Exploring the Awkward Secret of Data Transfer Regulation: the EDPB Guidelines on Article 3 and Chapter V GDPR
If an awkward secret is something that is known but not discussed because it is too difficult or embarrassing, then the interplay of territorial scope and data transfer rules in data protection law certainly fits this description.
For over 20 years since the enactment of the EU Data Protection Directive 95/46 and subsequent adoption of the EU General Data Protection Regulation 2016/679 (GDPR), confusion has reigned about the relationship between rules delimiting the territorial scope of the law and its application to data processing by parties established outside the EU (currently governed by Article 3(2) GDPR), and those dealing with transfers of EU data to non-EU parties (currently governed by Chapter V). The Court of Justice of the EU (CJEU) has never opined on this topic, even when the opportunity to do so was present. For instance, in its judgment in Case C-210/16 Wirtschaftsakademie the Court did not deal with it, despite the fact that the Opinion of Advocate General Bot established that both online monitoring of EU individuals via cookies and international data transfers were being carried out (see paras. 50 and 81 of his Opinion).
On 18 November 2021 the European Data Protection Board or EDPB (the body established under the GDPR, composed of the DPAs of the Member States and the European Data Protection Supervisor (EDPS)) adopted its Guidelines 05/2021 (the Guidelines), which mark the first time the DPAs have opined on the interplay between territorial scope and data transfer rules. The topic is of significant importance, since the coherence and consistency of EU data protection law require clarity about the interaction of the two sets of rules governing its extension outside EU borders. From a practical point of view, their interaction helps determine the GDPR’s effectiveness in providing protection for cross-border activities such as data processing by social media, data transfers by international companies, and international data sharing by public authorities. The Guidelines deal with issues that are important for individuals who want to know how their data are protected internationally; for data controllers and processors that must implement protections for international data processing; and for DPAs that enforce the law regarding data transferred to and/or processed by parties in third countries.
The Guidelines raise a number of complex legal issues that cannot be dealt with in detail here; for more extensive discussion, I refer readers to my recent Research Paper on this subject. All I can do within the limits of a blog post is to make a few observations about the Guidelines, and draw some conclusions about their implications. Svetlana Yakovleva has also published on this blog an insightful analysis of some of the EU and international trade law issues raised by the Guidelines.
Nature of the relationship
In its Implementing Decision on the new standard contractual clauses for data transfers (SCCs) issued in June 2021, the Commission seems to disallow their use for transfers to non-EU parties that offer goods or services to individuals in the EU or monitor their behaviour and are thus subject to the GDPR under Article 3(2) (see Recital 7 and Article 1(1) of the Decision); a similar position is taken in the Commission’s proposed decision on the adequacy of data protection in the Republic of Korea (see Recital 7). However, the Guidelines retreat a bit from the Commission’s view, stating that the need to ensure that data transfer tools provide essentially equivalent protection under the GDPR ‘applies also in situations where the processing falls under Article 3(2) of the GDPR…’ (p. 4). This may lead to confusion as to whether use of appropriate safeguards for data transfers under Article 46 GDPR such as the SCCs is possible in situations where the party receiving the data is also subject to the GDPR.
The Guidelines clarify the nature of the data transfer restrictions under Chapter V, stating that they are intended to ensure that the level of protection provided by the GDPR is not undermined (p. 3), which is the same rationale that underlies territorial scope rules (see Recital 23 GDPR). However, although the two sets of rules are complementary, there are important differences in their standards of protection and enforcement.
Data transfer rules mandate that the mechanisms of protection be essentially equivalent to EU law, while territorial scope rules result in application of the GDPR itself. However, the GDPR cannot operate outside of the EU as it does within its borders, since it is based on the EU’s legal framework in areas such as the recognition and enforcement of judgments, the rule of law, and the independence of the DPAs that by their nature do not apply directly in third countries. Application of the GDPR under Article 3(2) occurs without regard to the standards of the legal system of the country where the processing takes place, while data transfer mechanisms contain special protections that are fine-tuned for the differing standards that apply outside the EU. This means that relying solely on Article 3(2) may result in a lower standard of protection than when the processing is also covered by a data transfer mechanism under Chapter V.
The Guidelines recognise this risk, but fail to provide a convincing response as to how it should be addressed. In particular, they suggest that new SCCs be developed ‘in cases where the importer is subject to the GDPR for the given processing in accordance with Article 3(2)’ (p. 9), but this does not seem to make sense, since in such cases ‘there is no controller or processor sending or making the data available’ (see p. 5) and thus no party capable of signing the SCCs as data exporter. It may be that here the EDPB is proposing a new set of SCCs to cover data transfers from non-EU parties subject to the GDPR that receive EU data and then transfer them on to third parties, but the language used is confusing.
There are also differences in enforcement. Data transfer rules contain mechanisms that help compensate for the difficulty of enforcing obligations under EU law against parties in third countries. For example, in issuing an adequacy decision the Commission must ensure that data protection in the third country provides for ‘effective and enforceable data subject rights and effective administrative and judicial redress’ (Article 45(2)(a)), and the SCCs contain clauses giving data subjects extra redress mechanisms against data importers (see Clauses 10-11 of the new SCCs).
By contrast, when the GDPR applies to data processing in a third country it does so regardless of the possibility of enforcement. The GDPR’s territorial scope rules are designed more to put non-EU actors on notice that entering the EU market or processing the data of EU individuals carries consequences than to threaten a high risk of legal enforcement. Thus, while it is true, as the Guidelines state (p. 6), that the processing of personal data by a non-EU company that is not subject to data transfer rules may still receive protection under the GDPR pursuant to Article 3(2), this is likely to result in a lower possibility of enforcement than under the data transfer rules of Chapter V.
Definition of international data transfer
The Guidelines break new ground by defining an international data transfer (p. 4) as involving 1) a controller or processor subject to the GDPR for the given processing, 2) disclosure of the data or making them available by this party to another controller or processor, and 3) a data importer located in a third country or an importer that is an international organisation.
They base this definition on the findings of the CJEU in its judgment in Case C-101/01 Bodil Lindqvist from 2003, which was the CJEU’s first one dealing with international data transfers. However, the Court’s holding in Lindqvist was limited to determining that the upload of data to a web site stored with a hosting provider established in the EU did not constitute an international data transfer under the former Directive 95/46 (see para. 71 of the judgment), which is a thin reed on which to base a comprehensive definition of international data transfers under the GDPR. Moreover, that case was decided before the Charter of Fundamental Rights was raised to the status of primary law in 2009 under Article 6(1) TEU. Since then the CJEU has relied on the Charter to emphasize the need for a high standard of protection for international data transfers in the context of international agreements of the EU (Opinion 1/15, paras. 119-231), Commission adequacy decisions (Case C-362/14 Schrems, paras. 38-40), and the EU standard contractual clauses (Case C-311/18 Schrems, para. 99). In light of these judgments applying the standards of the Charter in an international context, any definition of international data transfers must surely be based on the necessity of providing a high level of protection for data processing outside the EU, not on a single judgment decided many years ago under different circumstances.
Data disclosures by individuals and gaps in protection
Based on the above definition, the Guidelines conclude that an international data transfer does not exist ‘where the data are disclosed directly and on his/her own initiative by the data subject’ (p. 5), since ‘in such case, there is no controller or processor sending or making the data available (‘exporter’)’ (ibid.). This conclusion is not logically compelling and may create gaps in protection.
The Guidelines illustrate this conclusion by describing several imaginary cases, one of which involves a company established in Singapore without an EU establishment that sells clothing online to EU individuals via its web site (pp. 5-6). In such a situation, the Guidelines conclude that no data transfer has occurred, since the data subject has disclosed the data to the web site on her own initiative, and there is no controller or processor sending or making the data available (p. 5). This conclusion seems questionable, since the company in Singapore controls the technical means by which the individual is sending her data to it (i.e., the company’s web site). Thus, it could be said that the company is as much in control of the actions that result in the data being processed outside the EU as is the individual. While in such a situation some of the data transfer mechanisms contained in Chapter V may be unavailable (for example, the SCCs under Article 46(2)(c) could not be used, since the same company could not sign them as both exporter and importer, see p. 7), others could be used, such as if the company were to join an approved code of conduct or certification mechanism under Article 46(2)(e) and (f).
It is difficult to understand why parties that ‘reach into’ the EU to interact with data subjects via the Internet and control the technical means by which data are provided to them could never be considered as instigating an international data transfer, and should be allowed to avoid implementing the protections that the GDPR has provided for transfers. This interpretation could create incentives for parties in third countries to monitor the behaviour of individuals in order to fall under the territorial scope rules of the GDPR (see Article 3(2)(b)) rather than have to implement a data transfer mechanism, given that the means of enforcement under the former are more limited than under the latter (see above). Indeed, this may be the reason that some multinationals have long advocated the position that the EDPB has taken. Moreover, it is not uncommon for data processing by non-EU parties to both fall under the GDPR and involve the import of EU data, but in light of the Guidelines it is not clear what legal duties apply in such a situation.
The way forward
The Guidelines are not the EDPB’s finest hour. They are unclear on some important points and allow gaps in protection, and it is unlikely that they will put an end to the confusion that has long plagued this topic. They apparently took several years to finalize and were the subject of heated disagreements among members of the EDPB, and it shows.
They also illustrate how the EDPB is increasingly acting as a quasi-legislator as it interprets key data protection issues, but without the transparency that applies to the legislative process. Although it is commendable that it has launched a public consultation on the Guidelines (comments are welcome until 31 January 2022), there should also be greater openness earlier in the EDPB’s deliberations.
It is time to break a taboo and suggest that, in addition to its practice of launching public consultations, the EDPB would benefit from a standing group of outside experts made up of representatives from academia, NGOs, and data controllers that could provide expertise and feedback on difficult issues, as other DPAs and groups of them have established. For example, the EDPS established an Ethics Advisory Group that has provided input into its work on data ethics, and the Global Privacy Assembly has appointed a Reference Group to provide expert knowledge and practical expertise. If set up with the requisite transparency and accountability, such a group need not affect the EDPB’s independence.
Finally, the Guidelines illustrate that the interplay of territorial scope and data transfer rules has become too complex to be dealt with solely through ad hoc actions such as Commission decisions and EDPB Guidelines. What is needed is for the rules of Article 3 and Chapter V to be merged into a single set of provisions dealing with the protection of EU data processed by and transferred to non-EU parties (some ideas in this regard are described on pp. 33-35 of my Research Paper), which can only be done by the EU legislator in the course of revision of the GDPR. This would be the best way to provide consistency and clarity in this important area of EU data protection law, and to meet the standards set by the CJEU.