My views on the EDPB Guidelines on the Interplay between the application of Article 3 and Chapter V of the GDPR

It is a shame that the EDPB has positioned itself in contradiction to what the EU Commission has stated in Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, or at least so it appears at first glance.

According to the EU Commission (Recital 7 of the Implementing Decision):

A controller or processor may use the standard contractual clauses to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 for the transfer of personal data to a processor or controller established in a third country, only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679

Contrarily, the EDPB states in its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, that:

If all of the criteria that qualifies the processing as a transfer are met, the controller or processor in a “transfer” situation needs to comply with the conditions of Chapter V

According to the EDPB a processing activity qualifies as a transfer if: 

  1. A controller or a processor is subject to the GDPR for the given processing.

  2. This controller or processor (“exporter”) discloses personal data to another controller, joint controller or processor (“importer”).

  3. The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR.

And here, at point 3 of the criteria, is where the EDPB somehow contradicts the EU Commission: according to the EU Commission, the Standard Contractual Clauses for transferring data to third countries shouldn't apply when the importer is subject to the GDPR.

The EDPB also clarifies that controllers and processors whose processing is subject to the GDPR pursuant to Article 3 always have to comply with Chapter V of the GDPR when they disclose personal data to a controller or processor in a third country or to an international organisation. However, a transfer to a controller in a third country should need less protection/safeguards, as the controller is already subject to the GDPR:

"for a transfer of personal data to a controller in a third country less protection/safeguards are needed if such controller is already subject to the GDPR for the given processing."

In line with this, the approved SCCs do not seem applicable, as they would duplicate the obligations of the GDPR in such scenarios; hence, new SCCs might need to be approved:

"Therefore, when developing relevant transfer tools (which currently are only available in theory), i.e. standard contractual clauses or ad hoc contractual clauses, the Article 3(2) situation should be taken into account in order not to duplicate the GDPR obligations but rather to address the elements and principles that are “missing” and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country as well as the difficulty to enforce and obtain redress against an entity outside the EU."

In the first instance, the EDPB mentions that compliance with Chapter V GDPR can be achieved by implementing appropriate safeguards, which include:

  • Standard Contractual Clauses (SCCs)

  • Binding Corporate Rules (BCRs)

  • Codes of conduct

  • Certification mechanisms

  • Ad hoc contractual clauses

  • International agreements/Administrative arrangements

It also mentions that the content of the safeguards needs to be customized depending on the situation, and it seems to support, at the same time, the EU Commission's intention to exclude the applicability of the recently approved SCCs, at least when a controller, subject to the GDPR and acting as a data importer, is located in a third country.

So, what to do if the recently approved SCCs aren't to be used, but other transfer mechanisms, such as BCRs or ad hoc contractual clauses, may be more complex to implement?

It is still uncertain how controllers and processors would address this, but maybe the easiest way is, until a new set of clauses is released, to rely on the approved Standard Contractual Clauses to transfer data to third countries on a voluntary basis, even if this means having GDPR obligations duplicated.

I truly believe that considering the direct applicability of the GDPR and due to the accountability principle imposed on controllers, when a controller is located in a third country, the adequate safeguards of art. 46 shouldn't apply, or at least not as they are described by the GDPR, but rather the controllers should implement supplementary measures in addition to the security measures they already implement to the processing of personal data from EU individuals, in order to address the elements and principles of the GDPR that could conflict with national laws, to determine how to behave regarding government requests to access personal data in the third country, or how to address the difficulties to enforce and obtain redress against an entity outside the EU. These measures would be added to the record of processing activities maintained by the controller, which could be submitted to the Data Protection Authorities for audit/inspections. Also, controllers in such scenarios could add these supplementary measures to the contracts raised with EU entities acting as data exporters, in an attempt to make such parties more comfortable when signing the documents, since obligations on how to transfer data to third countries also apply to them.

Nevertheless, and considering that local data protection authorities in Europe might require transfer tools to be implemented, even when the importer located in a third country is subject to the GDPR, an immediate solution could be, as mentioned above, to rely on the SCCs approved by the EU Commission to transfer data to third countries, even though Recital 7 of the Implementing Decision states that these do not apply to circumstances where the importer is subject to the GDPR, until a new transfer tool, such as a new set of standard contractual clauses, is issued.

DCA.
