LSTS/FWO researcher Laura Drechsler reflects on the need for a definition of data transfers for the General Data Protection Regulation.
Four years after the General Data Protection Regulation (GDPR) became applicable, its rules on international personal data transfers remain much discussed by courts, academics and practitioners. One issue that regularly features in these debates is the question of what type of processing operation constitutes an international personal data transfer. While everyone agrees that such transfers must at some point involve someone in a third country (otherwise it would be an internal EU transaction), other qualities of such transfers are disputed, such as whether data transfers need to occur with the intention or knowledge that third countries will be involved, or whether individuals can transfer personal data. These debates persist also because, unlike many other terms important to the GDPR, the term "international personal data transfer" is not defined in Article 4 (or elsewhere). Nor did the predecessor of the GDPR, the Data Protection Directive (DPD), include such a definition. Despite the absence of a definition of international personal data transfers, the Court of Justice of the EU (CJEU) has been using the rules for international personal data transfers to ensure a high level of protection of the fundamental rights protected in the EU Charter in transfer situations (see for an overview here).
It is against this background that the European Data Protection Board (EDPB) issued guidance in November 2021 including, for the first time, a definition of international personal data transfers. For the EDPB, a data transfer takes place when a controller or processor within the scope of the GDPR (data exporter) makes personal data accessible to another controller or processor (importer) in a third country. In this context, it is irrelevant whether the data importer is already in the scope of the GDPR due to the wide territorial scope of Article 3(2). While the definition gives some clarification (excluding, for example, direct transactions between data subjects and entities in third countries from the scope of data transfers), it still leaves some matters unresolved. For example, it is still not clear exactly which processing operations would be a transfer and whether intent or knowledge on the side of the data exporter plays any role. A public consultation on this proposed definition took place, ending in January 2022 and receiving 71 responses, demonstrating further that the proposed definition is not the end of the discussions (see also my paper for Privacy in Germany and our contribution to the public consultation together with Svetlana Yakovleva). One point raised in these discussions is also whether or not a definition is actually needed (see for example the debate at a Meet the Author event of the Brussels Privacy Hub). As noted above, the CJEU has been capable of using the existing transfer rules without a definition to ensure the protection of EU fundamental rights. Ensuring that the level of protection of natural persons is not undermined is the overarching objective of the transfer rules of the GDPR (Article 44). If that objective is achieved, perhaps a definition is superfluous.
I want to address the question of whether there is a need for a definition of international personal data transfers, and if so, whether the definition of the EDPB can already fill this need. To this end, the rest of this blog post operates in two parts. The first part investigates the question of whether international personal data transfers need to be defined, considering the case law of the CJEU. The second part then builds on the conclusion that there is indeed a need for a definition and asks whether the one provided by the EDPB is sufficient. It also includes some aspects that, based on my research, would be important considerations for any definition of data transfers.
1. To define or not to define: Do we need a definition of international personal data transfers within EU law?
To understand whether there is a need for a definition of international personal data transfers, it is important to consider the status quo for data transfers under the GDPR. For the moment, we have strict rules in the GDPR determining essentially that data transfers can only take place when they are aligned with the GDPR as such and based on a specific additional legal basis included in its Chapter V. There are three types of such legal bases: adequacy decisions, appropriate safeguards, and derogations. The objective of these rules is, as noted, to ensure that the level of protection of natural persons provided by the GDPR in terms of their fundamental rights is not undermined by data transfers (Article 44). This has also been confirmed by the CJEU, which has, ever since its Schrems I decision in 2015 (and thus still under the DPD), taken a strong stance on the need for data transfers to ensure a high level of fundamental rights protection for individuals. The CJEU's decision in Schrems II even implies that all legal bases for transfer under the GDPR need to ensure the same high level of fundamental rights protection (para. 92), making no distinction for derogations, which have often been considered exceptions from the requirement for such a high level of protection.
This strong level of protection required for data transfers by the CJEU raises the question of whether a definition for data transfers is needed. On the one hand, the CJEU has managed fine without it, while still mandating a high level of protection for EU fundamental rights. Offering a definition at this point might undermine this case law. After all, any definition, if too rigid, would exclude processing activities that previously could be argued to also enjoy the high protection required by the CJEU. If, on the other hand, the definition is too wide, no real change to the current situation would occur, and the effort of coming up with a definition would be wasted. That said, however, the absence of a definition makes it more complex for those confronted with the GDPR to know when its transfer rules apply. This concerns, in the first place, controllers and processors operating as potential data exporters, who must assess whether they have to consider the transfer rules for their processing operations. In the second place, however, it also affects the data subjects, who might find it hard to understand, in the absence of a definition (and some guidance translating such a definition into everyday language), when such transfers are occurring with their own personal data. Under the GDPR, data subjects must be informed about data transfers (Articles 13(1)(f) and 14(1)(f)). It is difficult for such information to be meaningful if neither controller nor data subject is sure when it has to be provided.
The regulatory system of the GDPR builds on three factors that are listed in recital 11. First, obligations on those processing personal data (controllers and processors). Second, rights for data subjects, for which recital 7 notes that they should enable control over personal data for individuals. Third, supervision and enforcement of these rules, including via data protection authorities (DPAs) and courts. These three factors are interdependent; none of them can by itself guarantee the effectiveness of the GDPR. From the CJEU case law, it is clear that supervision of the rules (at least by the courts) can function in absence of a definition of data transfers. I am however not convinced that the same is true for the obligations on controllers and processors in the context of data transfers or data subject rights. We live in an interconnected and global world. It seems safe to assume that data transfers are a common activity, and there is simply not enough time and capacity to have all potential issues adjudicated at court (or DPAs). Controllers and processors must understand their obligations in the context of data transfers and ideally fulfil them sufficiently without courts or DPAs ordering them to do so. This is the beginning of any protection for natural persons. This task is made unnecessarily complicated without a definition of international personal data transfers that helps to clarify the scope of the transfer rules. Without a definition neither data exporters nor data subjects have sufficient clarity on what rules apply or when they apply, which arguably forms a logical precondition for them to be applied well.
2. To define then, but how?
Accepting that a definition for international personal data transfers would be useful raises the question of whether the proposal by the EDPB can fulfil this function. In my opinion, the answer to this is no. This is for two reasons. First, the EDPB is not the right authority to issue such a definition. EDPB guidance is non-binding. Neither DPAs nor national courts are obliged to follow it. Thus, the proposal by the EDPB lacks sufficient legal force to harmonise the understanding of international personal data transfers for the whole of the EU. Only a harmonised, uniform definition, however, can bring about the clarity both data exporters and data subjects require when confronted with data transfers. Second, the definition by the EDPB is also incomplete, as noted above. While clarifying the actors of a data transfer, the definition of the EDPB leaves out other aspects such as the intention or knowledge required for a transfer. Even the clarification of the actors is not without controversy. In his contribution to the public consultation on the guidance, Professor Christopher Kuner notes a number of inconsistencies in the protection of individuals due to the fact that a direct transmission of personal data to a third country would not be considered to fall under the transfer rules (see here). It remains to be seen whether the EDPB will react to this and other critiques in its final version of the guidance.
If the EDPB is not the right authority to define international personal data transfers, who is? Based on the above, I conclude that this is something that should be included in the law itself. Thus, the GDPR should have a definition for data transfers, for example alongside the other definitions it provides in Article 4. For this to be achieved the GDPR would need to be amended, which admittedly seems politically impractical in the immediate future. Nevertheless, in the long term, changing the GDPR appears to me the best option. In this context, I also want to highlight that a definition of data transfers needs to be carefully drafted for such an amendment. The achievements of the CJEU in its data transfer case law for the protection of the fundamental rights of individuals must in no way be undermined. Any definition should therefore fully align with CJEU case law. Moreover, such a definition should work for all data protection instruments of the EU. The GDPR is not the only piece of EU data protection legislation and not the only legislative act with rules on international personal data transfers. Any definition should function for all the different acts, including for example the Law Enforcement Directive (LED). It would be confusing for data exporters and data subjects if the acts that qualify as data transfers differed between the GDPR and the LED.
27 June 2022