Everything is (Somewhat) Illuminated: The EDPB Defines “Transfer”
The concept of a “transfer” under Chapter V of the GDPR has always been a bit like obscenity. We didn’t have an authoritative definition, but with apologies to the late Justice Potter Stewart, we knew it when we saw it. And the law’s lack of clarity on what a transfer is gave rise to some tricky questions for US-based organizations, as we noted in a previous post.
But after keeping us in suspense for over five years, the European Data Protection Board (the “EDPB”) recently issued Guidelines on the interplay between the application of Article 3 and Chapter V of the GDPR (the “Guidelines”). The Guidelines provide helpful guidance on a question that is near and dear to our hearts: What, exactly, is an international data transfer subject to Chapter V of the GDPR?
What Does the GDPR Say?
A well-drafted statutory scheme typically defines key terms. Therefore, our first stop should be Chapter I, Article 4 of the GDPR, where we see that “transfer” is defined as… well… it’s not. A bit odd, given the tremendous impact of the restrictions on transfers, particularly after Schrems II.
The rest of the regulation does not give us much more to go on. For example, Chapter V, Article 44 provides:
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
Recital 101 on “General Principles for International Data Transfers” references “[f]lows of personal data to and from countries outside the Union and international organizations” and transfers “from the Union to controllers, processors or other recipients in third countries or international organizations.” Unfortunately, none of this language does much to define the contours of a “transfer.”
The EDPB Fills in the Gap
In the Guidelines, the EDPB set forth three criteria that all must be met for the transmission of personal data to qualify as a “transfer” subject to Chapter V of the GDPR:
- A controller or a processor is subject to the GDPR for the given processing.
- This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
- The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
These criteria have important implications for how Chapter V applies to a variety of scenarios, including the following:
- Direct collection of personal data by a US-based organization from an EU-based data subject does not qualify as a transfer subject to Chapter V. The EDPB reached this conclusion because the data subject is not a controller or processor—and therefore cannot be an exporter. And without an exporter, there cannot be a transfer.
- When a processor in the EU transmits personal data back to its controller in a third country from which the personal data originated, that’s a transfer. According to the EDPB, this result follows even if we assume that the personal data is transferred back to a controller that is not subject to the GDPR and the personal data does not pertain to EU data subjects. The EDPB also makes clear that the transmission of personal data back to a controller that is subject to the GDPR (under GDPR Article 3(2) because it targets the EU market) is also a transfer.
- A transfer does not take place when an employee travels to a third country and remotely accesses personal data hosted in the EU. Based on previous EDPB guidance, remote access to personal data can constitute a transfer of personal data. In the Guidelines, however, the EDPB explains that remote access by an employee of an EU-based controller while that employee is abroad does not qualify as a transfer because the employee “is not another controller, but an employee, and thus an integral part of the controller” (the employer). The Guidelines indicate that this example is not limited to remote access. The EDPB explains that, “if the sender and the recipient are not different controllers/processors, the disclosure of personal data should not be regarded as a transfer under Chapter V of the GDPR—since data is processed within the same controller/processor.” The Guidelines also note, however, that transfers among separate corporate entities that form part of the same corporate group may still qualify as transfers.
- The consolidation of EU HR data in a third country is a transfer. The EDPB makes clear that when an EU subsidiary of a US-based parent sends its HR data to the parent company to be stored by the parent in a centralized HR database in the US, the disclosure is a transfer under Chapter V. Here, the parent is the processor, while the subsidiary is the controller. Not a novel application of Chapter V, but perhaps a helpful reminder for multinational organizations seeking to consolidate HR operations.
In our previous post, we covered the challenges that the Schrems II decision and its invalidation of Privacy Shield created for US-based organizations that are subject to the GDPR and collect personal data directly from EU-based data subjects. Many of these organizations had been relying on Privacy Shield to facilitate the flows of personal data from the EU to the US, to the extent they qualified as “transfers” under GDPR Chapter V.
As we explained in that post, the invalidation of Privacy Shield left these US organizations in a tough spot due to the lack of viable transfer mechanisms and skepticism regarding the availability of derogations (e.g., consent) under GDPR Article 49. Fortunately—and correctly, in our view—the EDPB rendered the issue moot, concluding instead that direct collection of personal data by a US-based organization from an EU-based data subject does not qualify as a transfer at all, so that no transfer mechanism is required.
But the Guidelines do not appear to envision a free-for-all once the data has been received in the US, or another third country, by way of direct collection. Instead, the EDPB’s criteria suggest the controller must rely on a transfer mechanism or derogation to transmit the personal data to another organization within the United States.
It is notable that the EDPB essentially adopted what has long been the UK Information Commissioner’s Office (“ICO”) public position on this issue. In its publication “Data protection at the end of the transition period,” the ICO stated that the UK’s restriction on international data transfers does not apply if “you only transfer personal data outside the UK to consumers or only receive personal data from outside the UK directly from consumers.” The alignment between the EDPB and ICO on this issue is good news because it will enable US-based organizations to take a uniform approach vis-à-vis EU and UK residents—on this issue, at least.
It is also notable that the EDPB rejected the “jurisdictional” approach to international data transfers that has been raised by others as a possible approach to this issue. Under that approach, a transfer of personal data from the EU to an organization in a third country that falls under the GDPR’s extraterritorial scope under Article 3(2) would not be a “transfer” insofar as that organization would already be directly subject to GDPR, and additional means of ensuring adequate protection for the personal data received by that organization from the EU would be unnecessary.
In the Guidelines the EDPB took a “territorial” approach, concluding that a transmission of personal data by an exporter to an importer in a third country constitutes a transfer regardless of whether the importer’s processing activities are subject to the GDPR and the importer protects the personal data in accordance with the regulation. The EDPB did point out, however, that for purposes of establishing adequate safeguards in connection with a transfer, “for a transfer of personal data to a controller in a third country less protection/safeguards are needed if such controller is already subject to the GDPR for the given processing.” Therefore, a transfer to a controller subject to GDPR may be easier to facilitate in compliance with the GDPR.
As explained above, the EDPB also took the position that the return by an EU-based processor of personal data regarding non-EU residents to a controller in a third country is a transfer subject to GDPR Chapter V. That is an unfortunate result, particularly for organizations in third countries that may want to engage EU-based processors.
* * *
Organizations with EU–US data flows should keep a close eye on this space. The Guidelines are open for comment until January 31, 2022 and are therefore subject to change. Reach out to a member of our team if your organization requires assistance with international data transfer matters.