GDPR Transfer Rules vs Rules on Territorial Scope: A Critical Reflection on Recent EDPB Guidelines from both EU and International Trade Law Perspectives
Just last year EU rules governing cross-border data flows made headlines after the European Court of Justice’s (CJEU) judgement in Schrems II (analysed here, here, here, and here in the blog). In that judgement, the CJEU invalidated for the second time the mechanism for personal data transfers from the EU to the United States (this time the EU-US Privacy Shield) because it failed to meet the ‘essential equivalence’ standard previously developed by the CJEU in Schrems I (analysed here in the blog). The court clarified that the same standard applies to all other mechanisms for transferring personal data, including widely used Standard Contractual Clauses (SCC). In practice, this translates into an obligation on data exporters to conduct an assessment of whether the legal system of the country of destination of the data meets that standard and, if not, to either refrain from transfers altogether or adopt so-called ‘supplementary measures’ (analysed here and here in the blog). As readers no doubt know, EU restrictions on transfers of personal data outside the EEA have been contentious in digital trade negotiations in the past years, including the most recent one with the United Kingdom.
As transfer mechanisms, strengthened by the CJEU, have become harder to comply with, it is now crucial to determine the scope of the transfer rules. This is a two-fold inquiry. First, what is a ‘transfer’ that triggers the application of the transfer rules in Chapter V of the General Data Protection Regulation (GDPR)? This notion is not defined in the GDPR, despite calls for this definition from the European Data Protection Supervisor (EDPS) and the European Economic and Social Committee. Second, how do the rules on transfers in Chapter V interact with the GDPR’s territorial scope, which extends to data controllers and processors outside the EU (Article 3 GDPR)? In particular, given that the primary goal of the transfer rules is to prevent circumvention of the GDPR, is the application of transfer mechanisms necessary when a foreign data controller or processor falls under the scope of the GDPR?
Both of the above issues were addressed in the much awaited EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (the ‘Guidelines’), which were just published for public consultation. Below I evaluate the Guidelines critically from both an EU data protection and an international trade law perspective. First, however, a short summary of the main points of the Guidelines is in order.
The Gist of the EDPB Guidance
There are three particularly important points in the Guidelines. First, the EDPB introduces three cumulative criteria to determine whether a data flow qualifies as a ‘transfer’ under the GDPR (para. 7):
(1) A controller or a processor must be subject to the GDPR for the relevant processing,
(2) The controller or processor (‘exporter’) discloses by transmission or otherwise makes personal data available to another controller, joint controller or processor (‘importer’), and
(3) The importer is in a third country or is an international organisation, irrespective of whether or not it is subject to the GDPR under Article 3 GDPR for the given processing.
In relation to criterion (2), the EDPB also explains that it is not fulfilled when personal data is ‘disclosed directly and on his/her own initiative by the data subject to the recipient’ (para. 12). Furthermore, the disclosures of personal data between entities belonging to the same corporate group may constitute transfers if those entities qualify as separate controllers or processors (para. 16).
Second, when personal data is transferred to a foreign controller that is subject to the GDPR, ‘less protection/safeguards are needed’ (para. 23). Therefore, the transfer mechanisms for such cases should not duplicate the GDPR but rather ‘address the elements and principles that are “missing” and, thus, needed to fill the gaps relating to conflicting national laws and government access … as well as the difficulty to enforce and obtain redress against an entity outside the EU’. The EDPB also seems to imply that the aim of Chapter V of the GDPR is to ensure continuity of protection offered not only by the GDPR itself, but also to compensate for the inapplicability of the ‘overarching legal framework within the Union’ more broadly (paras. 2 and 3).
Third and finally, even when the data flow is not a ‘transfer’, it can still entail risks for individuals, including foreign governments’ access to such data and difficulties in enforcing and obtaining redress against entities outside the EU (para. 17). Relying on Article 32 GDPR, which obliges controllers to take technical and organisational measures to protect personal data, the EDPB concludes that considering ‘the risks with respect to the processing under Article 32 of the GDPR, a controller may very well conclude that extensive security measures are needed – or even that it would not be lawful – to conduct or proceed with a specific processing operation in a third country although there is no “transfer” situation.’ This interpretation suggests that restrictions on transfers of personal data can stem not only from the dedicated provisions of Chapter V, but also from other GDPR obligations for controllers interpreted in light of the EU Charter.
Evaluation from an EU Law Perspective
The Guidelines provide needed clarification of the core concepts related to the transfer mechanisms under Chapter V and their role in the overall GDPR framework. My critical observations are presented in the order of the three main points of the Guidelines above.
Incoherence of the GDPR framework
Because the Guidelines define a transfer in terms of ‘exporter’ and ‘importer’, personal data is treated differently depending on the technicalities of the data flow. It follows from the Guidelines that direct data flows from individuals to recipients abroad do not qualify as a transfer, irrespective of whether such a recipient is subject to the GDPR (para. 12). In Example 1, the EDPB demonstrates that when Maria from Italy provides her personal data to a clothing company established in Singapore, Chapter V rules do not apply to the flow of data from Italy to Singapore because there is no ‘data exporter’ (controller or processor). However, if, hypothetically, this Singaporean company had an establishment in Italy, and Maria’s data was first collected in Italy and then passed on to the Singaporean headquarters, Chapter V rules would apply: the Italian entity would be the ‘data exporter’ and the Singaporean headquarters the ‘data importer’ (see, for instance, Example 5 of the Guidelines). Although in both cases Maria’s personal data ends up in a third country, and the difference between these two situations may not even be visible to Maria as a consumer, her personal data, and her fundamental rights, receive different protection. The EDPB does not explain the rationale behind this different treatment or anchor this logic in the GDPR provisions.
Nowhere in the recitals or in Chapter V itself does the GDPR condition the application of the transfer rules on the presence of a data exporter or exclude their application to the collection of personal data from individuals directly. Articles 44 and 46 GDPR, for example, merely oblige ‘the data controller and processor’ or ‘a data controller or processor’ to comply with certain rules when transferring personal data, suggesting that there may be only one controller or processor, collecting personal data from an individual directly while being outside the EEA. The interpretation of a ‘transfer’ as a data flow between an exporter and an importer stems primarily from the interpretation by regulators (for example, EDPB Guidelines on codes of conduct as tools for transfers, para. 7) and the European Commission (for example, SCCs, Clause 1(b)). It must and can change, should the EDPB decide to let go of the definition of transfer in terms of ‘exporter’ and ‘importer’, as otherwise most appropriate safeguards under Article 46 would not be available for direct collection of personal data.
For multinational companies that have establishments within and outside the EU, the EDPB approach offers a way to circumvent the application of Chapter V. For example, the Singaporean clothing company from the previous example may decide that personal data entered by customers on all its European websites should flow directly to its data center in Singapore to which its EU subsidiaries can then have remote access. In these circumstances, the Italian establishment is no longer a data exporter and, therefore, under the Guidelines, Chapter V rules do not apply to any of the data flows from European customers to Singapore. This may also have implications on competition. Larger companies may have more opportunities to reroute their data flows and centralise their data collection abroad, and, as a result, face fewer GDPR compliance obligations and restrictions on data flows than their smaller counterparts.
A proper definition of ‘transfer’ should not depend on a formalistic criterion of presence or absence of a data exporter, but rather on (a) the fact that personal data leaves the EEA borders and (b) the necessity to mitigate the risks to fundamental rights of individuals.
The Goals of the GDPR Rules on Transfers of Personal Data
The Guidelines are based on an implicit assumption that protection provided by the extraterritorial application of the GDPR is lower than the protection offered to transferred data by virtue of Chapter V because, as the EDPB notes, certain ‘elements and principles’ of protection are ‘missing’ (para. 23). This explains why, according to the Guidelines, Chapter V rules should apply even when personal data flows to data importers that must comply with the GDPR.
In its Schrems I judgement, the CJEU held that adequacy decisions under Data Protection Directive 95/46 aim to prevent the circumvention of ‘the high level of protection guaranteed by Directive 95/46 read in the light of the Charter’ by transferring personal data outside the EEA. This goal was later incorporated in Article 44 GDPR, which states that all provisions of Chapter V ‘shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined’. (emphasis added) The level of protection afforded to personal data abroad by virtue of extraterritorial application of the GDPR and by virtue of Chapter V should be the same.
Whether it is the same in reality is an open question. Prior CJEU cases may have raised the level of protection offered by Chapter V. For example, as a pre-condition for transferring personal data on the basis of ‘appropriate safeguards’, data exporters must assess the ‘essential equivalence’ of the legal framework abroad to that of the EU, including the rule of law in a foreign country. This extensive assessment is currently not required in situations where Chapter V does not apply. Christopher Kuner rightly argues that this is the first question that should be researched and answered in order to reconcile the GDPR rules on territorial scope and data transfers. If, after a detailed assessment, some elements end up missing in the GDPR framework as compared to the level of protection for transferred data offered by Chapter V, the next question is whether the simultaneous application of the rules on (extra)territorial scope and Chapter V is the right way forward. As Kuner proposes, perhaps the application of other GDPR provisions should be enhanced to address the risks associated with data transfers outside the EEA. The Guidelines demonstrate one of the ways in which this can be done.
A missed opportunity?
The Guidelines explain that when personal data is collected directly from individuals and Chapter V obligations do not apply, the data controller is nonetheless still accountable for the protection of that data. The EDPB then explains that the obligations in Articles 24, 32, 33 and 35 GDPR may require adopting extensive security measures to address the risks of government access in a third country or difficulties in enforcing and obtaining redress abroad, or even preventing the data flow altogether. This resembles the assessment and supplementary measures that data exporters must consider when relying on the appropriate safeguards of Article 46 in order to transfer to a jurisdiction without an adequacy decision.
The same logic could apply when personal data is transferred to a data importer that is subject to the GDPR, thus removing the necessity of applying a lighter version of Chapter V as the Guidelines currently suggest.
An International Trade Perspective
Cross-border trade in digital goods and services is increasingly dependent on flows of personal data across borders. Because transfers of personal data are crucial for the production and provision of many online services, the Chapter V GDPR rules could fall under the scope of the General Agreement on Trade in Services (GATS) and, potentially, violate EU commitments under that agreement. From an international trade law perspective, excluding direct cross-border collection of personal data from individuals from the scope of ‘transfer’, and thus of Chapter V, can be viewed as a positive development. Subjecting foreign service providers that collect data from individuals directly to Chapter V rules could lead to a violation of national treatment vis-à-vis European service providers, as their opportunities for collection of personal data would be more limited. For example, they cannot rely on legitimate interest for the purposes of transfers, and they would need to obtain two separate consents (both under Article 6 and Article 49) should they decide to rely on consent.
This is, however, not the only instance where GDPR rules on transfers could run afoul of the EU’s trade commitments. The adequacy framework, which treats personal data flows to third countries differently depending on the absence or presence of an adequacy decision, could, as the Article 29 Working Party itself acknowledged, be contrary to the principle of most-favoured-nation treatment.
As I explained elsewhere, a violation of international trade rules is not in and of itself a reason to cry foul because the GATS contains a so-called general exception in Article XIV(ii)(c) that could justify such violation under certain conditions provided that the ‘necessity test’ and the introductory clause of the exception (the ‘chapeau’) are met. In short, the ‘necessity test’ boils down to whether a less trade restrictive alternative is reasonably available to achieve the same level of protection. Its application by WTO adjudicators has been uneven and particularly hard to satisfy (for further discussion see this article).
A key point, however, is that inconsistency created by excluding direct collection from the scope of Chapter V makes meeting the ‘necessity test’ difficult. The very fact that the Guidelines allow data flows directly from individuals without the application of Chapter V to third country recipients even if they are not subject to the GDPR could be viewed as proof of availability of a less restrictive way of transferring personal data in other cases, especially where the data importer is subject to the GDPR.
The EDPB Guidelines are an important step towards clarity on the scope of Chapter V and its relationship to the GDPR rules on territorial scope. Solving these issues without compromising the level of fundamental rights protection, violating the EU’s trade commitments and disturbing the coherence of the GDPR more generally is a tough row to hoe. The application of Chapter V to all data flows, including those directly from individuals, could be problematic from an international trade perspective. Disapplying Chapter V to data flows to foreign recipients subject to the GDPR might undermine protection of fundamental rights. A fragmented approach proposed by the EDPB is problematic from both perspectives.
The aim of Chapter V to prevent circumvention of GDPR rules should lead it to step in where the GDPR no longer applies. A crucial condition for this to work, however, is that the rest of the GDPR should lead to the same level of protection for transferred data as Chapter V. It could be that, following the CJEU interpretation of various Chapter V provisions, especially in light of foreign surveillance risks, Chapter V ends up providing a higher level of protection. Whether this is the case should be the first question to answer before deciding on the scope of Chapter V rules and their relationship with Article 3 GDPR. It is also important to be aware that Chapter V is merely a protection mechanism and not an ‘export’ of EU law. Yet, although in theory this could be beneficial for fundamental rights, in practice it may exacerbate the infamous status of the GDPR as ‘the law of everything’ by ‘reading’ into the GDPR more rules than it actually provides.