GDPR Refresh: What Is a Data Transfer?

Why Are Data Transfers Important?

The European Data Protection Board (EDPB), the body in charge of the application of the General Data Protection Regulation (GDPR), has just released guidelines to clarify the often asked question, "What is a data transfer?"

This question comes up frequently for businesses around the world as the GDPR has strict requirements where data is transferred out of the European Economic Area to third countries. Businesses outside the European Economic Area must use approved transfer mechanisms if data is transferred to a third country without an adequacy decision. The European Commission has approved an adequacy decision for the following countries: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea (pending), Switzerland, the United Kingdom, and Uruguay. For all other countries, including the United States, transfer mechanisms must be used. The options for businesses are binding corporate rules, codes of conduct, standard contractual clauses, certifications, ad hoc contractual clauses, international agreements, and derogations for specific situations. Of these options, the standard contractual clauses are most frequently used. 

What Is a Data Transfer? 

The EDPB states that there are three criteria to determine if a data processing activity constitutes a transfer.

1. A controller or processor is subject to the GDPR for the given processing. 

Companies subject to the GDPR generally meet one of the following three criteria: (a) based in the European Economic Area, regardless of whether the processing takes place in the European Economic Area or not; (b) based outside the European Economic Area, but offer goods or services to data subjects in the European Economic Area, or (c) monitor the behavior of data subjects within the European Economic Area. 

2. This controller or processor (the "exporter") discloses by transmission or otherwise makes personal data, subject to the processing, available to another controller, joint controller, or processor (the "importer").

When a data subject directly discloses information to a company, this is not considered a transfer. For example, if an Italian resident submits her information online to make an order on a US retailer’s website, there is no "transfer" of personal data because the company directly received the personal data from the European Economic Area resident. As another example, if the Italian resident submits an order through a local Italian seller acting on behalf of a US retailer, there is a "transfer" of personal data when the Italian seller sends the data to the US retailer.

3. The importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.

Finally, in order to be considered a "transfer," the importing controller or processor must be in a third country, meaning a country other than the European Union member states and the three additional European Economic Area countries. When this third criterion applies, it creates a transfer scenario. 

Some businesses had questioned whether a transfer exists where a third country business is directly subject to the GDPR, for example, for offering goods and services to European Economic Area residents. The EDPB clarifies that it is indeed a transfer when data is sent to a third country recipient, regardless of whether the importer is subject to the GDPR themselves. That is, even if a US business falls under the scope of the GDPR by offering goods and services to residents in the European Economic Area, it is still a "transfer" of data when the US business receives personal data from a company in the European Economic Area. 

What To Do

Businesses should review potential transfer activities and ensure that the proper transfer mechanisms are in place for GDPR compliance. At this time, these mechanisms include standard contractual clauses (recently updated in June 2021, see here) and binding corporate rules approved by an appropriate regulator. 

For those that have comments and further clarification questions, the EDPB is accepting comments on its guidelines through January 31, 2022. The form to provide feedback is available here. Similarly, the United Kingdom’s Information Commissioner’s Office (ICO) recently accepted comments on its international data transfer agreement, which will replace its current version of the standard contractual clauses. Updates from ICO are likely to be released in the near future as well. 

Arent Fox’s Privacy, Cybersecurity & Data Protection group will continue to monitor this issue. For more information or to otherwise discuss questions involving data transfers, please contact Eva Pulliam, Christine Chong, or the Arent Fox attorney with whom you regularly work.