This post relates to Cooley’s Privacy Talks series – a webinar program featuring Cooley practitioners discussing practical guidance and best practices around managing data protection-related issues. Sessions range from the European General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA) – and all the other new data protection frameworks arising in the US, Asia and Latin America. Sessions will occur on a monthly basis in 2022.
In November 2021, the European Data Protection Board (EDPB) adopted its draft Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, which were open to public consultation until the end of January 2022. In this post, as we await publication of the final guidelines, we consider a few of the key questions on data transfers arising out of the current draft. We also look at transfer impact assessments and the implementation of supplementary measures to satisfy the requirements set out in the European Court of Justice decision in Schrems II.
#1: What is a ‘transfer’ for the purposes of the GDPR?
According to the draft EDPB guidelines, for the purposes of the GDPR, a ‘transfer’ occurs where a controller or processor who is subject to the territorial scope of the GDPR for the relevant processing (a ‘data exporter’) transfers, discloses, or otherwise makes available personal data to a controller, joint controller or processor based outside the European Union (a ‘data importer’).
#2: Can there be a transfer where the recipient is already subject to the GDPR?
Yes. The draft EDPB guidelines confirm that the transfer rules apply irrespective of whether the non-EU recipient of the data is already caught by Article 3 of the GDPR.
#3: Can there be a transfer where data is collected by a non-EU organisation directly from data subjects?
Generally speaking, no. The draft EDPB guidelines confirm that there can be no transfer where ‘the data are disclosed directly and on [their] own initiative by the data subject’.
What is meant by direct provision on the data subject’s ‘own initiative’ – and why does the EDPB not consider this to be a transfer?
This is where the data subject takes an active and informed step to provide personal data directly to the non-EU organisation.
The draft EDPB guidelines provide the following example: ‘Maria, living in Italy, inserts her personal data by filling a form on an online clothing website in order to complete her order’.
This is not considered by the EDPB to be a transfer because there is no controller or processor to act as the data exporter.
Does this mean that non-EU organisations falling within this ‘exemption’ can ignore the ‘Schrems question’?
Seemingly, no. The Schrems question – how to resolve issues around conflicting local laws and problematic access to data by public authorities in non-EU countries – is currently a fundamental issue in data transfers.
Although not stated in explicit terms, the draft EDPB guidelines appear to hint at creating a ‘unilateral transfer impact assessment’ requirement, even where there’s no transfer:
‘[even if] there is no “transfer” and Chapter V of the GDPR does not apply … a controller is nonetheless accountable for all processing that it controls, regardless of where it takes place, and data processing in third countries may involve risks which need to be identified and handled (mitigated or eliminated, depending on the circumstances) in order for such processing to be lawful under the GDPR’.
#4: Can provision of personal data from one non-EU organisation to another constitute a transfer?
Yes. The 2021 EU standard contractual clauses and the draft EDPB guidelines confirm that a non-EU organisation caught by Article 3(2) of the GDPR can be a ‘data exporter’.
#5: What transfer tools are being used in practice to cover transfers where the GDPR already applies to the importer?
The 2021 EU standard contractual clauses state that they should only be used to cover transfers to recipients who are not already caught by Article 3 of the GDPR.
However, in practice, they remain the most commonly used tools to cover transfers to importers who are already subject to the GDPR, due to the absence of workable alternatives in many transfer scenarios and fears around not implementing an approved-form transfer tool.
#6: Can we expect new standard clauses to cover transfers where the GDPR already applies to the importer?
Yes. Officials at the European Commission have confirmed that new standard contractual clauses are in the works. The EDPB has also noted that it ‘stands ready’ to cooperate in the development of such a new transfer tool.
#7: What can we expect these new standard data protection clauses to cover, given that the GDPR already applies to the importer?
These new standard data protection clauses likely will just look to address the key gaps between the provisions of the GDPR and post-Schrems II transfer requirements:
- Rights of redress and enforcement against the importer, including third-party beneficiary rights for data subjects.
- Obligations to resolve issues arising from conflicting local laws and practices.
- Obligations in cases of actual or potential access to transferred data by public authorities.
This means that ‘transfer impact assessments’ and ‘supplementary measures’ will remain relevant for importers, even though they are already directly subject to the GDPR.
#8: What is a transfer impact assessment (TIA), and what is encompassed within the requirement for it?
To address the Schrems question, parties to a transfer need to satisfy an additional requirement beyond just implementing a transfer tool such as standard contractual clauses – i.e., a TIA.
A TIA requires a case-by-case evaluation of whether the transfer tool selected to cover any given transfer is effective in establishing an equivalent level of protection of the transferred personal data to that provided under the GDPR.
This involves an analysis of:
- The conditions of the transfer tool proposed to be used.
- The local laws and practice in the importer’s territory that are relevant to the transfer.
- The risks of actual or potential access to transferred data by public authorities.
- Any protections that may already be in place to mitigate such risks, such as application of pseudonymisation techniques.
In light of the findings resulting from the above, organisations must then determine what supplementary measures (if any) are needed to ensure a sufficient level of protection of the transferred personal data.
#9: What types of supplementary measures can be implemented?
Supplementary measures are used to enhance the level of protection of data being transferred and can include:
- Technical measures such as encryption, pseudonymisation, split or multi-party processing.
- Organisational measures such as internal policies for governance of transfers, transparency measures, organisation methods and data minimisation.
- Contractual measures such as obligations to use specific technical measures, transparency obligations and obligations to take specific actions.
#10: Are all supplementary measures equal?
No. In relation to many transfers, the key step that needs to be taken is to ensure that effective technical measures are in place to impede or render ineffective potential access by relevant authorities.
For example, in relation to transfers to the United States, if an importer is subject to Section 702 of the US Foreign Intelligence Surveillance Act (FISA 702), the only really effective supplementary measure is likely to be the implementation of technical measures that genuinely impede or render ineffective potential access by relevant US authorities.
Many attempts at implementing technical measures seen in the market, such as encryption in transit and/or at rest alone, have been found to be insufficient. The decisive question is who holds the keys: where the decryption key sits within US authorities’ jurisdiction in the same manner as the transferred data itself (for example, where the importer manages the keys for ‘at rest’ encryption of its own storage), encryption is not likely to be judged a meaningful supplementary measure. The EDPB’s Recommendations 01/2020 on supplementary measures treat encryption as effective only where, among other conditions, the keys are retained solely by the exporter or by another entity in the EEA or an adequate country, so that the importer cannot be compelled to decrypt what it holds.
Even data localisation (i.e., storage of data within Europe) could ultimately be found to be ineffective due to potential expansive interpretations of US surveillance laws, such as FISA 702 and the Clarifying Lawful Overseas Use of Data (CLOUD) Act, where the European storage is operated by a provider subject to those laws.
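To make the ‘who holds the key’ distinction concrete, the following is an added illustration (not code from Cooley or from the EDPB guidance) of the exporter-held-key pattern described above, written in Go using only its standard library. The exporter generates an AES-256-GCM data key and an HMAC key and keeps both; what crosses the border is a keyed pseudonym in place of the direct identifier plus ciphertext of the payload. The importer can store and return records but cannot decrypt or reverse the pseudonym. Names such as ExporterKeys, Seal and Open, and the sample order record, are constructed for this example; a real deployment would keep the keys in an EU-hosted KMS or HSM rather than in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ExporterKeys is a hypothetical key set generated and held by the EU exporter.
// Neither key is ever sent to the importer.
type ExporterKeys struct {
	DataKey   []byte // AES-256-GCM key for payloads
	PseudoKey []byte // HMAC-SHA256 key for pseudonymising direct identifiers
}

// NewExporterKeys generates fresh keys. Kept in memory here so the example runs
// offline; in practice they would live in an EU-hosted KMS/HSM.
func NewExporterKeys() (*ExporterKeys, error) {
	k := &ExporterKeys{DataKey: make([]byte, 32), PseudoKey: make([]byte, 32)}
	if _, err := rand.Read(k.DataKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(k.PseudoKey); err != nil {
		return nil, err
	}
	return k, nil
}

// Record is the only thing that crosses the border to the importer.
type Record struct {
	Pseudonym  string // keyed pseudonym, not the identifier itself
	Nonce      []byte // per-record GCM nonce
	Ciphertext []byte // AES-GCM ciphertext including the authentication tag
}

// Pseudonymise derives a stable pseudonym from a direct identifier with HMAC-SHA256.
// A plain hash could be reversed by guessing common e-mail addresses; because the
// HMAC key stays with the exporter, the importer cannot run that guess-and-check.
func Pseudonymise(k *ExporterKeys, identifier string) string {
	mac := hmac.New(sha256.New, k.PseudoKey)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds the record the importer stores: pseudonym plus AES-256-GCM ciphertext
// of the payload. The pseudonym is bound as associated data, so a ciphertext cannot
// later be re-attached to a different pseudonym without detection.
func Seal(k *ExporterKeys, identifier string, payload []byte) (Record, error) {
	aead, err := newGCM(k.DataKey)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	p := Pseudonymise(k, identifier)
	ct := aead.Seal(nil, nonce, payload, []byte(p))
	return Record{Pseudonym: p, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the payload. Only a holder of DataKey can do this; the importer,
// and anyone compelling the importer, holds ciphertext alone.
func Open(k *ExporterKeys, r Record) ([]byte, error) {
	if k == nil || len(k.DataKey) != 32 {
		return nil, errors.New("no exporter data key available")
	}
	aead, err := newGCM(k.DataKey)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.Pseudonym))
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	return pt, nil
}

func main() {
	exporter, err := NewExporterKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real personal data.
	rec, err := Seal(exporter, "maria@example.it", []byte(`{"order":"A123","size":"M"}`))
	if err != nil {
		panic(err)
	}
	fmt.Printf("importer stores pseudonym=%s... ciphertext=%d bytes\n", rec.Pseudonym[:12], len(rec.Ciphertext))

	// The importer's view: it has the record but not DataKey (an all-zero key stands in for "no key").
	importer := &ExporterKeys{DataKey: make([]byte, 32)}
	if _, err := Open(importer, rec); err != nil {
		fmt.Println("importer cannot decrypt:", err)
	}

	// The exporter, back in the EU, can.
	pt, _ := Open(exporter, rec)
	fmt.Println("exporter recovers:", string(pt))
}
```

The design choice worth noting is that the importer's environment never contains anything a public authority could use to recover the payload or the identifier: no key, no reversible mapping. Contrast this with ‘encryption at rest’ managed by the importer's own cloud provider, where the same party that holds the ciphertext can also be compelled to produce the key.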
In practice, however, organisations acting as importers in ‘problematic’ jurisdictions (such as the US) should aim to ensure that they have addressed and implemented as many supplementary measures as they reasonably can. Despite the issues noted above, having a fleshed out and thoughtful approach to implementing these supplementary measures should be viewed by US providers as a commercial imperative, which is essential to ensuring that they can continue to serve European customer demand.