How can a “hybrid” data controller receive and send data?

Can I use Google Analytics for my website? What if I want to chat with my clients on Skype? Use Amazon Web Services to store my data? All these are U.S. service providers but some store their data in Europe. They have access to personal data of Europeans, but are under American jurisdiction. Some types of access imply that they are obliged to comply with European data protection legislation (basically with the GDPR) while in other cases we talk about transfer of data.

Transfer is one of the concepts which are very important but not defined under the – special conditions are applicable when personal data are transferred outside the European Economic Area (the EU and EFTA countries – whenever we talk about the EU, in terms of data protection in means the EEA). Following the publication by the European Commission of the new Standard Contractual Clauses for the transfer of personal data to third countries, the European Data Protection Board issued a guidance about how personal data can move from and to a special type of data controllers: those who are seated outside the EEA but still subject to European data protection rules. Probably because their data protection jurisdiction and their geographical location is different, the guidance also hints to the interpretation of what is and what is not transfer of personal data. The consultation paper can be found here.

National law is usually applicable on the national territory or to citizens and residents of the state issuing them. European law is valid in the EU or – when concerning domains of cooperation within the EEA – in the EU and EFTA countries and under specific conditions, Switzerland. There are two notable exceptions to that in the area of data: the surveillance powers of U.S. authorities and the famous Article 3(2) of the GDPR. The collusion between the U.S. national security surveillance and the GDPR itself gave rise to the Schrems cases before the European Court of Justice whose judgments made transfer of data to the U.S. almost impossible. As U.S. service providers – and most well known informatics providers are from the U.S. – tried to retain their European customer base, they moved their services to their European subsidiaries and the data to European data centres.

No one was sure however, whether storing data in Europe is sufficient to avoid the difficulties of transfer. The main risk is of the extraterritoriality of U.S. surveillance rights: not just subsidiaries of American firms but even companies who are European but have a significant activity in the U.S., may be subject to the PATRIOT act, also in respect of data stored in Europe. Microsoft and Google tried to challenge this, and the result was (after the U.S. Supreme Court was not ready to decide which of the two different results of the court cases against the two companies was valid) the CLOUD Act, which is interpreted differently by different experts. Therefore, the EDPB guidance will not solve everything, but is nevertheless an important step towards clarification.

The immediate background is the extraterritoriality of EU data protection laws, expressed by paragraph 2 of article 3 of the GDPR. Data controllers seated outside the Union, who are subject to the GDPR because they either offer services to EU residents (e-commerce providers, gaming platforms or social media, for example, whether freely or against payment) or they monitor their behaviour in the EU, like ad servers or web analytics or again social media, are at the same time obliged to follow their own national legislation. Therefore they are in a special situation when it comes to transfers of personal data, both as exporters and as importers.

Apparently this special situation required that the EDPB embark on defining transfer. Transfer as a term in data protection is reserved to cases where the exporter is subject to the GDPR while the handling of data at the destination is not. This vague formulation (before the guidance of the EDPB) is due as there are at least two ways to define transfer: physically (however difficult it is in the era of the cloud) or jurisdictionally. The basic question being: if a U.S. company stores data received from a European data controller in Europe, is this transfer or not? Whichever answer we give, we cannot forget the impact of extraterritoriality of American national security law. We say American, as most important ICT service providers are American. And then: what about European subsidiaries of U.S. firms?

The EDPB guidance defines transfer as sending or making accessible data to recipients (importers) seated outside the EEA. Thus, the physical location of data being outside the EU and eventual jurisdiction of extra-EEA (so-called third) countries does not in itself make a moving data to them a transfer. The guidance immediately adds that in any case which is not a transfer but presents risks of access to data without the protection ensured by EU data protection law, these risks have to be explored and mitigated by the controller. Similarly, risks have to be assessed and the protection ensured if data are stored outside of Europe or when a sub-contractor of a European contractor is outside the EEA or is subject to foreign surveillance law. The formal requirements of transfer, however, do not apply.

Of course, the rules do not pinpoint the United States: transfer to other countries or to subsidiaries of companies from other countries with similar surveillance laws, including not just the lack of oversight and redress but also the extraterritorial effects - China’s new data protection legislation also has an extraterritorial feature, for example – also present similar risks. Therefore the transfer impact assessment (TIA) is necessary – but the European Court of justice did this for us in respect of the U.S., with a negative result. For other countries one may ask that when the European Commission takes months or even a year to investigate the legal system of a country to arrive to a conclusion whether the country “deserves” an adequacy decision, what can a simple controller do, and how can the result be positive, if the Commission did not find the country adequate? The first and easy answer is that not all countries have been investigated and there may be countries with adequate protection which do not possess an adequacy decision.

This answer, however, is not the real one. In my opinion, there are two groups of requirements when we transfer data to an organisation: those which can be fixed in a contract, i.e. those which only depend on the recipient and those which are beyond its control. In case of an adequacy decision, most of the first group of conditions are also already contained in the data protection law of the country. If there is no adequacy decision, the Standard Contractual Clauses contain all of these requirements (even a little more, as it refers to the result of the TIA). There are alternatives, like binding corporate rules, certifications or ad hoc contracts, these contain also the obligations not prescribed in the law of the receiving countries and require the (general or occasional) authorisation of a data protection supervisory authority.

The second group contains mostly protection of individuals when there are legal obligations of organisations in terms of access by authorities or, in some cases, obligations to make some data public. The reference to the latter condition is present, for example, in the declaration attached by Turkey to its ratification of the Convention 108 on data protection of the Council of Europe. These obligations carry the risk of infringing the rights of data subjects as complying with the national law cannot be overridden by a contract between the data exporter and the data importer. Thus, the TIA does not have to assess whether there are obligations in the law of the country of the recipient which can be regulated by a contract (as mentioned, which the organisations can comply with without going against their own national law, are just not obliged by law to comply by default) but only those risks which cannot be mitigated by contractual clauses.

The International Association of Privacy Professionals – we may say that the most important professional association – asked the head of the EDPB secretariat, Isabelle Vereecken, to explain the background and implications of the guidance.

Beyond the definition of transfer, the IAPP webinar concentrated on the actual topic of the guidance, i.e. how to transfer personal data by and to organisations which are subject to the GDPR based on Article 3(2), i.e. reside outside the EEAS but offer services to EU (or EEA) residents or monitor their behaviour inside the EEA. As exporters, these organisations are subject to the GDPR and thus have to comply with its requirements. This is also the case when they transfer data to the country where their seat is, as the recipients in the same country are not subject to the GDPR. Ms Vereecken emphasised that under Article 3(2) it is not the organisation but the processing which is subject to the GDPR, therefore compliance is required always when the recipient is an organisation different from the “exporter”. Sending data between different entities of the same group is also transfer – like when an EU establishment and the headquarters in a third country jointly process or exchange the data.

From the obligation of the recipient to comply with its national law follows also that an exporter transferring data to an organisation when the processing will be subject to the GDPR but the recipient is resident in a non-EU country, cannot waive the transfer requirements. Nevertheless, the obligations of the GDPR bind the recipient and therefore no full standard contractual clauses are necessary, the arrangement only has to cover the gaps which the GDPR obligations don’t. The chart below shows the main cases:

It was also emphasised that for a transfer an exporter is necessary, i.e. when a data subject directly provides, at his or her own initiative, his or her own data to a controller abroad like when purchasing directly or when an employee of a European company works on the company computer from abroad, although using a third country provider, this is not transfer. The European Court of Justice also issued an old judgment – we were told – according to which processing of personal data of employees provided to another entity than the employer is not transfer – I guess as there is no offer of services, neither the monitoring of behaviour.

The presenter also offered some clarification about when a processing is subject to the GDPR based on the first subparagraph of Article 3(2): this requires that the controller offers goods or services to the country of the user. Thus, if the user initiates the transaction without the platform (like an e-commerce platform) offering it, the platform does not fall under the GDPR while if the behaviour (like the browsing activity) of the user is monitored during this transaction without the user’s initiative, the conditions of the second subparagraph are fulfilled and the processing has to comply.

Also, the issue of processors within the EU working for a third country controller was discussed: the processors only have to comply with the obligations of the GDPR towards processors. If, however, they transfer personal data back to the controller, that is to their client (i.e. not only sending back aggregated data), they have to comply with Chapter V of the GDPR. The Commission standard contractual clauses even have a separate module to be applied for this.

The EDPB – according to the head of the secretariat – will go deeper into another controversial point of Chapter V, namely that it has to be ensured that the level of protection of natural persons guaranteed by the GDPR should not be undermined. This means that even when the derogations are applied which do not require a formal transfer tool (adequacy decisions, standard contractual clauses or the like), safeguards have to be applied to protect the data subjects. It remains to be hoped that these safeguards will not be as strict as required by the EDPB recommendations on supplementary measures complementing transfer tools, intended to tackle the situations where the transfer impact assessment finds that the standard contractual clauses, for example, cannot guarantee sufficient protection, like in the case of the U.S.

Legal clarity would indeed be welcome but maybe a more practical approach could be the risk-based approach. The above-mentioned recommendations are considered more risk-based and less formalistic than their first draft by the IAPP but there is space for improvement, as this article demonstrates.

László S. Szabó, Szabó Consulting

Cover photo: Getty Images

More in Business

Ingyen repülőjegy a Ryanairnél és az easyJetnél? Nyilván túl szép, hogy igaz legyen
May 24, 2022 08:15

Budapest Airport incurs heavy loss in 2021, pre-pandemic passenger numbers remain far

BudAir survives second COVID-19 year in a row without state aid

bmw debrecen
May 23, 2022 09:13

What would happen to the BMW factory in Hungary if Russian gas supplies halted?

Entire German car industry would grind to a halt if there were no more gas

Lencsés Tamás Marwin Ramcke
May 20, 2022 12:22

It's a matter of time, and loans will default en masse in Hungary

Interview with the Hungarian and international chiefs of EOS

Paks uzemanyag kazetta
May 20, 2022 09:49

EU to help Hungary Paks NPP to do without Russian fuel, U.S. firm shows interest

Westinghouse throws its name in the hat

bankkártyás vásárlás mobil e-kereskedelem
May 20, 2022 08:57

Online shopping habits changing in Hungary

More and more people are buying only at the last minute

May 18, 2022 09:05

Slovakia to tax cheap Russian oil, bad news for Hungary's Mol

Plan yet to be discussed by government, parliament