News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | GDPR conundrums: Data transfer Related reading: Reducing risks and valuing compliance with the European Data Protection Seal under the GDPR 

rss_feed

""

5, 10, 18

The data transfer regime for processors does not make sense and requires clarification

Under the GDPR, certain provisions become directly applicable to EU processors, including the data transfer requirements. Article 46 of the GDPR provides that controllers and processors may only transfer personal data to third countries that do not provide for an adequate protection (non-adequate countries), if the controller or processor has provided "adequate safeguards," and on condition that individuals are provided with enforceable rights and effective legal remedies. But is it correct to impose the same regime that applies to controllers also to processors?

I think not. The transfer requirement should only apply to processors when they transfer data to a sub-processor in a non-adequate country (and not when they transfer data to a controller, whether back to the original controller or to a subsequent third-party controller) and then in respect of their own data processor obligations only – and not the full scope of the GDPR. The regime should therefore neither apply when the processor transfers the data back to the original controller on whose behalf the processor is processing the data nor when transferring to subsequent controllers if the processor is instructed to do so by the original controller.

The issue may only be understood if we discuss the background on why the GDPR now imposes direct obligations on processors. The reason for this is interlinked with the ‘long arm’ applicability regime of the current Data Protection Directive, which has as an unforeseen result that EU data protection law applies also a controller in a non-adequate country (for example, the U.S.) without establishments and activities in the EU, that involves an EU processor – all while the original data processing by the U.S. controller is not governed by EU data protection law.  

Outsourcing by US controller to EU processor

Article 4(1)(a) of the directive contains the main provision for the application of EU data protection law. The directive applies to the processing of personal data “in the context of the activities of an establishment of the controller on the territory of a Member State.” To avoid circumvention of the directive, article 4(1)(c) provides that the directive also applies in the event that the controller is not established in the EU, but processes personal data making use of “equipment” situated in a member state unless this equipment is used for transit purposes only.

An example of potential applicability of Article 4(1)(c) that was totally unforeseen by EU legislators is when a U.S.-based company (without establishments and activities in the EU) outsources its data processing activities to an EU data processor (or locates its own processing activities in the EU). As a consequence, U.S. data will be stored and processed on servers located in the EU (the servers qualifying as equipment) whereby such data processing cannot be considered merely for transit purposes. As a consequence, EU data protection law is applicable while the data processed concerns (in this case) U.S. data only, which falls within the EU scope only because the data is exported to the EU and transferred back again to the U.S.

This is confirmed by the WP29 in its Opinion on applicable law (p. 20 and 25). Many EU DPAs have indicated that insofar as the relevant data is indeed coming from outside the EU and transferred back again, EU data protection law applies and therefore also the EU data transfer rules, but that enforcement of these rules “will not be their priority.”According to the WP29, the result that EU law applies to these data processing activities has “unsatisfactory consequences” and is also not satisfactory in that “European data protection law is applicable in cases where there is a limited connection with the EU,” which “may have undesirable consequences in terms of economic impact and enforceability” (Opinion on applicable law, p.21 and 24).

Replacing the “equipment” criterion by the criterion of article 3(2) the GDPR, whereby the processing activities should be related to: (i) the offering of goods or services to such data subjects in the EU; or (ii) the monitoring of their behaviour in the EU,  however, would have in its turn as a consequence that EU data protection law does not apply to a U.S. controller with an EU processor. Also the data security requirements under EU data protection law would not apply, which might lead to inadequate security in EU territory potentially exposing the EU to cybercrime. Further, it creates an inherent risk that the EU will be used as a digital haven as there will be no legal basis under EU data protection law to act against these data processing activities in EU territory – even if the relevant data processing would be considered unethical to EU standards. In the words of the WP29: “There is a need to prevent situations where a legal gap would allow the EU being used as a data haven, for instance when a processing activity entails inadmissible ethical issues.”

However, rather than applying the full scope of the directive also to EU data processors, the WP29 suggested as an option (Opinion on applicable law, p. 31 – 32) that the data processor becomes subject to  specific EU data protection provisions only, such as in any event the EU data security provisions (as inadequate security in EU territory may expose the EU to cybercrime). The GDPR indeed now solves this issue by limiting the scope of the GDPR (by dropping the equipment criterion) and imposing certain direct obligations on processors.

The EU legislators therefore made the choice that the GDPR only triggers the limited processor obligations when a U.S. controller (not subject to EU law) involves an EU processor rather than impose the full scope of the GDPR upon such U.S. controller. They clearly rejected the alternative (in the current directive) whereby any data transferred by a U.S. controller (or another non-adequate country) to the EU processor and subsequently transferred back to the U.S. (or another non-adequate country) would attract the full scope of EU data protection law. With this background, an interpretation of the transfer rules under the GDPR, which would require EU processors to yet impose the full scope of protection of the GDPR on the U.S. controller when transferring data back to such controller or to a third-party controller, would be in contradiction with the choices made by EU legislators when drafting the GDPR. This would mean that via the backdoor of the transfer requirements, the full scope of the GDPR would yet be imposed on such controllers, which was clearly not the intention of the EU regulators. 

As the above may be somewhat abstract, here are three situations whereby a controller in a non-adequate country (again, let's take the U.S. as an example) involves an EU processor, which subsequently transfers personal data (i) to a sub-processor established in a non-adequate country; (ii) back to the original controller in the U.S.; and (iii) to a third-party controller in a non-adequate country.

Situation A. US data controller with EU data processor that transfers the data to a sub-processor in a non-adequate country

There are two options. The first is when the data processing by the U.S. controller is not governed by the GDPR and the second is when the data processing by the U.S. controller is governed by the GDPR. 

1. Processing by a US controller not governed by GDPR 

In this situation the original data processing by the U.S. controller is not governed by the GDPR, e.g. the controller does not have establishments in the EU and further the data processing is not related to (i) the offering of goods or services to data subjects in the EU; or (ii) the monitoring of their behaviour. The EU processor is subject to the GDPR and has to comply with the processor obligations that are directly applicable to processors under the GDPR. Pursuant to Article 28(3) GDPR, the EU processor should process data only based on a contract governed by EU law that contains a number of mandatory processing provisions. Pursuant to article 28 (2) GDPR the processor further requires the prior written authorization of the controller to involve a sub-processor and pursuant to article 28 (4) GDPR the processor has to impose the samedata protection obligations on such sub-processor as agreed by such processor in its contract with the controller.

Article 28 GDPR therefore does not require the EU processor to impose further requirements on the sub-processor than such processor itself has under its data processor agreement with the controller. This should also apply when the processor involves a sub-processor in a non-adequate country.

The fact that the data is transferred to a non-adequate country should not suddenly trigger an obligation to impose on the sub-processor the full material scope of the GDPR. The data transfer provisions in the GDPR, however, do not reflect this. Rather, they require processors (like controllers) to implement “adequate safeguards,” which seems to refer to the full scope of the GDPR rather than just the obligations of the processor.

This seems a drafting mistake rather than a purposeful decision to deviate from this system. The way to solve it is to interpret this requirement to mean that processors should provide “adequate safeguards” insofar as their own obligations are concerned only. This is also in conformity with the draft Standard Contractual Clauses for Processor to Processor transfers as proposed by the WP29 These proposed Processor SCCs also impose only the processor obligations on the relevant sub-processor in the non-adequate country (such as the security obligations, data breach notification obligations, etc.) and not the full scope of the GDPR. The same applies for the requirements set by the WP29 for authorization of Binding Corporate Rules for Processors. Also, these require that the processor obligations are imposed on the group companies of the processor involved in the data processor services rather than the full scope of the GDPR.

2. Processing by a US controller governed by EU law‎

In this situation the original data processing by the U.S. controller is already governed by the GDPR (e.g., because the data is also processed in the context of the activities of an establishment of the U.S. controller in the EU). In this case the transfer by the processor to the sub-processor also involves a transfer by the controller to the sub-processor (at least this is how many of the DPAs have interpreted this). These DPAs interpret the transfer requirement under the directive as imposing a requirement on the controller “to adduce adequate safeguards.”

The GDPR now imposes a similar requirement on the processor without indicating whether compliance by one (e.g., the controller) releases the other (e.g., the processor) or vice versa. I would assume that if the transfer is to a sub-processor, it should be sufficient that the processor complies and imposes its obligations on such sub-processor. If the data is transferred to a third-party controller, it is the controller who has to impose its obligations (i.e., the full scope of the GDPR) on the third-party data controller.

Situation B. US data controller with EU data processor that transfers the data back to the original controller

Again, there are two options.

1. Processing by US controller is not governed by GDPR 

Now the relevant processing is not governed by EU data protection law, the transfer rules should not apply at all. Otherwise the result would be that a processor should impose requirements (either its own, or the full scope of the GDPR) upon the original controller, while the original processing was not governed by the GDPR. The system chosen by EU regulators is that the GDPR does not apply to such processing and that only a limited number of obligations apply to the EU processor. Requiring that if the EU processor transfers the data back to the U.S. controller the full scope of the GDPR should be imposed on the controller is contrary to the intentions of the EU legislators. The transfer rules should in this case simply not apply.

2. Processing by US controller governed by EU law‎

If the original data processing by the U.S. controller is governed by the GDPR, the full scope of protection already applies to the controller also after the processor transfers the relevant data back to the original controller. Here, imposing additional requirements by the processor onto the original controller is not useful and the transfer rules therefore do not add any value. Also, the transfer rules should simply not apply.

Situation C. US data controller with an EU data processor, which transfers data to a third-party controller

Again, there are two options.

1. Processing by original US controller is not governed by GDPR 

The EU processor may only transfer data to a third-party controller when the processor is instructed to do so by the original controller. As the data is not governed by EU law, the transfer in fact takes place between two parties in non-adequate countries, with an in-between stop at the EU processor where the processor is subject to the direct obligations applicable to EU processors.

Here, the data transfer rules should not apply at all. The system chosen by EU regulators is that the GDPR does not apply to such processing and that only a limited number of obligations apply to the EU processor. Requiring that if the EU processor transfers the data to the third-party controller the processor should impose requirements (either its own, or the full scope of the GDPR) on the controller is contrary to the intentions of the EU legislators. The transfer rules should in this case simply not apply.

2. Processing by US controller governed by EU law‎

The processing activities that the original controller has instructed the EU processor to process on its behalf are already subject to the GDPR. Therefore, the EU data transfer requirements already apply to the U.S. controller when the U.S. controller instructs the EU processor to transfer the data to a third-party controller. 

Imposing the data transfer rules on the data EU processor therefore has no added value. Here the data transfer rules should not apply to the data processor.  

 Conclusion

The transfer rules should only apply to processors insofar as they transfer data to a sub-processor in a non-adequate country and then only in respect of their own legal obligations under the GDPR.

The WP29 already made draft Processor SCCs for this situation, and therefore I think we do not need any other SCCs. It would help if the WP29 could clarify that this is indeed how the data-transfer requirements for processors should be applied. The current provision whereby processors are required to impose “adequate safeguards” in case of transfers to all third parties in a non-adequate country – therefore both controllers and processors – seems incorrect. 

Author
Headshot Lokke Moerel IAPP Member Contributor
Tags
Europe
Privacy Law
Transborder Data Flow
5 Comments

If you want to comment on this post, you need to login.

  • comment John Kropf • Jun 10, 2016 
    Great article that explains a complex topic.
  • comment Tony Gray • Dec 3, 2016 
    I dont even have say anything, great..
  • comment Dorota Skolimowska • Oct 2, 2017 
    very useful. a perfect summary of processor's obligations
  • comment Emma Butler • Aug 22, 2018 
    I've only just found this article and I agree it explains the topic well and makes sense. However, there is a practical challenge for processors who sell their products and services globally in terms of what standard approach to take, given regulators have not confirmed that what Lokke sets out is also their understanding of the transfer rules. Given the regulator obsession with transfers, it may be too risky to take the common-sense approach set out in this article.
  • comment Alejandra Brown • Aug 13, 2019 
    I just found this article and I found it fascinating. I am currently working with a US-based clinical trial sponsor that is using CROs in the EU to perform the clinical trial with EU patients. The EU CRO (i.e. processor) needs to send the patient data back to the US sponsor (i.e. controller) and we are wrestling with the best approach to handle this transfer. We are looking at Standard Contractual Clauses but the scenario is processor transferring out of EU to controller, which, from what I read is Situation B.2. The CRO refuses to transfer data unless there is a transfer mechanism in place. EU-US Privacy Shield may not apply because section 14.g of the framework establishes that key-coded data does not constitute a transfer of personal data subject to Privacy Shield so that takes us back to SCCs. It seems to me that, since this seems to still be a gray area, I rather have something in place than nothing at all (outside of derogation). So, what would the better approach be? using controller to controller SCCs or controller to processor SCCs? Any comments are appreciated!
Related Stories
Related Stories
Tags
Europe
Privacy Law
Transborder Data Flow
Recent Comments