The EDPB took an arguable position on a few aspects regarding data transfers covered by its draft guidelines on the interplay between Article 3 and Chapter V of GDPR.
On November 19, 2021, the European Data Protection Board (‘EDPB’) published its draft Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR.
The Guidelines address a tricky issue arising from the extraterritoriality principle: whether there is an actual data transfer when the GDPR directly applies. To assist with this, the Guidelines provide a set of criteria that qualify data processing as a transfer, alongside examples of specific processing.
These guidelines were eagerly awaited following the new Standard Contractual Clauses for data transfers, which cover several additional scenarios not previously tackled by the legacy SCCs.
The most interesting takeaways from the EDPB guidelines can be summarized as follows:
- A data transfer does NOT OCCUR where the data are disclosed directly by the data subject (e.g. a social media user) to the non-EU entity, as there is no controller or processor sending or making the data available, and therefore Chapter V does not apply. However, the recipient will still need to assess whether its processing operations are subject to the GDPR according to Article 3(2), and therefore whether any onward transfer by the recipient implies a data transfer subject to Chapter V of the GDPR – This position was an expected view, so nothing new to report ✅
- A data transfer DOES OCCUR when a processor in the EU sends data (including data relating to non-EU data subjects) back to its controller in a third country, through a ‘reverse’ disclosure of data from the EU processor back to the controller – This position was expected, but it risks discriminating against EU service/software providers since they will have to comply with a more stringent regime than non-EU competitors 🆘
- A data transfer does NOT OCCUR if the sender and the recipient are not different controllers/processors. For instance, an employee of an EU-established company travelling overseas and remotely accessing and processing personal data on the company databases will not constitute a transfer, given that an employee is an integral part of the controller company and the disclosure is therefore carried out within the same controller. However, due to the conflicting local laws, the company must ensure GDPR compliance also with regard to the Article 32 GDPR measures – This position was an expected view, so nothing new to report ✅
- A data transfer DOES OCCUR among entities that form part of the same corporate group as they may qualify as separate controllers or processors. Therefore intra-group data disclosures may constitute transfers of personal data – This aspect is often neglected, with intra-group data transfer agreements that either are not in place at all or whose terms are extremely broad and easily challengeable. An accurate mapping of data flows is crucial to address this aspect 🆘
- A data transfer DOES OCCUR when the importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3 – This view appears to move away from the ‘GDPR bubble’ concept suggested in the European Commission’s Standard Contractual Clauses at Recital 7, which state that the SCCs “may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of [GDPR]”. The EDPB acknowledges that the current SCCs do not apply to this scenario, even arguing that a new type of SCCs might be necessary. This position is arguable since it is against the whole rationale behind the GDPR and leaves companies without an appropriate tool to address data transfers. I hope that this position will be revised in the final version of the guidelines, but in the meantime, it created a situation of “panic” within corporations 🆘
The Guidelines are subject to a public consultation ending on January 31, 2022 and will be applicable following publication. The Guidelines are not legally binding, but provide mere guidance. However, practical implementation of certain aspects of the Guidelines may be a challenge.
Maybe these guidelines are among the most controversial that have been issued in recent years. The experience of previous years shows that the EDPB has rarely revised its draft guidelines in a relevant manner. But relevant economic reasons might be in place, so I expect several corporations to join the consultation.
On a similar topic, you may find the infographic that my DLA Piper teammates created to guide on the usage of Standard Contractual Clauses interesting.