The European Data Protection Board has held its latest plenary session. During the session, it adopted Guidelines on the interplay between Article 3 on the territorial scope of the GDPR and Chapter V of the GDPR on international transfers.
The Guidelines aim to help data controllers and processors in the EU to identify whether a processing operation is an international transfer, and to provide a common understanding of the concept of international transfers.
The Guidelines specify three cumulative criteria that qualify a processing as a transfer:
- the data exporter (a controller or processor) is subject to the GDPR for the given processing;
- the data exporter transmits or makes available the personal data to the data importer (another controller, joint controller or processor); and
- the data importer is in a third country or is an international organisation.
The processing will be considered a transfer, regardless of whether the importer established in a third country is already subject to the GDPR under Article 3 (this is not strictly what the European Commission said in its preamble to the standard contractual clauses). However, the EDPB considers that collection of data directly from data subjects in the EU at their own initiative does not constitute a transfer.
The consultation on the Guidelines ends on 31 January.
In addition, the EDPB adopted a Statement on the European Commission’s Digital Services Package and Data Strategy. In the statement, the EDPB highlights three overarching concerns regarding the Commission proposals for a Data Governance Act (DGA), Digital Services Act (DSA) and Digital Markets Act (DMA) and the AI Regulation (AIR):
- Lack of protection of individuals’ fundamental rights and freedoms;
- Fragmented supervision; and
- Risks of inconsistencies.
The EDPB and EDPS have already issued joint opinions on the DGA and the AIR, and the EDPS has issued opinions on the European Strategy for Data, the DMA and the DSA. In its statement, the EDPB reiterates its call for a ban on any use of AI for an automated recognition of human features in publicly accessible spaces and urges the co-legislator to consider a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking. It also says that the profiling of children should overall be prohibited.
The EDPB further highlights the risks of parallel supervision structures and strongly recommends that each proposal should provide for an explicit legal basis for the effective cooperation and exchange of information between the competent supervisory authorities and the data protection authorities.
In addition, the EDPB says that the European Commission and the co-legislator should ensure that the proposals clearly state that they shall not affect or undermine the application of existing data protection rules, and that these rules shall prevail whenever personal data are being processed. This also applies in the context of the forthcoming proposal for a Data Act.