Scott McGeachy: EDPB’s draft guidelines on data transfers under the GDPR
On Thursday 18 November, the European Data Protection Board (EDPB) published its draft guidelines on the interplay between Article 3 (territorial scope) and Chapter V of the GDPR (international data transfers).
This is an important development for international data transfers under the GDPR (also referred to as the “EU GDPR”).
These draft guidelines have been long-awaited. In particular, the guidelines are required in order to clarify a number of uncertainties and ambiguities in relation to what constitutes a “transfer” for the purposes of Chapter V of the GDPR. This will help multinational businesses to plan ahead and understand when it is necessary to put in place appropriate safeguards for data that is transferred outside the European Economic Area (EEA).
The draft guidelines are broadly in line with what was expected. However, they set out official clarifications on a number of key points and concepts. We have set out some of the highlights below:
- Criteria for a “transfer”. The EDPB has identified the following three elements that are required for a “transfer” under Chapter V of the GDPR:
  - “A controller or a processor is subject to the GDPR for the given processing.
  - This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  - The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.”
- Disclosures of data within a single company. There will only be a “transfer” of personal data where two different parties are involved. The EDPB has stated that, in order to qualify as a “transfer”, there must be a controller or processor disclosing the data (i.e. the exporter) and a different controller or processor receiving or being given access to the data (i.e. the importer). This means that if an employee of a company discloses personal data to another employee in a non-EEA branch of the same company, this will not qualify as a “transfer” for the purposes of Chapter V of the GDPR. Similarly, if an employee of a company remotely accesses personal data from a non-EEA third country (e.g. during a business trip), this will not qualify as a “transfer”. In these cases, there is no controller-to-controller transfer; instead, the disclosure is carried out within the same controller. However, there would be a “transfer” if a company discloses data to a separate non-EEA company in the same corporate group.
Helpfully, for the purposes of compliance with the UK GDPR, the Information Commissioner’s Office (ICO) has already adopted the same position on the issue of disclosures of data within a single company. In particular, the ICO’s guidance states that “the transfer restrictions only apply if you are sending personal data outside your company or organisation.”
- Disclosures by data subjects. The EDPB has confirmed that there will not be a “transfer” if data is disclosed directly by a data subject (who is not a controller) to a non-EEA recipient, and such disclosure is at the initiative of the data subject. For example, if an individual inputs their data on a website in order to purchase products from a non-EEA retailer, this disclosure of data would not qualify as a “transfer” for the purposes of Chapter V of the GDPR. However, if the non-EEA retailer is covered by the scope of the GDPR, then any subsequent onward disclosure by the retailer to a non-EEA controller or processor would qualify as a “transfer”.
- Processor-to-controller transfers. The EDPB has confirmed that Chapter V of the GDPR will apply whenever an EEA processor transfers personal data back to its non-EEA controller in a third country. This was expected, as Module 4 of the European Commission’s new standard contractual clauses (New SCCs) is designed specifically to deal with this type of “transfer”. However, it should be highlighted that the ICO takes a different interpretation on this matter. As part of a recent consultation, the ICO has proposed that when a UK processor transfers personal data back to its non-UK controller, this should not qualify as a “transfer” under Chapter V of the UK GDPR.
- Article 3(2) situation. The EDPB has addressed the situation where personal data is transferred to a non-EEA importer in a third country, and that non-EEA importer’s processing falls within the scope of Article 3(2) of the GDPR (the “Article 3(2) situation”). The EDPB has confirmed that, even though the non-EEA importer is directly subject to the GDPR, the Article 3(2) situation would still qualify as a “transfer” under Chapter V of the GDPR. Please note that the ICO has recently proposed that the same interpretation should also apply under the UK GDPR.
The EDPB’s interpretation creates a problem in relation to the New SCCs. Recital 7 of the European Commission’s Implementing Decision for the New SCCs states that the New SCCs can only be used if the importer’s processing does NOT fall within the scope of the GDPR. As such, the New SCCs cannot be used for the Article 3(2) situation. The EDPB has stated that new data transfer tools will need to be created in order to address the Article 3(2) situation. At present, there are no appropriate safeguards which can be used by exporters to deal with this scenario. The European Commission will therefore be required to publish a new set of standard contractual clauses in order to enable lawful data transfers in the Article 3(2) situation. The EDPB has indicated that any such clauses should be lighter touch than the New SCCs; in particular, it has said that this new data transfer tool should not duplicate the GDPR obligations, but should fill the gaps relating to conflicting national laws and government access, as well as the difficulty of taking enforcement action against a non-EEA entity. The EDPB has stated that it stands ready to help in developing a new set of standard contractual clauses for the Article 3(2) situation. According to the minutes of a recent EDPB meeting, it appears that the European Commission has already confirmed that it will create a specific set of standard contractual clauses for the Article 3(2) situation. As such, it is likely that multinational businesses will need to carry out another implementation project in relation to this new set of standard contractual clauses.
The EDPB’s consultation on the draft guidelines is open until 31st January.
We have extensive experience of advising businesses on international data transfers and putting in place appropriate safeguards. We would be happy to help if you wish to discuss the impact of the draft guidelines for your business, or if you wish to consider preparing a response to the EDPB’s consultation on this matter.
Scott McGeachy is an associate at Burness Paull