Confusion about data transfers after European Commission’s sleight of hand
When publishing the new Standard Contractual Clauses the European Commission (hereafter: Commission) did something remarkable. The Standard Contractual Clauses (SCCs) are meant to enable the transfer of personal data from the European Union (EU), Norway, Iceland, and Liechtenstein (European Economic Area, EEA), to a country outside the EEA that does not guarantee an adequate level of protection to the data. By agreeing on additional safeguards, the exporter and importer can still process the data safely in the recipient country. The Commission has now unexpectedly changed the definition of international transfers. It is no longer the case that every transfer of personal data to a system outside the EU/EEA is qualified as an international transfer. Rather, a transfer only qualifies as an international transfer if the personal data will no longer be directly protected by the GDPR in the recipient (third) country. The Commission states that organisations may only use the SCCs if the GDPR does not already apply to the importer in the third country anyway.
The Commission alters the definition
We always thought that exporting data was similar to exporting goods. As soon as a product crosses a border, we call it an ‘export’. According to the Commission, this is not true when it comes to data. The reason behind this is that the GDPR, unlike other laws, has extraterritorial effect. The GDPR applies to organisations that are established outside the EU but still offer goods or services to persons inside the EU/EEA, and to all organisations that monitor the behaviour of EU/EEA citizens. According to the Commission, processing activities of these establishments are equivalent to processing activities conducted inside the EU/EEA. Therefore, international transfers do not include transfers to recipients who are already subject to the GDPR. The importers with no establishments in the Union only need to designate a representative within the Union. Meanwhile, the exporter of the data does not have to assess the laws in the recipient country that might undermine the protections of the GDPR.
It is very surprising that the Commission has made this sudden shift without any prior consultation. The draft version of the new SCCs had been published, but it did not contain this new definition. And even the new SCCs only indirectly refer to the new definition through an explanatory sentence. This interpretation can, however, help solve a major issue for the Commission: a problem that occurred in relation to the transfer of data to the United States after the ruling of the European Court of Justice in the case Schrems-II. In this ruling, the Court declared the Privacy Shield mechanism for transfers to the US invalid and imposed additional requirements for SCCs. The Commission is now circumventing this ruling by changing the definition of international transfer. This allows Facebook and other international companies to continue processing data in the US.
Uncertainty about the new situation
The unexpected move by the Commission has created uncertainty about how the new SCCs should be used. If the Commission’s interpretation stands, and transfers will from now on only qualify as international transfers if the GDPR is not already applicable, it is unclear how organisations can prevent laws in the receiving country from undermining the GDPR, and act in accordance with the ruling of the Court. In this situation, it will also be unclear how European DPAs could possibly collect any fines imposed on companies located outside the EEA. Without effective sanction mechanisms, protections granted under the GDPR will not mean much.
The situation is possibly even worse if the Commission’s interpretation does not stand. In most cases, SCCs are the only or easiest option for structural data transfers. The alternatives are very time-consuming, especially since they must first be approved by a DPA, and DPAs are experiencing very long waiting times because of capacity constraints. If no international transfer exists between parties that all fall under the territorial scope of the GDPR, it is understandable that data importers outside the EU who are still subject to the GDPR cannot use the new SCCs. But the DPAs or judges could decide that the old definition of international transfer must apply, and then the new SCCs still state that companies may only use them if they do not already have to comply with the GDPR. This could create the undesirable situation that service providers located outside the EU, who are subject to the GDPR, can no longer receive data, while service providers who remain outside the scope of the GDPR could. This would result in an undesirable legal inequality.
The EU’s data protection authorities (EDPB) published their final opinion on international transfers on 18 June. Unfortunately, that opinion does not shed light on their views on the new definition. The document does, however, contain some suggestions about their position. For example, the DPAs write that the fact that a person outside the EU/EEA can access data stored in the EU already constitutes an international transfer. They also state that if a data controller in the EU uses an international cloud provider, this constitutes an international transfer. Only when a controller is certain that its cloud provider has an office located in the EU and that the data remains within the EU is there no international transfer. This is remarkable, as the presence of an office located in the EU specifically indicates that the cloud provider must already comply with the provisions of the GDPR. According to the Commission’s interpretation, there should be no objection to using the data in another country if the GDPR is still applicable. Apparently, the EDPB disagrees.
How to proceed
Unfortunately, it will take some time before there will be more clarity. The Commission has made a clever sleight of hand to try to magic the problems around international transfers away. However, the new interpretation of the Commission goes against all previous interpretations of data protection authorities (DPAs) and the European Court of Justice. After all, the Court ruled that a transfer of data from Facebook Ireland to Facebook, Inc. in America constitutes an international transfer of data, while the GDPR clearly applies to Facebook, Inc. For this reason it would be better to continue working with both criteria for transfer: both when the data leaves the Union and when sharing data with a party to whom the GDPR does not apply.
So what should organisations do with their current SCCs? They have 15 months to conclude new SCCs. It is advisable to wait for now and see whether SCCs will still be needed in the future. The national DPAs should provide a solution to the problem. Data protection officers (DPOs) could, for example, contact the special helpdesk of their DPA to ask for advice. Companies without a DPO could ask their trade associations to contact their data protection authority. The sooner we can get answers, the better.