On November 18, 2021, the European Data Protection Board (EDPB) adopted its new draft guidance on the interplay between Article 3 of the European Union’s General Data Protection Regulation (GDPR) and Chapter V of the same law. This new guidance specifies that personal data processing by organizations in countries outside the European Economic Area (EEA) is governed by the transfer restrictions of Chapter V, even when the organization is subject to the GDPR through the law’s extraterritorial applicability. But the EDPB unhelpfully leaves open the question of how to comply with Chapter V in such circumstances, acknowledging that the required transfer tools are currently “only available in theory.”
Article 3 lays out the GDPR’s territorial scope, including extraterritorial provisions that bring organizations not established in the EEA within the GDPR’s scope when they offer goods and services to or monitor the behavior of individuals in the EEA. Meanwhile, Chapter V (Articles 44-50) restricts transfers of personal data to countries outside the EEA unless appropriate transfer tools, also identified in Chapter V, are used to ensure that the personal data transfer does not undermine the level of protection guaranteed by the GDPR.
The long-acknowledged tension between Article 3 and Chapter V exists because it has never been clear whether Chapter V applies to personal data processing that will remain subject to the GDPR after a transfer (due to the receiving organization’s processing falling within the GDPR’s extraterritorial scope). Some have argued that applying Chapter V requirements in this extraterritorial scenario is redundant, but the EDPB has declined to answer the question in prior guidance. The European Commission reignited the issue when it noted, in Recital 7 of its standard contractual clauses for cross-border data transfers, that the clauses may not be used in this extraterritorial scenario:
“The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of [the GDPR]. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to [the GDPR] (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as it takes place within the Union.”
This led to more debate about the interplay between Chapter V and Article 3 and — more practically — questions about how exactly entities are meant to transfer data when falling within the extraterritorial scenario. The EDPB’s new guidance, which is open for public comment until January 31, 2022, confirms that Chapter V applies regardless of whether the data importer’s processing is subject to the GDPR’s extraterritorial scope. Specifically, the EDPB identifies three “cumulative criteria” for determining what a personal data transfer is:
- A controller or a processor is subject to the GDPR for the specified data processing.
- This data exporter (a controller or processor) discloses by transfer, or otherwise makes the personal data that are subject to the specified personal data processing available, to a data importer (a different controller or processor than the data exporter). Note that this criterion is not met when the personal data are disclosed directly by an individual at the individual’s own initiative to a recipient, regardless of the recipient’s location, as no controller or processor is transmitting the personal data.
- The data importer is not located in the EEA, without regard to whether or not the data importer is subject to the GDPR pursuant to Article 3 for the specified personal data processing.
Recall as well that Article 3 applies to instances of personal data processing rather than to an organization as a whole, so the need to comply with Chapter V should always be assessed based on the specific data processing undertaken. Where these three criteria are met, the cross-border personal data transfer must comply with Chapter V, meaning the transfer must be based on one of the Chapter V transfer tools, such as an adequacy decision or standard contractual clauses, even when the importer is subject to the GDPR with respect to the processing in question.
Addressing criticism that this is an unnecessary and excessively cautious approach when the data processing is already subject to the requirements of the GDPR, the EDPB notes that the additional requirements are necessary not as a duplication of GDPR obligations,
“but rather to address the elements and principles that are ‘missing’ and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country as well as the difficulty to enforce and obtain redress against an entity outside the EU. To clarify, such tools should, for example, address the measures to be taken in case of conflict of laws between third country legislation and the GDPR and in the event of third country legally binding requests for disclosure of data.”
Unfortunately, the EDPB’s guidance provides no immediate solution for compliant personal data transfers in the extraterritorial scenario. If, as expected, this EDPB guidance stands largely unchanged, we will need additional transfer tools to address this scenario. The EDPB notes that it “encourages and stands ready to cooperate in the development of a transfer tool, such as a new set of standard contractual clauses, in cases where the importer is subject to the GDPR for the given processing in accordance with Article 3(2).” In the meantime, organizations affected by this recent EDPB guidance are largely left attempting to comply with increasingly intricate data transfer guidance while having few practical solutions at hand.