Mar 02


DP News – Week 9. After public consultations, the EDPB adopts final versions of three guidelines. Further to this, the Opinion on the EU-US Data Privacy Framework is published.

Following the public consultation lasting throughout 2022, the European Data Protection Board (EDPB) has adopted the final versions of three guidelines:

– Guidelines 05/2021 on the interplay between territorial scope (Article 3) and international transfers (Chapter V);

– Guidelines on certification as a tool for transfers;

– Guidelines on deceptive design patterns in social media platform interfaces.

This set is further supplemented by Opinion 5/2023 on the EU Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework. In this Opinion, the EDPB takes a rather balanced approach, highlighting, on one hand, substantial improvements and progress (in relation to the principles of necessity and proportionality, additional safeguards for the new redress mechanism and Executive Order 14086 on government access to data in the U.S.) and, on the other hand, drawbacks and room for improvement (in relation to key definitions, application of the framework principles to data processors, rules on automated decision-making and profiling, work of the dedicated Data Protection Review Court, etc.). It will be intriguing to see how the issues identified by the EDPB are addressed before the adequacy decision is taken (if that eventually happens).

Among the adopted guidelines, the one on the interplay between territorial scope (Article 3) and international transfers (Chapter V) deserves an in-depth assessment first of all.

The EDPB increased the number of examples clarifying the data transfer rules, explained when the GDPR will not be applicable at all (thus making the transfer rules inapplicable as well), and confirmed (as a side note and with respect to the location in the EU, but still) that the concept of “geographical” location is connected to the place of establishment (see Example 11).

The EDPB also explained that there would be no Chapter V data transfer scenario when the data is transferred to an EU-based data importer which is a subsidiary of a company located outside the EEA. In practice, this often happens when using various cloud services from Microsoft, AWS and other US-based big tech companies, which put forward their EU-based subsidiaries as contracting parties for customers from the EU. However, an EU-based company transferring personal data to such an EU-based subsidiary will be responsible for making sure that the engaged subsidiary puts in place technical, organisational and contractual measures preventing improper onward data transfers (in particular, disclosure of data to authorities of third countries).

At the same time, the issues with the definitions of ‘data exporter’ and ‘data importer’, traveling employees and external consultants (as highlighted by DPOrganizer previously) have not received proper attention and remain unresolved.
