EDPB publishes its finalised data transfer guidance

After an unusually long wait and with much anticipation, on 24 February 2023, the European Data Protection Board adopted the final version of its Transfer Guidelines for international transfers under the EU GDPR. As with the UK data protection authority's (ICO) recent update to its UK GDPR data transfer guidelines (for more information, see our RopesDataPhiles post here), the Transfer Guidelines provide useful guidance to assist organisations in assessing whether a transfer of personal data is a Restricted Transfer (and so subject to the EU GDPR’s international data transfer restrictions).

The Transfer Guidelines clarify the key elements of what constitutes a Restricted Transfer (and importantly what will not be deemed to be a Restricted Transfer). The Transfer Guidelines also provide additional rationale for treating transfers of personal data to a third-country data importers who are already subject to the GDPR as Restricted Transfers.

Although the Transfer Guidelines are not strictly legally binding, they reflect the common position taken by all EU supervisory authorities – as a result, the Transfer Guidelines should guide organisations how EU supervisory authorities will assess Restricted Transfers in practice going forward.

Restricted Transfers

The Transfer Guidelines clarify that the following three key cumulative criteria must all be met, in order for a transfer of personal data to constitute a Restricted Transfer:

1) A data exporter is subject to the EU GDPR for the given processing. While all organisations established in the EEA are subject to the EU GDPR in respect of each transfer of personal data they undertake, the Transfer Guidelines remind organisations established outside the EEA that they may still be subject to the international data transfer restrictions under the EU GDPR (in particular when processing personal data in the context of either offering goods or services to, or monitoring the behaviour of, individuals in the EEA. In addition, the Transfer Guidelines reiterate that, for those non-EEA organisations to whom the EU GDPR applies, international data transfer restrictions apply equally to transfers to data importers within the same (third-country) jurisdiction as to transfers to data importers in different third countries.

2) The data exporter discloses or otherwise makes the personal data available to a third-party data importer. In order for a transfer of personal data to constitute a Restricted Transfer, it must be transferred or made available to a third party. Accordingly, the Transfer Guidelines make it clear that there will not be a Restricted Transfer in cases of “internal processing” – for example, when an organisation transfers or makes personal data available to its own employees, even if those employees are located outside the EEA (though, in such circumstances, additional measures may still need to be put in place to ensure the personal data is adequately protected). However, if an organisation transfers or makes available personal data to employees of an affiliate or third party in a third country (even if this is within the same corporate group), then this will constitute a Restricted Transfer if the other criteria are met.

The Transfer Guidelines include several useful examples of what constitutes “making available” personal data to a data importer. These include creating an account, granting access rights to an existing account, confirming or accepting a request for remote access (even if this only involves displaying personal data on a screen incidentally for tech support or troubleshooting), embedding a hard drive or submitting a password to a file.

The Transfer Guidelines also provide the following examples of what will not constitute a Restricted Transfer. In particular:

1. Personal data disclosed or made available by a data subject directly to a third-country data importer will not be deemed to be a Restricted Transfer. For example, an individual in France who provides their name and address to a U.S. clothing retailer that targets individuals in the EEA, in order to purchase a dress online, will not amount to a Restricted Transfer on the basis that an individual transferring their own personal data is not considered to be a data exporter. However, if the U.S. clothing retailer engages a U.S. processor to store that personal data in the cloud, it will be deemed to have made a Restricted Transfer to that processor.
2. A data importer that is not subject to the EU GDPR will not be deemed to have made a Restricted Transfer if it engages a processor located outside of the EEA. Following on from the example above, if the U.S. clothing retailer did not target the EEA (and so was not processing personal data in the context of offering goods or services to individuals in the EEA), the engagement of the U.S. processor would not amount to a Restricted Transfer because the first criteria would not apply (i.e. the EU GDPR would not apply to the U.S. retailer).

3) The data importer is located in a third country or is an international organisation, regardless of whether the data importer is subject to the EU GDPR. The Transfer Guidelines highlight that where processors are subject to the EU GDPR, transfers to their third-country controller customers will amount to a Restricted Transfer. The Transfer Guidelines also identify that in circumstances where an EU processor makes an onward transfer of personal data to a third-country sub-processor, this too will amount to a Restricted Transfer.

The Transfer Guidelines clarify that even if a third-country data importer is subject to the EU GDPR in respect of the personal data it receives, this will still constitute a Restricted Transfer. According to the EDPB, the rationale for this approach is that:

• Such importers could be subject to conflicting legal frameworks by virtue of their establishment in a non-EEA country, and this carries risks (for example, of disproportionate government access to personal data); and
• It may be difficult, from a practical perspective, to enforce compliance with the EU GDPR and to obtain redress against entities located outside the EEA.

Regarding international organisations, the Transfer Guidelines provide an illustrative example where a Danish controller engages an EU processor with a parent company in a third country. The transfer of data from the Danish controller to the EU processor will not be deemed to be a Restricted Transfer. However, a Restricted Transfer may take place if the EU processor is an international organisation and subject to third country legislation with extraterritorial effect (for example, to comply with access requests from a third country’s authorities). This has the following consequences:

• If the EU processor transfers personal data to a third country authority pursuant to an access request, this would amount to a Restricted Transfer. It is not clear which data transfer safeguards will be applicable for Restricted Transfers in this scenario, if there are any applicable safeguards at all.
• If the EU processor complies with such a request in violation of the Danish controller’s instructions, the EU processor would be primarily liable for the Restricted Transfer under the EU GDPR, as the EDPB considers that the processor would be an independent controller in such circumstances.
• The EDPB highlights that controllers should therefore consider the potential extraterritorial application of third country laws when conducting diligence on their processors.

Commentary

Before Brexit, the UK data protection authority (ICO) took the position that if a data importer was subject to the EU GDPR in respect of the personal data it received, then this would not constitute a Restricted Transfer. Although this approach did not garner much support from other EU supervisory authorities, it was pragmatic and made sense – particularly on the basis that EU supervisory authorities could leverage the extra-territorial scope of the EU GDPR, in order to take enforcement action against third-country data importers if they failed to adequately protect the personal data received.

However, the newly aligned position between the ICO and the EDPB on this point indicates limitations on the powers of the ICO and EU supervisory authorities to effectively enforce the UK GDPR and EU GDPR (respectively) against third-country organisations. Importantly, the Transfer Guidelines mark the first explicit acknowledgment by the EDPB that EU supervisory authorities may have practical difficulties in enforcing the EU GDPR in this way. This is a surprising development but may ultimately provide some comfort to non-EEA organisations struggling to ensure compliance with the EU GDPR.

It is also worth highlighting that the EDPB’s position on Restricted Transfers means that organisations have no official standard contractual clauses to lawfully transfer personal data to third-country data importers in circumstances where those data importers are subject to the EU GDPR in respect of the personal data they receive. The European Commission is working on new standard contractual clauses to address this, although organisations have been waiting for these since June 2021 and it’s still not clear when they will be adopted (the current expectation is that they will be published in 2023).

With regards to processor-to-controller transfers, the EDPB differs from the ICO’s approach, which treats such transfers similarly to internal processing under the UK GDPR (with the controller being deemed to effectively transfer personal data to itself). The EDPB’s position here creates a stark divergence in interpretation between substantially the same requirements under the EU GDPR and UK GDPR. In addition, the Transfer Guidelines identify that in circumstances where an EU processor makes an onward transfer of personal data to a third-country sub-processor, this will amount to a Restricted Transfer for which both the controller and the processor will generally be responsible. This diverges from the position taken under the UK GDPR, pursuant to which only the processor would be responsible for the onward transfer.

Next steps for organisations 

It remains to be seen whether the SCCs to cover Restricted Transfers to data importers already subject to the EU GDPR will address the specific risks outlined by the EDPB. As these SCCs are due to be published this year, we are watching this space for developments.