What Future for Cross-border Transfers of Personal Data?

• Publication year: 2024
• Author: Paul Lanois
• Citation: Vol. 1

WHAT FUTURE FOR CROSS-BORDER TRANSFERS OF PERSONAL DATA?

Written by Paul Lanois

In today's globalized world, cross-border data transfers have become a routine aspect of virtually every business operation. However, organizations that do business internationally are likely to be subject to the General Data Protection Regulation (GDPR). As a result, the organizations must comply with certain requirements, which are laid out in Chapter V of the GDPR. Since the Court of Justice of the European Union (CJEU) issued what is now known as the 'Schrems II' decision in July 2020¹ invalidating the EU-US Privacy Shield Framework (which was used by thousands of organizations to transfer data from the EU to the US), many organizations are struggling to figure out how they can continue to transfer personal data outside the EU while still complying with the GDPR's requirements.

Following the 'Schrems II' decision, many organizations have relied on the EU Standard Contractual Clauses (SCCs)² to perform their data transfers-but the SCCs are not "magic bullets" and do not automatically make a data transfer legal.

Notably, in May 22, 2023, the Irish Data Protection Commission (DPC) held that Meta Platforms Ireland Limited infringed GDPR Article 46(1) (the rules requiring appropriate safeguards for international data transfers in absence of an adequacy decision) by continuing to transfer personal data to the US following the 'Schrems II' decision. This is even though Meta used the latest 2021 EU SCCs for the transfers and had put in place additional supplementary measures. Specifically, the DPC "found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment."³

This article will provide an overview of GDPR's regulations for cross-border data transfers and discuss best practices for managing these transfers while ensuring compliance with the GDPR's requirements.

WAIT . . . WHAT EXACTLY IS A 'DATA TRANSFER'?

The GDPR applies to any "transfer of personal data to a third country or to an international organization." However, such term is not defined in the GDPR. Regulatory guidance from the European Data Protection Board (EDPB)⁴ indicates that there is a 'transfer' within the scope of Chapter V of the GDPR if each of the following three criteria are met:

1. The data exporter (whether a controller or a processor) is subject to the GDPR for the given processing;
2. The data exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor; and
3. The data importer is in a country outside the European Economic Area, irrespective of whether such data importer is itself subject to the GDPR for the given processing.

The EDPB's above second criteria specifies that a transfer must involve the transmission of data from one controller or processor to another controller or processor. Importantly, the EDPB's guidelines specifically indicate that this "second criterion cannot be considered as fulfilled where the data are

[Page 43]

disclosed directly and on his/her own initiative by the data subject to the recipient."⁵ The term "on their own initiative" seems to cover situations where individuals, of their own accord, complete online forms or make a purchase from an online store established outside the EU.

There was previously a lot of confusion on this point, as some commentators had assumed that the collection of personal data directly from individuals located in the EU required the organization to have in place a valid transfer mechanism. Since SCCs could not be signed with individuals, those organizations turned to their EU offices to transfer the data, relying on the SCCs to do so.

DOES CHAPTER V OF THE GDPR COVER INTRA-GROUP TRANSFERS?

In case there was still any doubt, intra-group transfers of data must also be considered: the EDPB confirmed that "data disclosures between entities belonging to the same corporate group (intra-group data disclosures) may constitute transfers of personal data."⁶

What constitutes a 'transfer' is particularly broad, since according to the European Data Protection Board, "examples of how personal data could be "made available" are by creating an account, granting access rights to an existing account, "confirming"/"accepting" an effective request for remote access, embedding a hard drive or submitting a password to a file. It should be kept in mind that remote access from a third country (even if it takes place only by means of displaying personal data on a screen, for example in support situations, troubleshooting or for administration purposes) and/or storage in a cloud situated outside the EEA offered by a service provider, is also considered to be a transfer,"⁷ provided of course that the three criteria outlined above are met.

However, not all transfers are necessarily in scope: employees who travel on business to a country outside the EU and who bring with them their laptops to work remotely would not be deemed transferring data, since employees are not separate controllers, but rather integral parts of their organization.

WHEN PERSONAL DATA CAN BE TRANSFERRED UNDER THE GDPR?

Article 44 GDPR prohibits transfers of personal data outside the European Economic Area (EEA) unless the transfer fits within one of the narrow...