EDPB Adopts Guidelines on the Interplay Between Article 3 and International Transfers
On 18 November 2021, the European Data Protection Board adopted Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (“Guidelines”). As many will know, international transfers of personal data have been in the spotlight for over a year now with several different issues and topics being discussed.
So why did the EDPB prepare these Guidelines? Well, it is believed that the EDPB disagreed with, or at least thought it should clarify, the following statement from the European Commission in the Decision 2021/914 on the new Standard Contractual Clauses: “The standard contractual clauses may be used for such transfer only to the extent that processing by the importer does not fall within the scope of Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof)…”.
This statement was not elaborated on by the Commission and has been subject to significant questions and scrutiny since its publication in June as it seemed to suggest that if an importer was subject to the GDPR pursuant to Article 3(2), the relevant exporter and importer did not have to comply with Chapter V of the GDPR.
What is the EDPB’s view?
In the latest Guidelines, the EDPB has established three cumulative criteria that demonstrate a qualifying transfer:
- A controller or a processor is subject to the GDPR for the given processing.
- This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
- The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
Criterion 3 confirms that the EDPB does not consider the importer being subject to the GDPR as a carve-out for compliance with international transfers provisions. The EDPB reinforces criterion 3 by highlighting that the geographical location, or international nature, of the importer is the key element of whether Chapter V is triggered. Whether the processing at hand by the importer falls under the scope of the GDPR is irrelevant when assessing the application of Chapter V. The EDPB also provides a worked example of when this scenario could apply (Example 7 of the Guidelines).
It is the EDPB’s view that even though an importer could already be subject to the GDPR, other laws to which the importer is subject could seek to undermine the GDPR, for example laws allowing for government access to data that go beyond what is necessary and proportionate in a democratic society. Therefore, imposing Chapter V obligations on transfers to such importers counters the potential risk of such local laws undermining the GDPR. The EDPB notes that when using Chapter V safeguards to protect personal data, these need to be “customized” to the particular transfer and, when such transfer is to a controller in a third country that is already subject to the GDPR for the given processing, “less protection/safeguards are needed”. The EDPB goes on to confirm that in an Article 3(2) situation such as being discussed, the parties should avoid duplicating the GDPR obligations but instead, “address the elements and principles that are “missing” and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country as well as the difficulty to enforce and obtain redress against an entity outside the EU”.
Anything else to note?
In addition to clarifying the interplay between Chapter V and Article 3, the EDPB also opined on and clarified an area which has caused confusion for some when considering the application of Chapter V generally. The EDPB confirms, using Example 1 in the Guidelines, that criterion 2 cannot be “considered as fulfilled” where a data subject chooses “on his/her own initiative” to disclose their data to a recipient located in a third country. In this instance, there is no controller or processor sending or making the data available: this does not constitute a restricted transfer and thus, Chapter V does not apply.
Upon publication of the new SCCs back in June of this year, the controversial statement from the European Commission quickly became a topic for debate as it seemed to undermine the approach taken to date by many organisations in complying with Chapter V. The latest Guidelines are therefore to be welcomed as the EDPB has helpfully clarified the confusion caused. The message in relation to international transfers remains clear: any organisations wishing to transfer personal data outside the EU in a compliant manner must ensure the personal data is provided equivalent protection to that which it is provided in the EU and that means complying with Chapter V of the GDPR.