6 Key Things to Know about the New EDPB Guidance on International Data Transfers

November.22.2021

On November 19, 2021, the European Data Protection Board (“EDPB”) issued draft guidance on the interplay between Article 3 of the General Data Protection Regulation (“GDPR”) and the provisions on international transfers outlined in Chapter V GDPR (“Guidance”). The Guidance aims to clarify various international data transfer questions, including when the provisions for international transfers under Chapter V GDPR apply and, if so, which mechanisms under Chapter V GDPR can be relied on.

These questions became a hot topic when the European Commission stated that the new standard contractual clauses of 2021^[1] (“2021 SCC”) only apply to data transfers between a data exporter and a data importer who itself is not subject to GDPR by virtue of Article 3. However, it was left unclear whether in such a scenario no SCCs would be needed (as Chapter V GDPR would not apply) or whether alternative SCCs would be required and what to do in the interim until such new SCCs are adopted.

The FAQs below summarizes and provide recommendations for the key points outlined in the new Guidance. You can also listen to our discussion about the new Guidance or use our complimentary Cross-Border Data Transfer (XBT) Tool to assess your risk during international data transfers.

1. Are data transfers from an EU-based data exporter to a data importer outside the EU subject to the requirements under Chapter V GDPR if the data importer is subject to the GDPR?

Yes. Putting an end to long-running controversy^[2], the EDPB clearly stated that any transfer from an EU-based data exporter (be it a controller or a processor) to a data importer based outside the EU is a transfer within the meaning of Art. 44 GDPR and thus subject to Chapter V GDPR. This applies regardless of whether the data importer is itself subject to the GDPR. As a result, in most cases, data importers will need to enter into SCCs or adopt Binding Corporate Rules.

2. Do the new SCCs issued in June 2021 cover data transfers to data importers who are subject to GDPR?

No. Recital 7 of the 2021 SCC ^[3] stated that the new SCCs may be used “for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679.” As a result, where the data importer is a controller or processor and at the same time also itself subject to the GDPR, for example, because of rendering services to individuals living in the EU, the new SCCs would not apply. That does, however, not mean that no additional safeguards are needed. Unfortunately, as shown in the answer to question number 3 below, the EDPB does not give clear instruction on what to do.

3. What should data importers subject to GDPR do in the absence of clarity on the applicable transfer mechanism?

Currently, there is no clear solution for such data importers. The European Commission announced that will work on a new set of SCCs that would address such situations and the EDPB noted that such clauses will focus on the protection from other legislation applicable to the importer. In particular, government access in the third country would need to be addressed and the importer would need to implement adequate security measures.^[4] However, until these newer SCCs are adopted, companies face a great deal of uncertainty. Since the old SCCs of 2001 and 2004 can no longer be used for new data transfers, it seems sensible to use the 2021 SCC for the time being. Companies should also perform a transfer impact assessment as required by the Schrems II ruling of the CJEU.

4. What if a company outside the EU collects data from individuals in the EU?

The EDPB clarified that a so-called “direct collection” of personal data from individuals in the EU does not constitute a transfer within the meaning of Art. 44 GDPR and thus does not trigger the requirements under Chapter V GDPR because there is no transfer from a controller or processor. Companies located outside the EU who offer goods and services to individuals in the EU thus do not need to meet the requirements under Chapter V GDPR. However, the EDPB stressed that companies who are subject to the GDPR need to respect the other principles of the GDPR, in particular, Art. 32 but also Art. 48 GDPR.^[5] Their security measures need to address the collection and storage data risks in a country where such data is subject to access by law enforcement beyond what is justifiable in the EU. Arguably, this could be understood as to require such companies to conduct a transfer assessment like the one outlined in the EDPB guidelines published in June 2021 (updated version).

5. What about transfers between EU and non-EU based establishments of the same entity?

Entities with establishments in the EU and outside the EU were often faced with the question of whether their intra company data transfers from the EU to other establishments of the same entity outside the EU must meet the Chapter V GDPR requirements. The EDPB clarified that a transfer within the meaning of Art. 44 (Chapter V GDPR) requires two parties, a data exporter and a data importer.^[6] Whenever there are data transfers between parts of the same entity, be it, for example, a sharing of data with an employee traveling overseas^[7] or between two establishments belonging to the same entity, the transfer does not fall under Art. 44 et seq. However, since all other requirements under the GDPR must be met, Art. 32 GDPR applies, and the security measures need to reflect the specific risks arising with the exposure of personal data to a third jurisdiction outside the EU (see considerations under question number 4 above).

6. Do the requirements under Chapter V GDPR also apply to processors?

Yes, the Guidance clarifies that processors also need to comply with Chapter V GDPR. The EDPB provides various examples to explain when processors need to take special precautions to meet the Chapter V GDPR requirements:

Example 3: Covers the scenario where a controller located outside the EU sends data to a processor located inside the EU. Even though such data may not relate to EU individuals, the EU-based processor is based on Art. 3 paragraph 1 GDPR subject to GDPR. In line with Art. 44 paragraph 1 GDPR, it needs to secure that the transfer of the processed data back to the controller outside the EU meets the safeguards required under Chapter V GDPR. This situation may often be covered by Module 4 of the 2021 SCCs.
Example 4: Describes the scenario where an EU-based processor engages a sub-processor located outside the EU. This scenario, for example, applies to an EU based SaaS provider who engages a hosting provider located outside the EU. In such a scenario, the EU based processor needs to comply with Chapter V GDPR. Most often, the clauses under Module 3 of the 2021 SCCs can be used.

^[1] Cf. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

^[2] See Kühling/Buchner-Schröder, Commentary of the GDPR/BDSG, 3rd. Ed. 2020 –Art. 44 paragraph 16a et seq. with further references to the differing views.

^[3] Cf. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

^[4] See paragraph 3 and 23 of the Guidance.

^[5] See paragraphs 5 and 17 of the Guidance.

^[6] See paragraph 7, 15 of the Guidance.

^[7] See example 5 in paragraph 14 of the Guidance.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.