They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR
On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer where EU data subjects disclose on their own initiative personal data directly to a non-EU company. Consequently, there is no need to implement a transfer tool in such situations. The Guidelines are open to public consultation until the end of January 2022.
Background
One of the most debated issues under EU data protection law has been what constitutes a data transfer, and whether the General Data Protection Regulation’s (GDPR) data transfer requirements apply if a company located outside of the EU falls within the GDPR’s extraterritorial provisions1 and directly collects personal data from data subjects in the EU.
The GDPR does not define the notion of “data transfer” and case law on this topic is scarce or outdated. In addition, market practice was to consider that a “data transfer” occurs where a non-EU company collects personal data directly from individuals in the EU. This interpretation was developed under the EU Data Protection Directive (the predecessor of the GDPR). U.S. companies that performed such direct data collection could register for the former Safe Harbor or Privacy Shield frameworks to legitimize their “data transfers” to the U.S.
However, in recent years, the EU legal landscape has changed substantially. The GDPR, with its broad extraterritorial scope of application, applies not only to EU companies but also to non-EU companies targeting EU individuals by offering them goods or services or by monitoring their behavior. For example, a U.S. company targeting EU individuals and collecting personal data about those individuals via its website or app is subject to the GDPR. However, U.S. companies without an EU establishment have faced a conundrum over the last few years as no data transfer mechanism was available: both the Safe Harbor and Privacy Shield frameworks were invalidated by the Court of Justice of the European Union (CJEU), and the derogations are only available in limited cases and often do not offer legal certainty.
Three Cumulative Criteria for a “Data Transfer”
The Guidelines define a “data transfer” as the disclosure of personal data by an organization subject to the GDPR to another organization located in a “third country” (i.e., a non-EU country). The Guidelines identify three cumulative criteria to define a “data transfer”:
- A controller or a processor is subject to the GDPR for the processing of personal data;
- This controller or processor (exporter) makes the personal data available to another controller, joint controller, or processor (importer); and
- The importer is in a third country (or is an international organization), irrespective of whether this importer is directly subject to the GDPR in respect of the given processing.
Consequences of New “Data Transfer” Definition
While the practical consequences will only emerge with time, the Guidelines have a number of direct implications:
- No data transfer if the individuals provide data on their own initiative. The EDPB considers that there is no data transfer when individuals disclose their personal data directly to an organization on their own initiative. For instance, if an individual purchases a product from a non-EU company via a website and thereby completes an online order form, the disclosure of personal data to the non-EU company via that form would not constitute a data transfer. However, this suggests that if the data is collected at the initiative of the non-EU company (in other words, passively or not at the initiative of the individuals), the data transfer rules apply. The exact scope of what constitutes a disclosure at a data subject’s own initiative is unclear and likely to spark debate.
- Data disclosure within the same organization is not a data transfer. The Guidelines provide that there is no transfer when the data remains in the hands of the same organization in and outside the EU. For example, where employees of an EU company travel to a third country and access their company’s system remotely, this does not constitute a data transfer. However, there will be a data transfer where personal data is disclosed to another entity within the same corporate group. The Guidelines explicitly affirm that entities that form part of the same corporate group may qualify as separate controllers or processors.
- EU processor sending data back to a non-EU controller. The Guidelines state that when an EU processor processes data on behalf of a non-EU controller and sends the data back to that non-EU controller, it must comply with EU data transfer restrictions. This aligns with the new set SCCs recently issued by the EU Commission that provides a processor-to-controller module. This scenario covers instances where the processor is directly subject to the GDPR, but it does not mean that a controller-to-processor data transfer now also requires a processor-to-controller data transfer mechanism.
Supplementary Measures Even if There Is No Data Transfer?
Since the Schrems II ruling of 2020, organizations that transfer personal data outside the EU must assess whether and under what conditions foreign governments may access their data post-transfer. If such access does not meet EU standards (e.g., if the access is disproportionate), organizations must adopt supplementary measures to protect the data.
According to the EDPB, if a data disclosure does not constitute a “data transfer,” that does not exempt an organization from assessing the risks related to data disclosures to a non-EU government and implementing supplementary measures as appropriate to protect the data. The Guidelines provide that, in that situation, the remaining GDPR requirements still apply to the data processed abroad. For instance, the EDPB highlights that organizations must implement appropriate data security measures to protect personal data and, in some cases, carry out a data protection impact assessment to assess the data processing risks. The EDPB implies that companies directly subject to the GDPR should assess the risks relating to disclosing personal data to a non-EU government—in a somewhat similar way to that when conducting a Data Transfer Impact Assessment—without clearly reaching this conclusion. The EDPB also suggests that Article 48 applies to these situations (Article 48 prohibits the disclosure of personal data to a foreign authority unless the parties can rely on an international agreement such as a mutual assistance treaty), but Article 48 is only relevant if a data transfer occurs. It is not clear how this confusion will be resolved.
Brace Yourself for Yet Another Set of SCCs
The EDPB would welcome a new data transfer tool for data importers directly subject to the GDPR (e.g., a non-EU company that offers goods or services in the EU market) and transferring EU data to another organization. Such a tool could take the form of new standard contractual clauses (SCCs). The aim would be to i) avoid duplication with GDPR obligations and ii) address conflict of laws issues and the difficulty to enforce and obtain redress against an entity outside the EU. It is unclear whether and when the European Commission would issue such a new data transfer tool.
Conclusions
The Guidelines are open to public consultation until the end of January 2022, and it remains to be seen whether and how the final version of the Guidelines may be modified in particular, as several concepts remain unclear.
However, while not final yet, the Guidelines are a good indication of how EU data protection authorities interpret and apply data transfers restrictions. The practical implications of the Guidelines are significant for companies processing EU personal data and organizations that have no EU presence but are doing business in Europe should assess the impact of the Guidelines on their data protection compliance strategy.
Our privacy and cybersecurity practice routinely advises on EU data transfers restrictions and can help you tackle the challenges raised by this fast-moving area. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.
[1]Article 3.2 GDPR provides that the GDPR applies “to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”