The European Data Protection Board (‘EDPB’) has published draft guidance on international transfers of personal data (‘International Transfers’) under the GDPR in an attempt to resolve the historic issues between Article 3 (territorial scope) and Chapter V (international data transfers) and clarify the scope of the International Transfer regime’s applicability.
The International Transfer regime under Chapter V of GDPR has been traditionally silent on the concept of what constitutes a ‘transfer’ of data, which has caused friction with the extraterritorial effect of Article 3 GDPR, which notes that GDPR may apply directly to organisations outside the EEA that are processing EU citizens’ personal data.
The adoption of the EU’s new Standard Contractual Clause regime (‘SCCs’) in June 2021 was accompanied by Decision 2021/914 from the European Commission, which noted that the International Transfer regime would not apply where the processing of data by an importer was subject to Article 3(2) GDPR already. The EDPB guidance has sought to overturn this decision and provide a specific list of criteria for determining where processing falling within Article 3 amounts to an International Transfer of data.
The EDPB has outlined 3 criteria for where the processing of data will constitute a ‘transfer’:
- The exporting Controller or Processor is subject to GDPR in relation to that processing (regardless of whether the Controller or Processor is located in the EU or not);
- There must be an ‘exporter’ or ‘importer’: the exporter (whether a Controller or Processor) must disclose personal data to another Controller, Joint Controller or Processor (the importer); and
- The importer is in a third country outside of the EEA (or is an international organisation), irrespective of whether or not this importer is subject to Article 3 GDPR in relation to that processing.
N.B. The third criterion disapplies the European Commission decision, noting that it is irrelevant whether the importer is subject to Article 3. The applicability of Chapter V will be based on geographical location, rather than the applicable regime, as the EDPB noted that while an importer may be subject to GDPR, their own national laws may conflict with their obligations, such as allowing governments to access data which goes beyond what is necessary and proportionate in a democratic society.
However, the guidance does note that a case-by-case approach should be adopted in relation to each proposed transfer, and where the Importer is already subject to GDPR in relation to the processing activity, then ‘less protection/safeguards are needed’. It is currently unclear what may constitute ‘less protection’, given that, where an adequacy decision is not already in place, one of the mechanisms in Article 46 GDPR must still be used.
The EDPB also carves out two important exceptions for what will not fall within the International Transfer regime:
- where data is ‘accessed’ remotely, such as an employee taking their laptop abroad; and
- where data subjects themselves transfer the data to a Controller or Processor outside the EU.
The first carve-out mirrors the ICO’s interpretation of ‘restricted transfers’ in their recent Consultation on the UK’s incoming International Data Transfer Agreements regime (‘IDTA’). However, where the ICO notes that transfers between members of the same corporate group will not constitute an International Transfer, the EDPB notes that Chapter V GDPR will still apply to transfers between members of the same group.
The EDPB has provided welcome clarity on what has been a long-running tension between Article 3 and Chapter V GDPR, which coincides with organisations beginning to get to grips with the new SCCs. This largely replicates the UK’s new proposed approach for International Transfers, as the ICO also consulted on the interpretation of Article 3 UK GDPR in their IDTA proposals, giving recipients the option as to whether Article 3 will inevitably always apply to overseas Processors or Joint Controllers, or whether this should be dependent on a list of determining factors. This in turn informs their proposals on restricted transfers, which align with the EDPB guidance and note that the central issue will be whether the Importer is located outside of the UK, regardless of whether UK GDPR applies to that Importer or not. The ICO have also noted that restricted transfers will only occur where a Controller or Processor ‘authorises’ an overseas legal entity to process the data, which provides a higher threshold than the EDPB’s requirement that the Exporter ‘discloses’ data ‘by transmission or otherwise makes personal data available’.
As we await further guidance from the ICO on their IDTA consultation, including the final form regime and timescales for it coming into force, the EDPB guidelines give an indication that this is the route the consultation will follow, and provide a welcome alignment of regimes which will make it easier for organisations to navigate using either the IDTA or the SCCs for their International Transfers.
The draft guidelines will be open for consultation until 31 January 2022.