Friday, 24 February 2023

Key points: EDPB transfers & territorial scope final guidance

We now have the final version of the EDPB's Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR.

1. Generally, it makes useful clarifications to the draft guidance, rather than substantive changes. There are 5 extra examples and a new Annex with diagrams for all examples. New Exec Summary. Maria and George remain the same (not Alice or Bob!), but specific third-country names were removed.

2. Most clarifications aren’t surprising e.g. remote viewing/access of/to EEA-hosted personal data from outside EEA whether for support/admin etc. is a “transfer”, including by a processor; EEA platform passing personal data to non-EEA controller is making a “transfer” (“controller” seems a misnomer if the non-EEA entity isn’t subject to GDPR, but the platform is making a transfer whether it is or isn’t).

3. Helpful: controller disclosing personal data to EEA-incorporated processor (with non-EEA parent) – not a “transfer”. If processor discloses to third-country authority, it does so as independent controller. So controllers must assess circumstances for sufficient guarantees before engaging such processors.

4. Also helpful: 

  • when data subjects directly provide personal data to third country controller not subject to GDPR, that’s not a transfer
  • when data subjects directly provide personal data to third country controller that IS subject to GDPR under Art.3(2) offering/monitoring (added: “specifically targets the EU market”), that’s not a transfer but the controller must comply with GDPR (practical enforceability against it is a different issue of course)
  • when data subjects directly provide personal data to third country processor for third country controller, they don’t make transfers, but the controller “transfers” to the processor

5. Note: still not a transfer if EEA company employee travels to third country with laptop or remotely accesses EEA-hosted data – it’s within the same entity. New: if the employee in his capacity as such sends or makes available data to another entity in the third country, then that’s a transfer by the company.

6. Non-“transfers”:

  • New section on safeguards when processing personal data outside the EEA even if technically there’s no “transfer”. Pay “particular attention” to the third country’s legal framework, as there may still be “increased risks” because “it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in a third country”. These risks must be considered for compliance e.g. Art.5 principles, 24 controller responsibility, 32 security, 35 DPIA, 48 transfers not authorised under EU law: “a controller may very well conclude that extensive security measures are needed – or even that it would not be lawful – to conduct or proceed with a specific processing operation in a third country although there is no transfer situation.”
  • Privacy notices for non-transfers outside EEA!: “when a controller intends to process personal data outside the EU (although no transfer takes place), this information should as a rule be provided to individuals as part of the controller’s transparency obligations, e.g. to ensure compliance with the principle of transparency and fairness, which also requires controllers to inform individuals of the risks in relation to the processing”. Non-binding, strictly…

7. Still unaddressed:

  • Not a “transfer” if it’s within the same legal entity, so e.g. EEA branch of US corp sending personal data to HQ isn't making a transfer, but an EEA subsidiary sending to US parent IS. Obviously the EEA branch would be subject to GDPR, with easy enforceability due to its EEA presence.
  • Art.3(1) can apply directly to non-EEA “established” entities e.g. in the Costeja case, but EDPB focuses mainly on 3(2), mentioning 3(1) only in relation to processors used by EEA-established controllers. Presumably direct provision of personal data by data subjects to Art.3(1) non-EEA controllers would also not be “transfers”, but the controller is caught by GDPR? (practical enforceability…?)
  • EEA subprocessor to non-EEA processor – by analogy with processor-to-controller transmissions, this must be a “transfer”, but no SCCs exist to allow this… (workaround – adapt P2C SCCs, hey we tried our best!)
  • The “conflicting laws” issue applies equally to EEA-established organizations that expand to third countries. Remember SWIFT, where using its own US data center was a “transfer”? Presumably now that use alone is not “transfer”, but disclosure to third-country entities would be.

8. My speculations about possible new options for non-EEA controllers: 

  • will some non-EEA controllers just directly collect personal data from EEA data subjects now? They may still be subject to GDPR under Art.3(2) or even 3(1), but practical enforceability…
  • will some non-EEA groups set up non-EEA subsidiaries to operate branches in the EEA, that can send data “back” outside the EEA without making “transfers”? Of course, those subsidiaries are subject to GDPR, and their disclosure to non-EEA parents will be “onward transfers” that need SCCs etc, but that might be easier for some…

9. Puzzling: most of us share common views on what “made available” involves, but I didn’t follow “embedding a hard drive or submitting a password to a file” – what does that mean, how do they involve “making available” data?