In the post-Schrems II era, legitimising international data transfers can be a burdensome and uncertain exercise. As we embark on 2022, it continues to be one step forward and two steps back in the area of international data transfers.
A Step Forward
In a positive move, in late 2021, the European Data Protection Board (“EDPB”) adopted draft guidelines 05/2021 (“the draft guidelines”) on the interplay between data transfers and the scope of the General Data Protection Regulation (“GDPR”), which provide welcome clarification on what constitutes a “transfer” of personal data to a third country or to an international organisation under Chapter V of the GDPR.
Two Steps Back
On the other hand, the European Commission and EDPB also created a new complexity for businesses, by stating that a new data transfer tool needs to be developed to legitimise transfers of data to non-EEA data importers that are already subject to the GDPR (pursuant to Article 3(2), because they offer goods or services to, or monitor the behaviour of, EU individuals).
In this article, Matheson’s Technology and Innovation partner Davinia Brennan outlines the effect of these developments on data transfers.
One Step Forward – Clarification on what Constitutes a Data “Transfer”
The EDPB, in its draft guidelines, proposes the following three-part definition of what constitutes a “transfer” of personal data under the GDPR:
1. The controller or processor (“exporter”) is subject to the GDPR for the given processing (regardless of whether it is located in the EU or not).
2. The controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
3. The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
When the three criteria listed above are met, the data flow is considered a “transfer” under the GDPR, and the controller or processor will need to comply with the conditions of Chapter V of the GDPR. This means ensuring an appropriate level of protection is guaranteed in the third country of destination (e.g. through an adequacy decision in respect of the third country, or a transfer tool such as the Standard Contractual Clauses (“SCCs”), Binding Corporate Rules (“BCRs”), or Article 49 derogations in specific situations).
Situations that will not require SCCs
With regard to the second criterion, the EDPB note that a transfer tool is not needed when an EU individual discloses personal data directly and on their own initiative to an entity based outside the EEA, as there is no controller or processor sending or making the data available (i.e. no exporter).
The EDPB also highlight that the concept of a transfer only applies to disclosures of personal data between two different (separate) parties (each of whom is a controller, joint controller or processor). The EDPB provide an example of a Polish employee travelling to India for a business meeting. The employee uses his computer to remotely access personal data on his company’s database to finish a memo. This remote access from a third country does not constitute a “transfer” of personal data, as the employee is not another controller, but rather an employee of the controller.
On the other hand, data disclosures between entities belonging to the same corporate group may constitute transfers of personal data, to the extent they are separate controllers or processors.
Why was Clarity Needed?
As the GDPR does not provide a legal definition of what constitutes a “transfer” of personal data to a third country or international organisation, EU and/or national regulatory guidance on this issue has been eagerly awaited. Confusion has reigned, in particular, in regard to the interplay between the extraterritorial scope of the GDPR in Article 3, and the transfer rules in Chapter V of the GDPR. The key question has been whether a transfer tool is required when personal data is transferred to an importer located outside the physical territory of the EEA or if a transfer tool is only required if the importer falls outside the jurisdictional scope of the GDPR.
This confusion was exacerbated by Recital 7 of the new SCCs, which were adopted by the European Commission on 27 June 2021. That recital states that the SCCs should not be used for transfers of personal data to non-EEA importers who are already subject to the GDPR pursuant to Article 3(2). The inclusion of this recital implied that a transfer tool might only be required if the importer falls outside the jurisdictional scope of the GDPR.
However, the draft guidelines helpfully clarify that a “transfer” of data occurs when personal data moves from an organisation subject to the GDPR to a separate organisation outside the physical territory of the EEA. Accordingly, the need for compliance with the transfer rules in Chapter V of the GDPR is a territory-based, rather than jurisdiction-based, issue.
This ultimately means that the disclosure of personal data to a non-EEA importer, to whom the GDPR is applicable on an extraterritorial basis pursuant to Article 3(2), should be regarded as a “transfer” of data, and comply with the data transfer rules in Chapter V of the GDPR.
Two Steps Back – the Development of a New Transfer Tool
As highlighted above, the new SCCs are not suitable for use when an exporter is transferring data to a non-EEA importer that is already subject to the GDPR pursuant to Article 3(2). In the EDPB’s view, a new transfer tool needs to be developed for such transfers, as less protection is needed if the non-EEA importer is already subject to the GDPR, and in order not to duplicate the GDPR obligations which the importer is already subject to. The EDPB suggest that the new transfer tool should, for example, address the measures to be taken in the event of conflict of laws between third country legislation and the GDPR and in the event of legally binding requests in the third country for disclosure of data.
The European Commission has confirmed that it intends to develop a new transfer tool – in the form of a new set of SCCs – specifically for transfers to non-EEA importers subject to Article 3(2) of the GDPR. However, there is no indication as to when the new SCCs will be finalised. In the interim, companies should exercise caution in regard to such transfers and ensure appropriate safeguards are in place.
The consultation period for the draft guidelines closes on 31 January 2022. The Matheson Technology and Innovation team will be actively keeping abreast of developments as the consultation process progresses. If you would like to discuss this, or any other related data protection and data privacy matters concerning your business, please do not hesitate to contact Davinia Brennan, or any other member of the Technology and Innovation Group.