Chapter V of the GDPR lays down the requirements for transfers of personal data from the EU to a third country. The requirements are pretty straightforward. The transfer must be based on either:
- An adequacy decision by the European Commission (only a handful of countries have passed muster – most recently South Korea in 2021).
- “Appropriate safeguards,” which include standard contractual clauses, a framework such as the Privacy Shield (no longer “appropriate” per the 2020 Schrems II decision), binding corporate rules, an approved code of conduct or an approved certification mechanism.
But before Chapter V is even applicable, there must be a “transfer.” What constitutes a “transfer” isn’t self-evident, as the GDPR doesn’t provide a definition.
To address this issue, last month the European Data Protection Board (EDPB) issued guidelines.
In the guidelines, the EDPB notes the overarching principle behind Chapter V: to ensure that personal data transferred outside the EU (or to an international organization) continues to be protected. According to the EDPB, a transfer occurs if the following three criteria are met:
- A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
- The exporter transmits or otherwise makes personal data available to another controller, joint controller or processor (“importer”).
- The importer is in a third country or is an international organization, regardless of whether the importer is subject to the GDPR.
Concerning the second criterion above, the EDPB helpfully notes that remote access from a third country, even if only by means of displaying personal data on a screen for support or admin purposes, is a “transfer”; but “internal processing” (where the data is not transmitted or otherwise made available to another controller or processor, including where such processing takes place outside the EU) is not a “transfer.” In addition, the EDPB concludes that when there is no controller or processor sending or making the data available (i.e., no “exporter”) to another controller or processor, such as when data is disclosed directly by the data subject to the recipient, there is no “transfer” for Chapter V purposes.
The guidelines provide no fewer than 12 examples, with handy illustrations.
Some of these examples are quite helpful. For instance, the EDPB gives the example of Maria in Rome buying a dress from an online clothing website based in a third country. Maria isn’t a controller or processor, but rather a data subject, so her transfer of personal data via the website isn’t covered by Chapter V. The online clothing company, however, will still need to comply with the GDPR if it either has an EU establishment (GDPR Art. 3(1)) or (in the absence of an EU presence) specifically targets the EU market (GDPR Art. 3(2)).
Other examples are a little perplexing. Building on the example above, the EDPB supposes that the online clothing company engages a non-EEA processor to process Maria’s order. According to the EDPB, the disclosure of Maria’s personal data to the non-EEA processor does constitute a transfer, and thus Chapter V obligations kick in. So while Chapter V doesn’t apply to the initial data transfer from the EU to the third country, it does apply to any onward transfer to a non-EEA entity – even if the non-EEA entity is just down the block.
In that example, it’s hard to square the EDPB’s position with the language of Chapter V, which only concerns itself with transfers “to a third country or international organization.” In this case, since the EDPB concluded that Chapter V doesn’t apply to the initial cross-border transfer (Maria in Rome to the third country), why should Chapter V apply to a further transfer that has no cross-border implications?
In any event, the EDPB’s concrete examples provide ample fuel for future debate, and its guidance is timely as U.S. companies in particular struggle with GDPR compliance in the absence of the Privacy Shield.