November 29, 2021
During its plenary session on 18 November 2021, the EDPB adopted draft Guidelines on the interplay between Article 3 (territorial scope) and Chapter V (international transfers) of the GDPR. By clarifying the interplay between these two areas of the legislation, the Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.
The Guidelines set out three cumulative criteria that will qualify a particular act of processing as a transfer: (i) the data exporter (a controller or processor) is subject to the GDPR for the processing in question; (ii) the data exporter transmits or makes available the personal data to the data importer (another controller, joint controller or processor); and (iii) the data importer is in a third country or is an international organisation.
The act of processing in question will be considered a transfer regardless of whether the importer established in a third country is already subject to the GDPR under Article 3. However, the EDPB considers that collection of data directly from data subjects in the EU at their own initiative does not constitute a transfer.
EDPB Chair Andrea Jelinek added: “These Guidelines provide a consistent interpretation of the concept of “international transfers” and clarify that, when a data importer is subject to the GDPR, the obligations under Chapter V GDPR apply both to the transfer from the EU to the importer and to any further transfer that the importer undertakes.”
The Guidelines will be subject to public consultation until the end of January 2022.
The EDPB also adopted a Statement on the European Commission’s Digital Services Package and Data Strategy. In the statement, the EDPB highlights three overarching concerns regarding the Commission’s Digital Services proposals (made up of the Data Governance Act (DGA), the Digital Services Act (DSA), the Digital Markets Act (DMA) and the AI Regulation (AIR)):
- lack of protection of individuals’ fundamental rights and freedoms;
- fragmented supervision; and
- risk of inconsistencies.
The EDPB and EDPS have already issued joint opinions on the DGA and the AIR, and the EDPS has issued opinions on the European Strategy for Data, the DMA and the DSA. In its statement, the EDPB reiterates its call for a ban on any use of AI for the automated recognition of human features in publicly accessible spaces and urges the co-legislator to consider a phase-out leading to a prohibition of targeted advertising on the basis of online tracking, and a prohibition on the profiling of children.
The EDPB further highlights the risks of parallel supervision structures and strongly recommends each proposal provide for an explicit legal basis for effective cooperation and exchange of information between the competent supervisory authorities and the data protection authorities.
In addition, the EDPB calls upon the Commission and the co-legislator to ensure that the proposals clearly state that they shall not affect or undermine the application of existing data protection rules and to ensure that they prevail whenever personal data are being processed, also in the context of the forthcoming proposal for a Data Act. To read the EDPB’s press release in full and for links to the Guidelines and the Statement, click here.