On November 18, 2021, the European Data Protection Board (EDPB) adopted new draft guidelines on the interaction between Article 3 of the General Data Protection Regulation (GDPR) of the European Union and Chapter V of the same law. This new guidance clarifies that the processing of personal data by organizations located in countries outside the European Economic Area (EEA) is governed by the transfer restrictions in Chapter V, even when the organization is subject to the GDPR because of the extraterritorial applicability of the law. But the EDPB unnecessarily leaves open the question of how to comply with Chapter V in such circumstances, recognizing that the required transfer tools are currently “only available in theory”.
Article 3 defines the territorial scope of the GDPR, including extraterritorial provisions that bring non-EEA organizations into the scope of the GDPR when offering goods and services to, or monitoring the behavior of, individuals in the EEA. At the same time, Chapter V (Articles 44 to 50) restricts transfers of personal data to countries outside the EEA, unless appropriate transfer tools, also identified in Chapter V, are used to ensure that the transfer of personal data does not affect the level of protection guaranteed by the GDPR.
The long-recognized tension between Article 3 and Chapter V exists because it has never been clear whether Chapter V applies to the processing of personal data which will remain subject to the GDPR after a transfer (due to the processing of the recipient organization falling within the extraterritorial scope of the GDPR). Some have argued that the application of Chapter V requirements in this extraterritorial scenario is redundant, but the EDPS has refused to answer the question in previous guidance. The European Commission revived the question when it noted, in recital 7 of its Standard contractual clauses for cross-border data transfers, that the clauses cannot be used in this extraterritorial scenario:
The standard contractual clauses can only be used for such transfers insofar as the processing by the importer does not fall within the scope of [the GDPR]. This also includes the transfer of personal data by a controller or a processor not established in the Union, insofar as the processing is subject to [the GDPR] (in accordance with Article 3 (2) thereof), as it concerns the offering of goods or services to data subjects in the Union or the monitoring of their behavior in so far as it takes place in the Union.
This has led to more debate about the interaction between Chapter V and Article 3 and, more concretely, questions about exactly how entities are supposed to transfer data when they fall under the extraterritorial scenario. The new EDPB guidance, which is open for public comment until January 31, 2022, confirms that Chapter V applies whether or not the data importer’s processing is subject to the extraterritorial scope of the GDPR. More specifically, the EDPB identifies three “cumulative criteria” to determine what a transfer of personal data is:
- A controller or processor is subject to the GDPR for the specified data processing.
- This data exporter (a controller or processor) discloses by transfer, or otherwise makes available personal data that is the subject of the specified personal data processing, to a data importer (another controller or processor as the data exporter). Note that this criterion is not met when personal data is disclosed directly by an individual on his own initiative to a recipient, regardless of the location of the recipient, because no controller or processor transmits the personal data.
- The data importer is not located in the EEA, whether or not it is subject to the GDPR in accordance with Article 3 for the specified processing of personal data.
It should also be remembered that Article 3 applies to specific instances of processing of personal data rather than to an organization as a whole, so the need to comply with Chapter V should always be assessed on the basis of the specific data processing undertaken. When these three criteria are met, the cross-border transfer of personal data must comply with Chapter V, which means that the transfer must be based on one of the transfer tools in Chapter V, such as an adequacy decision or standard contractual clauses, even where the importer is subject to the GDPR in relation to the processing in question.
Responding to criticism that this is an unnecessary and overly cautious approach when data processing is already subject to GDPR requirements, the EDPS notes that the additional requirements are necessary not as a duplication of GDPR obligations, but rather to address the elements and principles that are “missing” and, therefore, necessary to fill the gaps related to conflicting national laws and government access in the third country, as well as the difficulty of enforcing and obtaining compensation against an entity outside the EU. To clarify, such tools should, for example, address actions to be taken in the event of a conflict of laws between third country law and the GDPR and in the event of legally binding third country requests for the disclosure of data.
Unfortunately, the EDPB guidance does not provide any immediate solution for compliant personal data transfers in the extraterritorial scenario. If, as expected, this EDPB guidance remains largely unchanged, we will need additional transfer tools to deal with this scenario. The EDPB notes that it “encourages and stands ready to cooperate in the development of a transfer tool, such as a new set of standard contractual clauses, in cases where the importer is subject to the GDPR for the given processing in accordance with Article 3 (2).” In the meantime, organizations affected by this recent EDPB guidance are largely trying to comply with increasingly complex data transfer guidelines while having few practical solutions at hand.