On 18 November 2021, the European Data Protection Board ("EDPB") adopted new guidelines which:
- Set out three-part criteria for identifying whether an action will be considered an international transfer of personal data; and
- Clarify that restrictions on international data transfers do apply to transfers to entities located in a third country, but which are subject to the GDPR under its extraterritorial scope.
Businesses will welcome the clarity on which activities are considered international data transfers, particularly the EDPB's guidance on the use of EU personal data by employees travelling abroad, the direct collection of personal data from individuals located in the EU by foreign businesses and the transfers of non-EU personal data to and from EU-based service providers (more details below). However, the guidance confirms that organisations may be required to implement additional tools to ensure that these transfers are adequately protected, even where the recipient is subject to the GDPR.
Restrictions on international data transfers
When personal data is transferred to third countries, the transfer must be carried out in accordance with Chapter V of the GDPR.
Chapter V sets out several tools that businesses can rely on when transferring data to third countries. One of these is the so-called adequacy decision by the European Commission (Art. 45 GDPR), which approves a specific country as providing an adequate level of data protection. Transfers to third countries that have not received an adequacy decision can be based on "appropriate safeguards" (Art. 46 GDPR) for the protection of the personal data being transferred, including the Standard Contractual Clauses ("SCCs"). When one of these tools is used, it must also be assessed whether additional measures are needed to achieve an equivalent level of protection for the transferred personal data, following the Schrems II decision of the Court of Justice of the European Union and EDPB guidance following this decision (see here). In specific situations and under certain conditions, a derogation pursuant to Art. 49 GDPR may apply.
What is an international transfer of personal data?
To assist controllers and processors of personal data in the EU in identifying when restrictions on international transfers will apply, the EDPB identified three cumulative criteria that, if met, qualify an activity as a transfer:
- A controller or a processor is subject to the GDPR for their processing of personal data.
- This controller or processor (the "Exporter") discloses, transmits, or otherwise makes the relevant personal data available to another controller, joint controller or processor (the "Importer").
- The Importer is in a third country, or is an international organisation (irrespective of whether or not the Importer is subject to the GDPR in accordance with Article 3 GDPR).
If the three criteria are met, the activity is considered a "transfer to a third country or to an international organisation" under the GDPR. Therefore, the parties need to comply with the conditions of Chapter V GDPR. These requirements must also be met by any sub-processors of personal data performing an international data transfer.
The guidance also provides clarity on further specific examples, notably that:
- Where an employee of a company which is subject to the GDPR travels to a third country, and accesses personal data remotely on the employee's computer in that country, this is not considered an international transfer because the employee is seen as being an integral part of the company and not a separate controller.
- Where a business in a third country collects data directly from data subjects within the EU (e.g., data subjects insert personal data into a website operated by a company based in a third country with no presence in the EU), this is not an international data transfer because there is no Exporter.
- Where a data controller located in a third country instructs a data processor, who is subject to the GDPR because of their establishment in the EU, to process personal data on their behalf, and the processor then re-sends the personal data to the controller, this will be considered an international transfer of personal data, because the controller would be considered an Importer in a third country and the processor an Exporter.
The EDPB further noted that where a data flow is not considered a transfer under Chapter V, such processing can still be associated with risks, for which safeguards must be implemented by the controller or processor pursuant to Article 32 GDPR (obligation to implement technical and organizational measures taking into account, inter alia, the risks with respect to the processing), regardless of whether the processing takes place in the EU or not.
How does Article 3 of the GDPR affect international transfers?
This new guidance confirms that Chapter V GDPR requirements apply to transfers to entities who are located in a third country, but are subject to the GDPR because of its extraterritorial effect, for example where a company processes the personal data of data subjects who are in the EU and fulfils other criteria, as set out in Article 3(2).
In relation to such transfers, the EDPB stated that even though the importer is subject to the GDPR, a transfer tool is still needed, because the local law in the third country does not contain the other rules that exist on EU and Member State level aiming at the protection of personal data, as well as the EU Charter on fundamental rights and freedoms. As such, a different transfer tool should be used instead of those which are currently available, in order not to duplicate the GDPR obligations but instead to focus on the elements and principles that are "missing" and to fill the gaps relating to conflicting national laws and government access in the third country, as well as the difficulty of enforcing and obtaining redress against an entity outside the EU. The EDPB announced that it encourages and stands ready to cooperate in the development of a transfer tool, such as a new set of SCCs, to apply in this situation. It is currently unclear when such a new tool will be adopted.
For further information on the previous guidance issued by the EDPB on international data transfers see here.
Other Author Salome Peters, Legal Intern
© Copyright 2021. The Mayer Brown Practices. All rights reserved.