The European Data Protection Board’s (EDPB) new guidelines on international data transfers

This year has been anything but uneventful in the world of data protection. Following the public consultation, in February 2023 the European Data Protection Board (EDPB) published finalised guidelines on the interplay between the territorial scope and GDPR’s international data transfer provisions. Recognising that the GDPR does not define the notion of ‘international data transfer’ and the case law on the matter remains limited, the EDPB guidelines seek to dispel uncertainties surrounding this area. 

Notably, the new guidelines are more detailed compared to their draft version published in November 2021. While containing guidance on the typical data transfer scenarios, the finalised guidelines also shed light on some of the more nuanced cases – e.g., those involving transfers by EU-based processors to controllers located in third countries.

Importantly, the EDPB sets out three criteria that need to be met for a processing operation to be considered as an international data transfer under the EU GDPR. While EDPB’s criteria and those set out in the UK’s Information Commissioner’s Office guidance are broadly similar, there are some differences, especially in the treatment of specific transfer cases. We have put together a comparative table that briefly outlines the relevant criteria put forward by the EDPB and the ICO to assess whether a processing activity is considered an international data transfer. 

Comparative table: The EDPB’s approach (EU GDPR) / The ICO’s approach (UK GDPR) / Comments

Criterion 1

The EDPB’s approach (EU GDPR): 1. The exporter is subject to the EU GDPR for the given processing.

The ICO’s approach (UK GDPR): 1. The UK GDPR applies to the processing of the personal data being transferred.

Comments: The first requirement is similar in both jurisdictions.

The application of GDPR (whether EU or UK) will be governed by articles 2 and 3 on the territorial and material scopes respectively and depend on the circumstances of each case. Organisations located outside the EU/UK can also be subject to GDPR, which means that the rules on restricted transfers will apply to any transfers they make outside the EU or UK respectively.

Finally, we note that both controllers and processors can be an exporter and thus caught by the international data transfer requirements.

Criterion 2

The EDPB’s approach (EU GDPR): 2. The exporter discloses by transmission or otherwise makes the personal data available to another controller, joint controller or processor (“importer”).

The ICO’s approach (UK GDPR): 2. The exporter is initiating and agreeing to send personal data, or make it accessible, to a receiver [located in a country outside the UK].

Comments: While the language of the second criterion used in the EDPB’s guidelines and the ICO’s guidance varies slightly, they essentially communicate the same requirement – i.e., the act of sending (disclosing by transmission) the data or making it accessible (otherwise available) to a receiver. Examples of what constitutes making data ‘available’ under the EDPB guidelines include creating an account, granting access rights, “confirming” and/or “accepting” an effective request for remote access, etc.

The key takeaway from this criterion is that there must be an exporter that sends or makes the data available to a receiver. Conversely, where a data subject discloses their personal data directly to the recipient, there is no ‘exporter’ and thus no restricted transfer.

Criterion 3

The EDPB’s approach (EU GDPR): 3. The importer is in a third country.

The ICO’s approach (UK GDPR): [The receiver must be located in a country outside the UK] (as included within criterion 2 of the UK approach above)

Comments: The third criterion under the EDPB guidelines requires that the importer be geographically located in a third country. For this purpose, we noted that it is irrelevant whether the importer is subject to the EU GDPR for the given processing. The EDPB highlights that the rationale behind this criterion is to make sure that the level of protection of individuals guaranteed by the GDPR is not undermined when personal data are no longer processed under this framework.

Note: The ICO does not specify this as a separate criterion but includes it in criterion 2 above as shown in the square brackets.

Additional ICO criterion

The EDPB’s approach (EU GDPR): No separate criterion.

The ICO’s approach (UK GDPR): 3. The receiver is a separate controller or processor and legally distinct from the exporter.

Comments: The ICO expands on the above criteria by explicitly requiring that the receiver be a separate legal entity. In practice, this means that where a UK entity transfers data to its branch located in a third country, this would not qualify as a restricted transfer because a branch lacks a separate legal personality (i.e., is treated as an extension of the UK legal entity).

The EDPB’s guidelines do not contain any references to a ‘branch’ or a ‘representative office’. However, it appears that this requirement is implied in the language of the EDPB’s second criterion through the use of the word ‘another’ (namely, ‘another controller, joint controller or processor’). More specifically, in Paragraph 20 the EDPB is explicit that the second criterion only applies where ‘two different (separate) parties (each of them a controller, joint controller or processor)’ are involved in a transfer. In other words, the importer must be a ‘different controller or processor’ from the exporter.

Indeed, as shown above, the two regimes are fundamentally similar. However, there are a few interesting differences that caught our eye, which we think would be of great relevance for some organisations. For example, under the EDPB’s guidelines, where a processor in the EU sends personal data back to the original controller located in a third country, the EU rules on international data transfers apply. In this case, the EDPB considers the processor to be an exporter for the purposes of the EU GDPR and thus responsible for complying with the attendant transfer-related obligations. Interestingly, this result is achieved despite the fact that the personal data is being returned to the same controller that provided it in the first place. (For more information, see examples 6 and 10 in the guidelines.)

We have noticed that the ICO takes a slightly different approach. According to the current guidance, it is never a restricted transfer when a processor sends or returns data to the same controller. In the ICO’s example, if a Bolivian controller engages a UK processor and then instructs it to return all of the personal data, there is no restricted transfer. The rationale behind this approach is that, in the ICO’s view, the data flow at issue is ultimately the responsibility of the controller, which has already initiated and agreed to the transfer. As a result, the act of sending back the data takes place within the same legal entity – i.e., personal data received from a controller returns to the same controller. For the avoidance of doubt, this applies only to cases where the processor sends data back to the original controller (as opposed to sub-processors or other controllers on behalf of the original controller).

Why is this significant and what does it mean for me?

In the ever-evolving privacy landscape, international data transfers remain a significant pain point for many organisations. The EDPB guidelines are a response to this on-going compliance challenge and provide much-needed insights on a topic that is often fraught with ambiguities and overlaps.

While the EDPB guidelines do not have any direct relevance for UK businesses, organisations in the UK which have subsidiaries in the EU or are otherwise caught by the EU GDPR would benefit from reviewing their current transfer arrangements in light of these guidelines. This would be a helpful exercise in particular because of the slight differences in the way EDPB and the ICO treat certain nuanced cases (e.g., the case of a processor returning data to the controller).

Falling under the scope of international data transfer provisions means that you will have to put in place the relevant transfer tool and carry out a transfer impact assessment. If you’re unsure about whether the EU GDPR applies to your transfer arrangement, the EDPB guidelines provide other examples of the most commonly encountered transfer cases.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.
