With the recent adoption of guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation relating to international data transfers, the European Data Protection Board sought to answer a question that has been debated going back five years to the GDPR's original drafting. But as is usually the case when addressing the complex topic of transfers, answering one question has spawned so many others.
EDPB Secretariat Head Isabelle Vereecken said during a LinkedIn Live conversation with IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP, that the EDPB's decision to act had less to do with answering or creating questions than it did with providing consistency, clarity and legal certainty.
"It really relates to the application of an entire chapter of the GDPR. Whether or not you need to apply this chapter is something important to realize," Vereecken said. "There's also the consideration of the 'Schrems II' ruling that imposes the duty on the data exporter to make the assessment of the level of protection needed in third countries, so that's also embedded here."
Questions from an answer
Vereecken said the EDPB anticipated a rush of queries regarding the seven-page guidance document, noting there were "hidden scenarios that need to be addressed" in relation to when personal data moves from an organization subject to the GDPR to a separate organization outside of EU territory.
Among those precarious scenarios are transfers of employee data from the EU to another country or multinational corporations transferring data across their entities. Vereecken indicated procedures around employee data transfers are unchanged by this guidance and can still be addressed with existing standard contractual clauses or binding corporate rules. The same concept goes for similar passing of data within a multinational's walls, but that needs to be done more carefully given the branching of such businesses.
"What's really important to take away here is that a group of companies is not necessarily a place where there is only one controller," Vereecken said. "There are companies sending data, as a controller, to another of its entities that are providing processor services. These are clearly different entities in this group, so a group is not like a family."
Labeling a 'transfer'
At the heart of the new guidance is a three-part definition of what constitutes an international data transfer as the EDPB interprets it under the law. The facets of the definition include identifying whether the processing activity falls under the GDPR, an exporter-to-importer transmission and the geographical location of the importer.
A key point Vereecken highlighted for companies was to keep in mind that the first part of the definition relies not on the nature of a company's business but the processing activity it is executing. This means it is the particular processing and transfer that is subject to the GDPR, not the company as a whole. It also means a company established outside the EU whose processing is subject to the GDPR can become an exporter.
"Sometimes when you're a legislator, you can think about the spirit and the purpose of the legislation. We purely work on the interpretation of a text that is already existing," Vereecken said.
How SCCs fit in
While clarity and consistency were chief among the reasons to draft this guidance, the EDPB's hand was also forced by the European Commission's new SCCs. Vereecken acknowledged "urgent and essential" action was required because the new SCCs had a crucial gap.
"There was a particular recital in the decision that was discussed with the European Commission providing that the SCCs could not be used by non-EU data importers that are already subject to the GDPR due to the external application of Article 3(2)," Vereecken said. "Many questions arose to understand the inclusion of this exemption. Was it because it was needed or because it wasn't a transfer?"
The EDPB acknowledged its guidance creates new complexity for organizations by creating a need for another transfer tool, with the European Commission already committing to the development of a new SCC for transfers to importers subject to Article 3(2). Fennessy noted European Commission Head of International Data Flows and Protection Bruno Gencarelli has said the European Commission is devising a so-called "SCCs-lite" to cure the issue. Additionally, Gencarelli told attendees at the IAPP's Data Protection Congress 2021 that the commission is preparing a Q&A on SCCs for early 2022 that will cover the scope of and modules in the modernized SCCs.
In the interim, Vereecken warned against using existing transfer tools at a company's own risk if it feels it is applicable under Article 3(2), adding that waiting for further tools and guidance is the safer play.
"If there is a contract that says the scope of application does not cover a particular scenario but you nevertheless want to use it, there is a risk it won't fit or be accepted. This risk embedded here needs not to be disregarded."
What's next?
The EDPB guidance is currently under a longer-than-usual consultation period. Normally, its consultations are set for six weeks, but given the holiday and the complexity of the situation, Vereecken said this particular comment period is 10 1/2 weeks. She said stretching the process to the end of January "offers a chance to get the best results" as far as meaningful and thoughtful submissions from all relevant stakeholders.