International data transfer and guidelines of the European Data Protection Board

Updated: Feb 14

Annalisa from VF

Author: Annalisa Clarizio

Date of Publication: 18/06/2023

The topic of international data transfers is particularly thorny because there is no common, global definition of it. On this topic, the Standard Contractual Clauses were published in 2021. Criteria for the applicability of the General Data Protection Regulation have also been published.

The European Data Protection Board (EDPB) issued Guidelines no. 5/2021 to identify the processing operations that constitute international transfers. The guidelines were recently republished, updated with further examples and clarifications. However, problematic areas remain, and some details on the responsibilities of the data controller have been added.

The guidelines describe what happens when the data controller is the data exporter and give some examples about direct data collection. They also describe the concept of an "importer located in a third country".

1. Article 3 of the GDPR

The General Data Protection Regulation (GDPR) has become a text of global interest because of the new rules it contains and because of its wide scope.

Article 3 of the General Data Protection Regulation governs its territorial scope of application.

Paragraph 1 of the GDPR article

Paragraph 1 of the article states that the EU framework applies “irrespective of whether or not the processing is carried out in the Union”. However, the processing must take place in the context of the activities of an establishment of the controller or processor in the Union. The concept of "establishment" must of course be understood in the broad sense of the 2018 guidelines, which were also recently revised. An establishment can be any real and effective activity, even minimal, carried out through a permanent establishment, regardless of the legal form adopted.

Paragraph 2 of the GDPR article

Paragraph 2 of the article states that the Regulation applies to controllers and processors not established in the EU territory that carry out activities for persons physically present in the territory of the Union. The GDPR thus establishes a real principle of extraterritoriality. This principle is the basis of digital sovereignty, the ability to govern digital boundaries.

There has been an expansion, within the limits of private international law, for the commercial purposes of the entities processing the data. There has also been an expansion for the effects of their activities within the Union.

Another part of Article 3 on the principle of extraterritoriality establishes the principles and guarantees for the transfer of personal data abroad. This part of the article has inaugurated a very special regime that does not make the Rules of Procedure totally applicable.

In a nutshell, cross-border data transfers are lawful in the presence of Standard Contractual Clauses. They are also lawful in the presence of Binding Corporate Rules or certification mechanisms and codes of conduct.

2. The definition of International data transfer

The Regulation again provides no definition of international transfer. It is possible to fill this gap with earlier international sources or case-law interpretations. Article 4 of the GDPR, in paragraph 23, describes the concept of «cross-border processing».

Cross-border processing

This definition refers to activities carried out in several establishments by a controller or processor, or to processing carried out in a single establishment but intended to have a substantial effect. This concept should not be confused with the international transfer of data. In fact, the latter involves cross-border processing and an element of internationality.

What’s more, the systematic reference to case law or other international sources makes it possible to distinguish the concept of transfer from that of communication. Therefore, this concept of communication involves the simple passage of data through infrastructures not intended for their storage.

Upload of data

The notion of «upload» of data is more complex. This notion was originally excluded by case law from the cases of transfer, but it has been reconsidered by EDPB Guidelines no. 5/2021. The correct identification of the notion of «international transfer» lies in a part of the GDPR described as a "regulation in the Regulation".

The practical needs of international transfers encourage the non-application of obligations for importers already subject to the GDPR. The GDPR apparatus must be consistent as to its objective and subjective limits of application.

The Schrems I and II cases overturned the adequacy decision in force between the US and the EU. In particular, they highlighted the indiscriminate use of CFCs as an international "laissez-passer".

New criterion of interpretation

The evolving case law of the CJEU has in fact introduced an interpretative criterion that affects all international transfers. Operators wishing to lawfully transfer personal data to non-EU States should first make a check. For example, they must verify that the destination State has a legal and administrative apparatus essentially equivalent to that of the EU.

The concept of equivalence is certainly not exclusive to the GDPR, but its practical effect is particularly stringent.

Those who carry out the transfer are themselves required to continuously monitor processing and transfers and to provide additional guarantees. In this way, the possible processing of data subjects' data by the authorities of a third State is limited by criteria of necessity and proportionality.

3. Guidelines 5/2021

The EDPB is primarily concerned with defining a cross-border transfer. This operation is only intuitive. The EU body creates roles, such as those of data Importer and data Exporter, that are not governed by the Regulation.

There are three cumulative criteria for determining whether a transfer exists and is international:

1. A controller or processor is subject to the GDPR for data processing;

2. The controller or processor (the Exporter) communicates or makes available the personal data to another controller, co-controller or processor (the Importer);

3. The Importer is located in a third country, regardless of whether or not it is subject to the GDPR pursuant to Article 3 GDPR for the processing in question.

The first criterion refers to the case-law-oriented reconstruction made by the same body, in the framework of Guidelines 3/2018. This is based on the concept of establishment or "supply of goods or services" and "targeting".

With regard to the second criterion, the EDPB has accepted one of the main criticisms of the previous version of the guidelines excluding intra-group communications from transfers.

The examples provided in clarification of this criterion are more complex than those of the previous version. Consequently, an arbitrary difference in regime is partially limited.

4. The transfer risk protection regime

The guidelines distinguish two categories of guarantee schemes.

The first comprises the relationships that cumulatively meet the three requirements above.

The second includes cases where these criteria are partly lacking or that fall under the definition of international transfer. It therefore involves actors in third States already subject to the discipline of the GDPR.

In fact, the second scheme is common in commercial practice and particularly in the supply of goods and services.

Moreover, it is expected that cross-border data flows should be subject to the empowering safeguards provided elsewhere in the GDPR. Therefore, the controllers and processors subject to the GDPR are responsible for all their processing activities. So, the processing of data in third countries may entail greater risks, including disproportionate access to data by governments.

The objective of the Regulation is to ensure the continuity and uniformity of the protection of Data Subjects. The risks and the measures useful for lawful processing in an international dimension are difficult for individuals to understand.

The EDPB guidelines lack a practical example of the consequences and actions to be taken in relation to the listed cases.

Thus, the essential principles of the GDPR focus on identifying the concrete risk factors to be taken into account. These principles are assessed in the impact of the transfer and the optimisation of risk management.
