A Transfer By Any Other Name? EDPB Issues Draft Guidelines to Clarify GDPR Data Transfer Ambiguities

Dechert LLP

On November 19 the European Data Protection Board (EDPB) published draft guidelines on the interplay between Article 3 of the GDPR (which establishes the GDPR’s territorial scope), and the GDPR’s international transfer provisions. The draft provides some clarification for companies subject to the GDPR; however, it raises further questions about when a transfer mechanism will be required for other transfers of personal data that originate in the European Economic Area (EEA). Public comments may be submitted to the EDPB until January 31, 2022.

A Brief Refresher

The GDPR applies directly to entities that process personal data in the context of the activities of an "establishment" in the EEA, or to entities outside the EEA where the processing of European personal data relates to (i) the offering of goods or services to data subjects in the EEA, or (ii) the monitoring of their behavior.

Chapter V of the GDPR prohibits transfers of personal data outside the EEA unless certain conditions are met. A data exporter may overcome this prohibition by implementing a valid transfer mechanism with the data importer, such as standard contractual clauses (SCCs).

The new SCCs issued by the European Commission (EC) earlier this year, and the EC's Implementing Decision, seemed to suggest that transfers to importers already subject to the GDPR are not restricted, and therefore the new SCCs do not apply. There has always been some question about whether a transfer mechanism is required for personal data transferred to an entity whose processing of that data is already directly subject to the GDPR. The UK Information Commissioner’s Office had previously issued guidance stating that no transfer protection is needed if the importer’s processing is subject to the GDPR (although it is now reconsidering this position in the context of the UK GDPR as part of its consultation on data transfers).

So, what is a transfer?

The EDPB draft guidelines establish three criteria for a transfer:

  1. a controller/processor is subject to the GDPR for the processing;
  2. the controller/processor discloses, or otherwise makes available, personal data to another controller/joint controller/processor; and
  3. the recipient is in a third country or is an international organisation.

In addition, the guidelines provide some clarity and serve as a helpful reminder on some key points:

  • Non-EU controllers/processors who are subject to the GDPR are also required to comply with the GDPR transfer provisions when making an onwards transfer (this includes a transfer to a recipient in the same country in which they are established).
  • A disclosure of personal data directly from a data subject (for example, a data subject providing their name and shipping address to receive a product they ordered) is not a transfer. In such instances, non-EU controllers/processors collecting personal data directly from EU data subjects would not need to implement a transfer mechanism (although they would need to otherwise comply with the GDPR, including having mechanisms in place for onwards transfers).
  • There must be two separate parties (an exporter and an importer); remote access by an employee from a different country is not a transfer. The example given by the EDPB relates to a business trip by an employee, so it would be helpful if the EDPB could confirm in the final guidance that this principle applies in the case of permanent overseas employees or branches.
  • Even where a data flow may not count as a ‘transfer’, the EDPB points out that there may still be risks due to conflicting national laws or government access in the third country. The guidelines state that the controller is accountable for its processing activities, regardless of where they take place, and must consider the requirement to implement appropriate technical and organisational measures. A controller may conclude that extensive security measures are needed or that it may not make the transfer. The EDPB is effectively asking controllers to undertake a Schrems II transfer impact assessment (even where there is no ‘transfer’ under Chapter V of the GDPR).
  • It is irrelevant whether the importer is itself subject to the GDPR; i.e., a transfer mechanism is still required where the importer is already directly subject to the GDPR.

The EC recently indicated that it will develop a specific set of SCCs for situations where the importer is subject to the GDPR, which will presumably better reflect the importer’s existing obligations and focus on filling any ‘gaps’ (i.e., ‘SCCs-lite’).

Transfer Summary

Takeaways

The EDPB’s draft guidelines provide some clarity on international data transfers by entities that are subject to the GDPR. However, the EDPB muddied the waters by appearing to require transfer mechanisms for onward transfers of personal data that originate in the EEA but take place outside the EEA (e.g., by a U.S. company to its U.S. processors). Even where there is no “transfer” under the draft guidelines, the EDPB effectively requires a Schrems II assessment of the risk of government access to European personal data, including any need to implement supplementary measures. Businesses may want to take advantage of the public consultation by submitting comments on the impacts of the draft guidelines.

We will keep you informed of key developments.

Footnotes

1) In each of these scenarios, we have assumed that there is no adequacy decision in respect of the country of the importer. However, checking for an adequacy decision should generally be the first step.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
