Practical implications for international data transfers in the aftermath of Schrems II
A lot has been going on in the field of privacy lately. Personal data transfers in particular have drawn attention as data protection authorities in the EU have issued their decisions. The latest news is from 10 February 2022: the French data protection authority (CNIL) announced that it had ordered a French website operator to comply with Chapter V of the General Data Protection Regulation (GDPR). The CNIL found that the transfers of personal data to the US carried out through the use of Google Analytics were not compliant with Article 44 of the GDPR.
In its Schrems II judgment, the Court of Justice of the European Union emphasized that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes. As a result, the European Commission issued new sets of Standard Contractual Clauses (SCCs) for third country transfers. Furthermore, the Court ruled that controllers or processors acting as exporters are responsible for verifying whether the law or practice in the third country impinges on the effectiveness of the appropriate safeguards provided by the Article 46 GDPR transfer tools. Therefore, a transfer impact assessment should also be carried out to ensure that the EU level of data protection is maintained.
To apply these requirements to the various data transfer situations, there must first be a common understanding of what a data transfer is. On 18 November 2021 the European Data Protection Board (EDPB) adopted new guidelines on the interplay between Article 3 (Territorial scope) and Chapter V (Transfers of personal data to third countries or international organisations) of the GDPR. These guidelines aim to answer the question: what constitutes a transfer of personal data?
What elements constitute a transfer?
According to the EDPB, a transfer takes place when a controller or processor (the exporter) subject to the GDPR discloses by transmission, or otherwise makes available, personal data to another controller, joint controller or processor (the importer) that is in a third country or is an international organisation, irrespective of whether the importer itself falls within the territorial scope of the GDPR.
The definition of a data transfer therefore consists of three cumulative elements:
the controller or processor (exporter) is subject to the GDPR; and
the exporter discloses or otherwise makes the personal data available to another controller or processor (importer); and
the importer is in a third country or is an international organisation.
To bring this down to a practical level, I picked three case examples from the EDPB guidelines that I found interesting.
Three case examples
1) Controller collects data directly from a data subject in the EU
Maria, who lives in Italy, enters her contact details into a web form of an online clothing store operated by a company established in Singapore. The company has no presence in the EU. In this case there is no exporter (controller or processor) passing the data to the third country, so there is no transfer. The guidelines reason that when the data are passed directly on the data subject's own initiative, without an exporter, this does not constitute a transfer. Chapter V therefore does not apply, although the Singaporean company will still need to assess whether its processing activities fall within the scope of Art. 3(2) GDPR.
This case is a practical introduction to the topic: a data transfer under Chapter V of the GDPR occurs only if there is a data exporter (controller or processor) that passes the personal data to the third country or to an international organisation.
2) Processor in the EU sends data back to its controller in a third country
XYZ Inc. is a controller without an EU establishment. XYZ sends personal data of its employees and customers (non-EU residents) to the processor ABC Ltd. ABC is established in the EU and is therefore covered by the GDPR for its processor-specific obligations pursuant to Article 3(1). As XYZ is a controller in a third country, the disclosure of data from ABC back to XYZ is regarded as a transfer of personal data, and Chapter V applies.
This may come as a surprise: neither the controller nor the data subjects are subject to EU law, as they are located outside the EU/EEA, but the processor is. Why should a transfer tool under the GDPR be required when sending data of non-EU residents back to a controller in a non-EU country? Because the processor is the exporter that passes the data (back) to the importer, which acts as the controller. Article 44 of the GDPR envisages that a transfer may be carried out not only by a controller but also by a processor. Hence, a transfer also takes place where a processor sends data to another processor, or even to a controller, as instructed by its controller.
3) Employee of a controller in the EU travels to a third country on a business trip
George, an employee of A (a company established in Poland), travels to India for a meeting. During his stay, George uses his computer to remotely access personal data in his company's databases. Does this remote access from a third country constitute a transfer? Since George is not another controller but an employee acting as an integral part of the same controller (A), it is not considered a transfer: the disclosure takes place within the same controller. The processing, including the remote access and the processing activities carried out by George after the access, is performed by the Polish company, which is subject to Article 3(1) of the GDPR.
The lesson here is that the sender and the recipient must be different controllers or processors for a disclosure to be regarded as a transfer under Chapter V GDPR. It should be noted, however, that entities forming part of the same corporate group may qualify as separate controllers or processors. Consequently, intra-group data disclosures of this kind may constitute transfers of personal data. Finally, the EDPB highlights that in the context of this case, controllers and processors remain obliged to implement technical and organisational measures in accordance with Article 32 of the GDPR, taking into account the risks of their processing activities.
To sum up, there are probably many different situations in which your organisation or its sub-contractors transfer personal data outside the EEA. All of these situations should be identified. It is ultimately the controller's responsibility to ensure that whenever a transfer takes place, it complies with the GDPR and the other requirements of EU law currently applicable.