EDPB Guidelines on the interplay between Article 3 and the provisions in Chapter V of the General Data Protection Regulation on international data transfers
On 14 February 2023, the European Data Protection Board (EDPB) published its Guidelines on the interplay between Article 3 and the provisions in Chapter V of the General Data Protection Regulation (GDPR) on international data transfers (the Guidelines).
By way of recap, Article 3 concerns the extra territorial impact of GDPR, i.e. that non-EU controllers and processors must comply with the GDPR if they target or monitor EU individuals. Chapter V sets out the rules on transfers of personal data to third countries outside of the EU.
The Guidelines note that the GDPR does not contain a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. The Guidelines seek to address this gap and sets out three cumulative criteria to help decide whether a processing operation qualifies as a transfer and triggers the Chapter V requirements:
- A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
- The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
- The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.
The Guidelines expand on these criteria and clarify a number of questions that have previously caused uncertainty. The most notable points are as follows:
1.If an individual discloses their personal data directly to a recipient located in a third country, this is not a transfer for purposes of Chapter V of the GDPR.
The Guidelines provide an example of an Italian resident completing an online form to buy a dress from a website operated by a company in third country. The company has no presence in the EU but specifically targets the EU market. Here, there is no transfer of personal data because the data are not passed by an exporter (controller or processor) but by the data subject herself. However, the website operator would still be required to comply with the GDPR in general since it is targeting the EU market. Conversely, personal data disclosed via cookies are not considered as being disclosed directly by the data subject, but rather as a transmission by the operator of the website that the data subject is visiting.
2.Chapter V of GDPR does not apply to “internal processing”.
In order to qualify as a transfer there must be a controller or processor disclosing the data (the exporter) and another controller or processor receiving or being given access to the data (the importer). Therefore, if an employee of a controller in the EU travels to a third country on a business trip and accesses personal data remotely from that third country, Chapter V would not be triggered. This is “internal processing”. The Guidelines do not go as far as the UK Information Commissioner’s Office’s guidance, which expressly states that a transfer to a third country branch of the exporter entity is not a transfer because the branch is not a “distinct legal entity”. Whilst the Guidelines may be interpreted in a similar way (in particular by reference to the word “another” in the relevant criterion), the requirements set out in point 3 below may just mean that many organisations continue to treat transfers between European establishments and their non-European branches as Part V transfers.
3.Even if there is no transfer for the purposes of Chapter V, if processing takes place in a third country (e.g. because an employee is travelling abroad), it is still necessary to consider risks relating to conflicting national laws or disproportionate government access in order to comply with GDPR obligations more generally.
The Guidelines say when assessing these types of situations against the requirements of GDPR (e.g. the principles under Article 5 and the security principle under article 32), the controller may conclude that employees cannot take their laptops to certain third countries because the risks are too great. The EDPB says it will assess the need for additional guidance to be issued on safeguards on this point.
4.Where an EU controller appoints an EU processor which then makes an onward transfer to a third country, the EU controller still has responsibilities for that transfer.
The Guidelines say in these situations the EU controller “is also responsible and could be liable under Chapter V, and also has to ensure that the processor provides for sufficient guarantees under Article 28”. This highlights that EU controllers should be conducting checks to ensure their processors are complying with the Chapter V requirements and conducting transfer impact assessments where required. The Guidelines do not, however, give clarity on how extensive these checks should be.
5.If an EU controller uses an EU processor that is subject to legislation of a third county (e.g. the US) that would require it to comply with governmental access requests from that country, the EU processor may not be able to provide “sufficient guarantees” as required by Article 28 of the GDPR.
The example cited in the Guidelines is an EU processor whose parent company is in a third country. It suggests that the extra-territorial effect of the third country’s law might mean the EU processor accedes to government access which could result in an unlawful transfer of personal data. Therefore, organisations will need to look at the company structure of a prospective processor before engaging it and document why it believes that “sufficient guarantees” are in place despite this possible risk. Given that so many widely used vendors are US headquartered and potentially subject to the Foreign Intelligence Surveillance Act (FISA) this could create more work for many organisations who may need to go back and review their arrangements with providers that are subject to FISA and similar laws. The Guidelines say that the EDPB is ready to cooperate with the European Commission in the development of an additional set of Standard Contractual Clauses to cover the scenario where an importer is subject to the GDPR under Article 3 but is located in a third country.
The purpose of the new set of SCCs is so that the provisions of GDPR are not duplicated with those in the SCCs (as the importer is required to comply with GDPR in any event), but just to deal with risks associated with conflicting national laws and government access in the third country.
EU-U.S. Data Privacy Framework
The publication of these Guidelines is timely given that the EDPB has also recently published its opinion on the draft adequacy decision regarding the EU-U.S. Data Privacy Framework (EU-US DPF). In a press release accompanying the opinion, the EDPB said that it “welcomes substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for U.S. intelligence gathering of data and the new redress mechanism for EU data subjects” whilst also expressing “concerns and [requesting] clarifications on several points” relating to certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism. However, tentatively our overall sense is that the EDPB opinion is not attempting to block the adequacy decision. It recognises that important changes have been made and seems to accept that at least some of the improvements can be addressed later down the line at regular reviews.
In terms of next steps, the European Commission could make amendments to the draft decision in response to the EDPB opinion (and, in response to the positions of the European Council and Parliament when we have them). However, it is unlikely that any substantial changes will be made at this late stage given the lengthy legal and political negotiations that have already taken place. Indeed many will be eager to see the adequacy decision finalised, particularly Meta which is expecting to receive an order from the Irish Data Protection Commissioner (enforcing the Schrems II judgment) which may ban its EU-US data transfers.
The Guidelines are welcome because they clarify a number of areas that have previously caused uncertainty. However, some parts mean that organisations will have to conduct further analysis on whether they need to broaden the scope of their transfer impact assessments and require more information on how their processors comply with Chapter V.