On Nov. 18, the European Data Protection Board adopted new guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation. The guidelines answer the threshold question that underpins GDPR’s data transfer regime — what is a transfer?
In short, the EDPB explains, a transfer occurs when personal data moves from an organization subject to the GDPR to a separate organization outside of EU territory.
Simple, isn’t it? The answer seems more than obvious, but the debate behind it and the implications of it are anything but.
Organizations implementing these new guidelines may find they offer a step toward clarity in one area, a step toward complexity in another and a twirl through jurisdictional quandaries in a third. As someone who has followed the issue with interest for years, it feels a bit like dancing in place.
Since the guidelines are open for public comment through the end of January, the debate, the answer and the implications are all well worth considering. (The United Kingdom, too, is conducting a public consultation on the question at hand.)
If you are more interested in practical impacts than the policy considerations though, skip to “the answer;” otherwise, read on.
The EDPB has debated what constitutes a “transfer of personal data to a third country or to an international organisation” since the board’s inception. The topic appeared on its second plenary agenda and, in various forms, on many that followed. The core question became whether Chapter V data transfer mechanisms were needed when data left the physical territory of the EU or the jurisdictional scope of the EU GDPR. A related question also cropped up, whether transfer mechanisms were needed when entities based outside the EU collected data directly from EU individuals. These questions gained urgency when the European Commission stated in Recital 7 of its new standard contractual clauses that the SCCs could not be used by non-EU data importers already directly subject to the GDPR, including due to the extraterritorial application of Article 3(2). This left organizations with few options to meet the letter of the law until the debate was settled.
The debate stems from the fact the GDPR expanded the jurisdictional reach of EU data protection law far beyond the EU’s physical borders, while preserving the EU Data Protection Directive’s territory-based conception of data transfers. As a result, data protection authorities, the European Commission and other stakeholders began asking whether Article 3’s provisions on (extra)territorial scope and Chapter V’s provisions on transfer requirements were mutually exclusive or meant to be applied in tandem.
Adherents to the either-or school of thought argued that:
1) Applying a Chapter V data transfer mechanism to a foreign entity already subject to the GDPR is duplicative and in some instances contradictory, where the mechanism imposes equivalent, but not identical, rules. When Article 3 applies to a foreign entity, it imposes on the foreign entity all GDPR rules, rights and protections. It provides EU DPAs jurisdiction and guarantees individuals redress via DPAs. As the EDPB explained, the requirement to designate an EU representative “was introduced precisely with the aim of facilitating the liaison with and ensuring effective enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR.” Further, Articles 6 and 23 could be interpreted to circumscribe the situations in which companies are legally allowed to grant governments access to data to the types of necessary and proportionate legal bases prescribed in EU Member State law.
2) Article 28 contractual requirements provide for a continuing level of protection for both domestic and foreign transfers alike. Article 28 stipulates controllers may only use processors “providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of (the) Regulation.” This text is reminiscent of the EDPB’s recommendations that organizations can adopt contractual, organizational and technical measures which may “contribute to reaching EU standards” and prevent foreign government access to data from undermining GDPR protections. Applying equivalent contractual requirements for domestic and foreign transfers would better align with the fact that, as Advocate General Campos Sánchez-Bordona pointed out in a recent opinion, required protections may be lacking in practice within the EU, just as they may be abroad.
3) Data transfer mechanisms have become burdensome, a source of costly uncertainty due to frequent court challenges, and lead to mechanism-focused rather than risk-focused compliance and enforcement approaches.
4) Risk is not bound by geographical borders. Attacks by private parties, government actors or an opaque amalgamation of the two do not respect territorial boundaries. Neither does jurisdiction. Government access demands and the conflicts of law they create extend into EU territory, just as Article 3 extends GDPR rules beyond EU shores.
Adherents to the belts-and-suspenders school of thought argued that:
1) The text of the GDPR cannot be ignored and includes a territory-based rather than jurisdiction-based conception of Chapter V requirements. Specifically, Article 44 provides that, “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with …”
2) In practice, it is significantly more difficult for EU data protection authorities and data subjects to enforce GDPR requirements against companies located outside of EU territory when relying on GDPR’s extraterritorial application. Data transfer mechanisms provide additional enforcement and redress tools. Adequacy determinations ensure there is an independent supervisory authority with sufficient powers to enforce essentially equivalent foreign protections. Binding Corporate Rules allow EU DPAs to hold EU data exporters liable for breaches by other members of the group. Standard contractual clauses provide EU data subjects third party beneficiary rights and free and accessible redress options, while binding the data importer to shared liability and confirming EU jurisdiction.
3) Data transfer mechanisms provide a useful compliance tool that helps organizations understand more concretely how to meet GDPR requirements and demonstrate that compliance to their EU partners.
4) Foreign government access rules undercut the application of GDPR abroad and are more easily enforced on foreign territory. The broader suite of EU law and jurisprudence, including the EU Charter of Fundamental Rights and the European Court of Human Rights, circumscribes member state surveillance practices, but cannot rein in foreign intelligence authorities.
In 2018, the EDPB drafted, but never published, guidelines taking the former viewpoint, but ultimately the latter held sway.
The answer the EDPB provides to the question “what is a transfer” undoubtedly takes a territory-based approach. Still, it gives a hat tip to proponents of both schools of thought. It acknowledges the inherent duplication in GDPR requirements when Article 3 and Chapter V are applied concurrently, but concludes that transfer mechanisms provide necessary additional protections when data moves beyond EU territory. The EDPB reasons these additional safeguards are needed to prevent foreign legislation from undermining the protections afforded by the GDPR and the broader EU legal framework even when the GDPR applies directly. The EDPB focuses in particular on the potential for foreign government access to data which goes “beyond what is necessary and proportionate in a democratic society” and would conflict with organizations’ obligations under the GDPR.
The EDPB’s new guidelines provide that there are three “cumulative criteria that qualify a processing as a transfer.” These are:
"1) A controller or a processor is subject to the GDPR for the given processing.
2) This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
3) The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3."
While these seem self-explanatory, it is worth considering their practical implications in three key areas.
A step toward clarity
First, the EDPB provides clarity for organizations by confirming that direct collection of data from EU individuals does not require a Chapter V transfer mechanism. The EDPB’s second criterion specifies that a transfer must involve the transmission of data from one controller or processor to another controller or processor. The EDPB states specifically that, “[t]his second criterion cannot be considered as fulfilled where the data are disclosed directly and on his/her own initiative by the data subject to the recipient.” Stakeholders have expressed confusion on this point for years. Many assumed that when collecting data from individuals in the EU, they had to adopt a transfer mechanism. This was practically complicated since they could not sign SCCs with those individuals, leading many to sign them with their EU offices, even when data was provided directly to the foreign entity by an EU individual. The EDPB alluded to the fact that it did not consider direct collection a transfer in footnote 19 of its June recommendations on supplementary measures. However, this is the first time that the board has been so explicit in writing. This clarification could reduce the previously perceived need for transfer mechanisms considerably.
A step toward complexity
Second, the EDPB acknowledges its guidance creates new complexity for organizations by creating a need for another transfer tool. The guidance states that:
"for a transfer of personal data to a controller in a third country less protection/safeguards are needed if such controller is already subject to the GDPR for the given processing. Therefore, when developing relevant transfer tools (which currently are only available in theory), i.e. standard contractual clauses or ad hoc contractual clauses, the Article 3(2) situation should be taken into account in order not to duplicate the GDPR obligations but rather to address the elements and principles that are “missing” and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country as well as the difficulty to enforce and obtain redress against an entity outside the EU."
Minutes of the EDPB’s September plenary meeting state, “The EU COM confirmed, that, after the draft guidelines are adopted, they intend to develop a specific set of SCCs regarding transfers to importers subject to Article 3(2) GDPR.” Bruno Gencarelli, speaking at the IAPP’s Data Protection Congress in November, termed these to-be-developed contracts “SCCs lite.” Organizations are now asking what to do as they await these new contracts. Organizations may no longer rely on the old SCCs for new transfers, nor can they rely on the new ones when subject to Article 3(2). They will also need to swap out old SCCs adopted before September 27, 2021 by December 27, 2022, but do not know whether these new “SCCs lite” will be available by then. Some stakeholders have stated, what is probably obvious, that many organizations are likely to adopt the new (and existing) SCCs in the interim, having few other options.
The jurisdictional quandaries
Third, the EDPB seems to have adopted a territorial notion of transfers in one respect and a jurisdictional notion of transfers in another. Taken together, the EDPB’s first and third criteria defining transfers mean that organizations located anywhere on the globe and subject to the jurisdiction of the GDPR must adopt a transfer mechanism when sending personal data to a separate organization outside of EU territory. The result is that organizations outside of EU territory whose processing is subject to the GDPR’s jurisdictional reach are required to adopt transfer mechanisms for domestic and foreign transfers alike, even when receipt of the information from EU territory does not require a transfer mechanism because it is provided directly by EU individuals. For instance, an Australian application developer monitoring user activity globally would not require a transfer mechanism to receive EU data directly from app users, but would need to use SCCs or another Chapter V mechanism to transfer it, along with other user data, to an Australian processor. This may come as a surprise to some and could increase the circumstances in which organizations are required to adopt a transfer mechanism.
A debate settled. A consultation begun
The debate is settled, though its ramifications remain to be seen. Some will view the EDPB’s new guidelines as a pragmatic compromise which addresses the duplication inherent in Article 3 and Chapter V, confirms the GDPR’s intent, and preserves important compliance tools. Others will deem it a missed opportunity to modernize GDPR’s transfer regime, recognizing that neither data nor risk nor jurisdiction respect the lines drawn on a map. Still more may see it as yet another complication in an already challenging compliance landscape. The consultation process continues.