Since the new SCCs were published in the summer, there have been frantic puzzlings over Recital 7, which clearly states that the new SCCs may only be used where the recipient in the third country is not directly subject to the GDPR. Many of us wondered what this meant for transfers to controllers or processors based outside the EU but who have establishments in the EU, offer goods and services into the EU, or monitor data subjects in the EU. What safeguards could be put in place if not the SCCs? Or was this not a data transfer at all?
The EDPB have now released guidance clarifying their position. Here are the key takeaways:
- There are three elements to a data transfer: (1) a controller or processor in the EU, subject to the GDPR, acting as “exporter”; (2) the disclosure of data (by transmission or otherwise making available) to another controller, joint controller or processor; and (3) that receiving “importer” is in a third country (or is an international organisation).
- It makes no difference whether the importer in the third country is directly subject to the GDPR or not; in either case, Chapter V will apply. Since the new SCCs can’t be used in these circumstances, this creates an obvious gap. Consequently, the EU Commission have confirmed they are working on a new set of SCCs (presumably a new module?) which will be released soon. The EDPB’s view is that these new clauses can be considerably shorter, as they don’t need to duplicate any of the GDPR obligations; they only need to address the issues of conflicting laws and government access to data, and redress. It’s not clear what exporters in this situation are meant to do in the meantime – but it is presumed that most will keep using the (existing) new SCCs, on the basis that something is better than nothing.
- Perhaps news to many of us: there is no data transfer where a controller (or processor) in a third country collects data directly from a data subject, even if the controller/processor is subject to the GDPR. So a website based in the US, for example, collecting data from users in the EU, does not need to comply with Chapter V. This feels like something of a change of approach by many Supervisory Authorities (SAs), but will make life easier for many online businesses. One note of caution, however, is that the guidance emphasises the recipient’s other GDPR obligations in these circumstances, such as accountability and data security. The implication from the guidance is that many of the SCCs’ obligations (e.g. to push back on law enforcement requests) can be ‘read into’ those GDPR provisions.
- There is also no data transfer where an employee of an organisation accesses personal data outside the EEA, for example if they are travelling for work. This is because the recipient ‘importer’ must be a separate entity from the transferring ‘exporter’, i.e. there must be a disclosure. The guidance doesn’t discuss whether this is still the case where the recipient is a branch office or, in today’s world of remote working, a single employee based permanently in the third country.
As a final point, it is worth noting that the UK ICO has previously taken the slightly different position that, if the receiving data importer is directly subject to the UK GDPR, there is not a “restricted transfer”, and so no safeguards are needed. However, this point has been left open in the UK’s new draft ‘International Data Transfer Agreement’, and so potentially may change when we see the final document.