it say?
In a post-Schrems era, where many uncertainties remain about cross-border transfers, understanding what constitutes a transfer of personal data is an important question. Data flows which do not amount to a data transfer within the meaning of Chapter V of the GDPR will not be subject to the cross-border transfer restrictions, including the additional complications arising from the Schrems II decision.
The Guidance document provides that data importing entities that are already directly subject to the GDPR must also rely on and apply one of the transfer mechanisms listed in Chapter V GDPR when they receive personal data from the EU (e.g. Standard Contractual Clauses, Binding Corporate Rules etc.). EDPB Chair Andrea Jelinek said the guidance presents “a consistent interpretation of the concept of ‘international transfers’.”
The draft guidance offers three “cumulative criteria”, all of which must be met for a data flow to qualify as a transfer:
- The exporting controller or processor must be subject to the GDPR (regardless of whether it is located in the EU or not); and
- There must be an ‘exporter’ and an ‘importer’. The exporter (whether a controller or processor) must disclose personal data to another controller / joint controller or processor (the importer); and
- The importer must be in a third country outside of the EEA (or be an international organisation) regardless of whether it is itself subject to the GDPR.
EDPB Data Transfer Guidance: What does it mean in practice?
Some organisations may benefit from the lifting of the data transfer restrictions. However, others may not be so lucky.
Beneficiaries include those collecting data directly from the individual. The effect of criterion 2 above is to exclude the direct collection of data from data subjects from the definition of ‘transfer’. The board explicitly said it does not consider the “collection of data directly from data subjects in the EU at their own initiative” to be a transfer.
In this context, recipients of personal data will not be ‘importers’ under the data transfer provisions of the GDPR (Chapter V), even though they may be subject to the GDPR under Article 3(2).
Similarly, mere access from a third country will not always amount to a transfer within the meaning of Chapter V GDPR. The transfer must be from one controller / processor to another. So, remote access to EU data by a travelling employee (who is an integral part of the EU-based controller) from outside of the EEA will not qualify as a transfer. In this scenario, the EDPB says the controller need only apply appropriate technical and organisational measures to the data (Article 32 GDPR), and does not need to rely on or apply a transfer mechanism.
Perhaps more interestingly, according to the EDPB, the sharing of data between entities belonging to the same corporate group “may” constitute a transfer. Unfortunately, the only example provided – a subsidiary based in the EU sharing data with its parent company in the US – is one that does qualify as a transfer. In the absence of two separate legal entities, there can be no data transfer, the EDPB asserts. However, from a data protection perspective it is often not clear what “an entity” is and where it is located.
Unhelpfully, the EDPB does not provide any examples of data sharing within a corporate group that does not constitute a transfer.
More Standard Contractual Clauses?
Adding to the lack of clarity about transfers is Recital 7 of the new SCCs adopted in June 2021, which states that the new SCCs may not be used if the data processing by the importer is directly subject to the GDPR. In this draft guidance, the EDPB suggests that, for these transfers, the existing GDPR obligations do not need to be repeated, so that any SCCs need only provide the missing elements (e.g. how to handle legally binding data disclosure requests). Accordingly, a new data transfer mechanism for this scenario will be needed.
We will get a better idea of what this might look like when new standard contractual clauses for this scenario are issued by the EU Commission, hopefully sometime in 2022. For many, the Guidance means yet another change, with potentially another set of SCCs to be released.
EDPB Data Transfer Guidance: What happens next?
The Guidance document is still in draft form and there are areas where further guidance would be welcome. For instance:
- Can data collected automatically (for instance, via cookies) be considered as data obtained ‘directly’ and ‘on the initiative’ of the EU based individual?
- Would a non-EEA importer be able to benefit from the more flexible interpretation of the concept of transfer if it has a presence (e.g. subsidiaries) in the EU, where such subsidiaries are not involved in the data flows?
- Would non-EEA importers only benefit from the ‘light’ SCCs if they are subject to the GDPR in relation to the personal data subject to transfer?
- In the case of the employee travelling outside of the EEA, would we reach the same conclusion where the employee is based permanently outside of the EEA?
The consultation period closes on 31 January 2022. Interested stakeholders can submit their feedback to the EDPB before that date.