21/12/2021 - On 18 November 2021, the EDPB released the draft Guidelines 05/2021 on the interplay between Article 3 GDPR and the provisions on international transfers as per Chapter V of the GDPR. While these draft Guidelines clarify some contentious issues regarding data transfers, they have also led to additional questions, for example with regard to their reference to the potential release of an additional set of EU Standard Contractual Clauses (SCCs). Read more about the draft Guidelines and their implications below.
What do Article 3 GDPR and Chapter V GDPR regulate?
The territorial scope of the General Data Protection Regulation (GDPR) is regulated under Article 3 GDPR, which sets out that the regulation applies to:
- The processing of personal data in the context of activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.
- The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
  - The offering of goods or services to such data subjects in the Union; or
  - The monitoring of their behavior within the Union.
Chapter V GDPR includes rules on transfers of personal data to countries outside of the EU, also known as third countries. The aim of Chapter V GDPR is essentially to guarantee that, when personal data is transferred to a third country, such personal data is still ensured a level of protection that is equivalent to that awarded in the EU. Parties are therefore required to put in place an appropriate transfer tool to safeguard their transfer(s). Failing the existence of an EU Adequacy Decision, parties must rely on one of the Article 46 GDPR transfer tools, such as SCCs. Alternatively, in exceptional circumstances, parties may rely on one of the Article 49 GDPR derogations.
Why did the EDPB issue Guidelines on the Interplay between Article 3 GDPR and Chapter V GDPR?
There has been a long-standing debate about the definition of a ‘data transfer’ and, in light thereof, when the GDPR’s rules on data transfers would apply. Stakeholders have been debating whether the Article 3 GDPR and the Chapter V GDPR provisions are mutually exclusive or intended to be applied simultaneously. In June of this year, and in light of the broader Schrems II developments, the European Commission re-ignited this debate when it stated in Recital 7 of the new SCCs implementing decision that those SCCs could only be used to safeguard transfers to the extent that the processing activity of the importer did not fall within the scope of Article 3(2) of the GDPR. This led some to question whether Chapter V GDPR would apply at all if a data importer was itself already subject to the territorial scope of the GDPR, in terms of Article 3(2) GDPR. In its draft Guidelines, the EDPB attempts to provide more clarity to this debate.
What do the EDPB Guidelines include?
A definition of a data transfer
Firstly, the Guidelines introduce for the first time a definition of a ‘data transfer’ under the GDPR. The EDPB identified the following three cumulative criteria that must be met in order for a data transfer to occur:
- A controller or a processor is subject to the GDPR for the given processing;
- This controller or processor ("exporter") discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor ("importer"); and
- The importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
Note that the wording under criterion 2 includes not only ‘discloses by transmission’ but also ‘or otherwise makes personal data…available’, which covers personal data that is accessed from within a third country through, e.g., a cloud solution, even if that data is not hosted in a third country.
It is also important to note that the interplay between Article 3 GDPR and Chapter V GDPR is emphasized explicitly in criterion 3 of the EDPB's new definition of a data transfer. Through this criterion, the EDPB affirms its view that Chapter V GDPR transfer tools and requirements have to be adhered to when transferring personal data to an organization in a third country outside of the EU, even when that organization already falls under the territorial scope of the GDPR under Article 3 GDPR. The Guidelines include several examples, of which Example 7 is a good illustration of what the above-mentioned situation could look like:
Example 7: Processor in the EU sends data back to its controller in a third country
Company A, a controller without an EU establishment, offers goods and services to the EU market. The French company B is processing personal data on behalf of company A. B re-transmits the data to A. The processing performed by the processor B is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since it takes place in the context of the activities of its establishment in the EU. The processing performed by A is also covered by the GDPR, since Article 3(2) applies to A. However, since A is in a third country, the disclosure of data from B to A is regarded as a transfer to a third country and therefore Chapter V applies.
The draft Guidelines also offer some clarity on direct data transfers. Criterion 2 of the EDPB's data transfer definition determines that transmission cannot constitute a data transfer where a data subject decides on their own initiative to disclose their personal data to a recipient located in a third country. For example, if an individual living in the Netherlands orders shoes online from a company located in South Africa, that individual would likely have to provide the South African store with their personal data (in the form of name and delivery address). However, following the rationale of the EDPB, this situation would not constitute a data transfer under the GDPR because the individual decided, as a data subject and not as a data controller or data processor, to directly transfer their personal data on their own initiative to the store located in a third country.
Chapter V GDPR transfer tools required regardless of Article 3(2) GDPR application
In June 2021, the European Commission introduced a new set of SCCs, which constitute one of the possible transfer tools under Chapter V GDPR. It is key to remember that the aim of this new set of SCCs was essentially to allow EU protections to travel with personal data that would be transferred to a data importer, the latter being outside of the direct scope of application of the GDPR. Especially in light of the aforementioned Recital 7 of the new SCCs implementing decision, the question at hand was therefore whether that set of SCCs could also be used in cases where a data importer is directly subject to the GDPR under Article 3(2) GDPR. Some argued that using the set of SCCs introduced last summer in such cases would not be required, or even possible, as the GDPR would already apply in full to such data importers.
Yet, the draft Guidelines now hold that Chapter V GDPR transfer tools (including, e.g., SCCs) are required in all cases where personal data is transferred to a data importer in a third country, even in the situation where that data importer already falls under the territorial scope of Article 3(2) GDPR. As the EDPB alludes to, this means that, if an organization would like to use SCCs as a transfer tool for such situations, this would likely require a new set of SCCs: one specific to data transfers to data importers who are directly subject to the GDPR by virtue of Article 3 GDPR.
Such a new set of SCCs is expected to have a more limited approach, as both parties would already be subject to the GDPR's scope of application, meaning a full duplication of GDPR protections is not required as part of the SCCs. Rather, as the EDPB also points out, such a transfer tool should "address the missing elements and principles and, thus, fill the gaps relating to conflicting national laws."
It is likely that this development will bring additional complexity for organizations trying to comply with EU data transfer requirements, which will likely have to familiarize themselves with additional steps and SCCs. However, for now, organizations will have to wait for more information from the European Commission on whether this specific set of SCCs will indeed be published and in what form. We expect more developments on this topic in early 2022.
What is next?
While there are those that view the EDPB Guidelines favorably for providing clarity, others have not been so complimentary. Some have labelled the position taken by the EDPB regarding the interplay between Article 3 GDPR and Chapter V GDPR as duplicative, stating that forcing organizations to apply Chapter V GDPR safeguards in such situations, in the form of a specific set of SCCs, is unnecessary and expensive for organizations operating internationally. According to these views, if an organization already falls under the scope of the GDPR by virtue of Article 3(2) GDPR, the protection of personal data should already be accounted for. We will have to wait and see if the final Guidelines bring changes in light of such views.
What is certain at this point is that the EDPB's public consultation on the draft Guidelines is open until the end of January 2022. In light of the debate so far and the far-reaching implications of data transfer requirements, it is important to keep an eye out for developments. Considerati will monitor the developments and provide updates accordingly. Should you have questions about the draft Guidelines or about compliance with data transfer requirements, do not hesitate to contact us.