The European Data Protection Board (EDPB), the body which represents EU data protection authorities, has adopted guidelines (Guidelines) confirming when transfers need to be “safeguarded” in accordance with the GDPR (and importantly when they do not). In particular:
- A non-EU controller or processor that is subject to the GDPR (e.g., because it offers goods and services to the EU market) must comply with GDPR international transfer restrictions when transferring or making available EU personal data to an entity outside of the EU. This means, for example, standard contractual clauses (SCCs) (or another transfer mechanism) are required where a controller or processor based in the U.S., transfers EU personal data to another organization based in the U.S. or other non-EU country (that does not have an adequacy decision from the EU Commission). That is to say, the “exporter” does not have to be established in the EU for international transfer restrictions to bite.
- Personal data disclosed directly by a data subject to a non-EU entity does not require safeguards, e.g., if an EU-based data subject provides their personal data to a website operated by a company established in the U.S., SCCs (or another transfer mechanism) are not required.
- International transfer restrictions only apply to disclosures of personal data between two distinct parties. To qualify as a transfer, there must be an entity disclosing the data (the exporter) and a different entity receiving or accessing to data (the importer) (each acting as either a controller or a processor). Therefore, where an EU company shares personal data with employees travelling outside the EU (e.g., in the U.S.), no transfer has occurred. That said, reasonable security measures would need to be maintained and the organization will need to undertake a risk assessment of the jurisdiction(s) where employees are located to confirm data is adequately protected. Note, data disclosures between different entities belonging to the same corporate group (intra-group data disclosures) will constitute transfers of personal data requiring safeguards.
- International transfer restrictions apply equally to controllers and processors. The Guidance states that safeguards are required for the EU-processor to transfer data back to the non-EU controller.
In light of the Guidance, non-EU companies using EU-based vendors may be required by those vendors to include processor-to-controller standard contractual clauses within their services agreement, i.e., applying to the return transfer of data from the EU vendor back to the non-EU customer. Although this will not mean that the GDPR will be directly applicable to the non-EU entity simply because they are using an EU-based vendor, it does mean that certain obligations set out in the SCCs will apply, e.g., security of processing (Clause 8.2), documentation and compliance (Clause 8.3), complaints procedures (Clause 11), notification of public authority access requests (Clause 15.1), etc. Non-EU customers could also be liable for an EU-based vendor’s breach of the SCCs under Clause 12. This is perhaps a surprising result and could potentially discourage non-EU organizations from engaging EU-based vendors for services which involve the processing of personal data. Non-EU entities should closely review any SCCs provided by EU vendors to ensure they are comfortable with the requirements set out therein.
The Guidelines also highlight a gap in the current safeguards available to parties seeking to safeguard their data transfers. As set out above, where an EU-based processor sends personal data to a non-EU controller this will constitute an international transfer and a safeguard must be implemented. The “go-to” safeguard for most transfers would typically be the SCCs. However, Recital 7 of the EU Commission’s decision implementing the new SCCs clearly states that the SCCs may be used “only to the extent that the processing by the importer does not fall within the scope of [the GDPR].” When read in conjunction with the Guidelines, the result is clear—transfers to a party established in a third country but subject to the extraterritorial scope of the GDPR are international transfers that must be safeguarded but cannot be covered by the existing SCCs. This undesirable conflict is borne out of a difference of opinion between the European Commission (who were of the view that no appropriate safeguard was required when transferring personal data to a party otherwise subject to the GDPR) and the EDPB (who consider a safeguard to still be required). Hopefully, this gap should soon be addressed. The European Commission confirmed in the minutes of its September 14 meeting with the EDPB that it would develop a supplemental set of SCCs to cover these scenarios. Unfortunately, the EDPB has not taken this opportunity to advise organizations what they can do until this supplemental set is released.