The GDPR itself, paired with multiple Recommendations and Guidelines issued by the European Data Protection Board (EDPB) and supplemented with the decisions of the CJEU and the EEA national supervisory authorities, contains intricate provisions on what is called “a transfer of personal data to a third country or international organisation”.
To get an understanding of when special data transfer rules apply, it is crucial to figure out what is hidden behind the wording “a transfer of personal data to a third country or international organisation” (hereinafter – international data transfers).
In an attempt to help privacy practitioners, in the Guidelines 05/2021 “On the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR” (hereinafter – Guidelines), the EDPB comes up with a ‘three-step’ test of when processing should qualify as an international data transfer (the criteria should apply cumulatively):
- A controller or a processor is subject to the GDPR for the given processing.
- This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
- The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
While it may look self-explanatory at first sight, a closer look will reveal multiple questions and contradictions left unsettled and, thus, continuing to pose practical challenges for privacy practitioners. In this blog post, DPOrganizer attempts to highlight those ambiguities and suggests how they might be resolved.
1) A mixture of two approaches to the nature of international data transfers.
Theoretically, there might be a concurrence of two approaches to how the notion of international data transfers can be understood: jurisdictional (transfer is something that occurs between different jurisdictions) and territorial (transfer is something that occurs between different territories, regardless of whether or not those belong to the same jurisdiction).
The GDPR Article 44 is clearly inclined to the latter – it sets forth that transfer occurs “to a third country or an international organisation”, ignoring the fact that a data importer in a third country might in some cases belong to the GDPR jurisdiction pursuant to Article 3(2).
As for the EDPB, considering criteria 1, 2, and 3 in their interrelation, it seems to adopt a mixture of both approaches: criterion 1 speaks of a data exporter being “subject to the GDPR” and disclosing data (criterion 2), while criterion 3 speaks of a data importer being an international organisation or sitting “in a third country”, irrespective of whether or not this importer is subject to the GDPR.
In practice, this leads to somewhat illogical situations. E.g., a company based in a third country offers goods and services to individuals in the EU and collects personal data directly from those individuals. The company will be subject to the GDPR pursuant to Article 3(2), but there will be no international data transfer because there is no disclosing controller or processor that is subject to the GDPR. So no data transfer rules will apply. If this company then shares the personal data with its data processor in, e.g., the same third country, then data transfer rules will apply to this transfer, due to the territorial position of this data processor. From a logical standpoint, it is hard to explain why the company may, without meeting data transfer standards, obtain and process the data, but may not share it with the data processor.
2) What does “the data are disclosed directly and on his/her initiative by the data subject” really mean?
As for criterion 2 outlined above, the EDPB clarifies that it “cannot be considered as fulfilled where the data are disclosed directly and on his/her initiative by the data subject to the recipient”. However, the EDPB is silent on what happens if the data are disclosed by the data subject but, in fact, not on his/her initiative.
For example, an EU-based data controller engages a U.S.-based vendor to provide some IT solutions. To perform operations in the vendor’s IT system, a nominated employee of the controller has to create a user account in the system themselves. Is this a transfer subject to the GDPR Chapter V? It is indeed the data subject who sets up a user account, but they do so because their employer asks for this and not because they make an independent decision. Such a situation is very common nowadays even in small and medium enterprises, let alone big transnational companies.
No understanding can be inferred from the Guidelines, and this seems to be a real gap. However, we believe that in the scenario described above there will be an international data transfer. A clear ‘game changer’ here is that the employee acts as the employer’s representative, rather than in their personal capacity. Thus, inserting user account data in the U.S.-based vendor’s system in this scenario would be something that happens on behalf of the employer. The employer (as the data controller) would qualify as ‘data exporter’, and there will be a clear transfer between it and the U.S.-based vendor (‘data importer’), thus triggering the application of the GDPR Chapter V.
At the same time, as mentioned above, the EDPB is yet to provide its explanation in respect of scenarios like that.
3) Definition of ‘data exporter’ and ‘data importer’.
More interestingly, there is still no uniform definition of ‘data exporter’ and ‘data importer’. From the Guidelines it is clear that only controllers, processors, and joint controllers may qualify as ‘data exporter(s)’ or ‘data importer(s)’, and that a transfer may take place only between exporters and importers. More or less (with some textual discrepancies) the same understanding may be seen in Annex 1 of the EDPB Recommendations 01/2020 “On measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”.
But a different approach is seen in Clause 1(b) of the EU Commission’s Standard Contractual Clauses (SCCs) where the understanding of ‘data exporter’ and ‘data importer’ seemingly bears no relation to controllership issues. Under Clause 1(b), those are the natural or legal person(s), public authority/ies, agency/ies or other body/ies transferring (‘data exporter’) or receiving (‘data importer’) the personal data, directly or indirectly. In other words, unlike the EDPB, the EU Commission does not seem to pay any attention to what data processing roles ‘data exporter’ and ‘data importer’ may take – it is just enough to either transfer or receive personal data to qualify as ‘data exporter’ or ‘data importer’, respectively.
4) Traveling employees. Or external consultants?
Such details may become important in some scenarios – let’s take a look at Example 5 below from the Guidelines. The scenario it employs might be extremely relevant for companies with distributed teams using remote access to the organisation’s information resources.
Example 5: Employee of a controller in the EU travels to a third country on a business trip. George, employee of A, a company based in Poland, travels to India for a meeting. During his stay in India, George turns on his computer and accesses remotely personal data on his company’s databases to finish a memo. This remote access of personal data from a third country, does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller (company A). Therefore, the disclosure is carried out within the same controller (A). The processing, including the remote access and the processing activities carried out by George after the access, are performed by the Polish company, i.e. a controller established in the Union subject to Article 3(1) of the GDPR.
This example seems to have been borrowed from the Norwegian DPA’s guidance on the transfer of personal data outside the EEA. Its obvious drawback is that it is pretty much casuistic and provides ‘everyday life’ details with no explanation as to their importance.
For example, will the EDPB’s assessment change if an employee does not travel to a third country but permanently sits there? This remains unclear. However, the answer is probably “No” because whether the employee travels to a third country or permanently sits there may only affect the regularity and routine nature of ‘accesses’, but not the existence of them as such. On top of that, in this specific example, the EDPB clearly focuses on the fact that the employee does not qualify as another controller (and, thus, may not qualify as ‘data exporter’ or ‘data importer’) and not on why the employee is in a third country.
However, the latter argument does not seem really solid, given that the EU Commission (see item 3 above) does not take into account data processing roles (controller, processor, joint controller).
Next, many organisations do not employ staff. Instead, they engage manpower based on external consultancy agreements or through staffing agencies. Will the EDPB’s assessment change if in Example 5 the figure of ‘employee’ is changed to ‘external consultant’ or ‘leased employee’? The EDPB is silent about that.
However, the answer may potentially be found in paragraph 88 of the EDPB Guidelines 07/2020 “On the concepts of controller and processor in the GDPR” which refers to the concept of “persons that belong to the legal entity of the controller or processor (an employee or a role highly comparable to that of employees, e.g. interim staff provided via a temporary employment agency)”. In the context of the GDPR terminology, those should be understood as “persons who, under the direct authority of the controller or processor, are authorised to process personal data” (Article 4(10)).
This gives reasonable grounds to believe that Example 5 includes not only employees but also roles “highly comparable to that of employees”. Whether or not this covers ‘external consultant’ and ‘leased employee’ should be decided on a case-by-case basis, depending on what exactly they do, how they are built into the employer’s business processes, in other words – whether or not they are “under the direct authority” of the employer.
5) What does “geographically in a third country” mean?
In paragraph 18 of the Guidelines, the EDPB says that the “third criterion requires that the importer is geographically in a third country or is an international organisation”, but it fails to explain what “geographically in a third country” means.
It would be fair to say (without, however, references to any ‘hard’ or ‘soft’ law sources) that ‘importer is geographically in a third country’ means that it has an establishment in a third country, in the context of whose activities the transfer is carried out.
The notions of ‘establishment’ and ‘in the context of activities’ have been well developed and interpreted in the EU law (see, e.g., the GDPR Recital 22, the EDPB Guidelines 3/2018 “On the territorial scope of the GDPR (Article 3)”, case of the CJEU C-131/12, Google Spain SL v. AEPD and Mario Costeja Gonzalez, WP29’s Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, case of the CJEU C-230/14 (“Weltimmo”)).
It should be noted that those interpretations were given, strictly speaking, for another purpose – to determine whether a data controller or processor has an establishment in the EEA, thus triggering the GDPR application. However, in this particular case, it would be fair to apply the same test to determine whether the importer is “geographically in a third country”.
Bearing in mind Example 5 (see item 4 above), it might well be the case that an employee (or, e.g., external consultant) of an EU-based company physically sitting in a third country may be recognised as the company’s ‘establishment’. In this case, as mentioned in Example 5, there will be no international data transfer between the company and the employee. However, if, e.g.: (i) this employee is recognised as the company’s ‘establishment’; (ii) the company itself imports personal data from another EU-based company (hereinafter – Company X); and (iii) the employee performs access to the personal data transferred by Company X, i.e., the transfer is carried out in the context of activities of the employee recognised as the importer’s ‘establishment’, then there will most likely be an international data transfer between Company X (data exporter) and the company which employs the employee (data importer).
There also might be other practical scenarios where the EDPB’s clarification is lacking. E.g., an EU-based data subject registers with an online service offered by a U.S.-based company and submits their personal data directly to it, while at the same time entering into a formal service agreement with an EU-based subsidiary of the U.S.-based parent company. In this case, in DPOrganizer’s view, there will be an international data transfer between the EU-based subsidiary (data exporter) and the U.S.-based parent company (data importer), even though the EU-based subsidiary has never possessed the personal data.
As of August 2022, the EDPB Guidelines 05/2021 still have the status of “version for public consultations”, meaning that we should expect the current text to be amended. From the examples outlined above, it is clear that the current explanations probably fall short of the expectations of privacy practitioners, leaving multiple loopholes and much uncertainty when it comes to the practical application of the data transfer rules.