Despite being some of the most talked-about areas of the GDPR and the subject of a number of CJEU decisions, key components of the GDPR’s data transfer regime are still open to interpretation. One lingering area of legal ambiguity is under what circumstances transfer safeguards are required by the GDPR if a foreign firm is already subject to the GDPR. The classic data transfer scenario might involve a foreign company not governed by the GDPR receiving EU personal data transmitted by an EU-based partner. In this scenario, the GDPR data transfer safeguards ensure that the GDPR’s high level of protection is not diminished when the data is moved. However, because of the GDPR’s extraterritorial effect, firms located abroad that target the EU for business can also be subject to the GDPR. For these foreign companies under the GDPR’s umbrella, applying the GDPR’s data transfer safeguards is not always intuitive.
A recent enforcement action by the Dutch DPA against Uber levied a steep 290 million euro fine for failing to apply the GDPR’s Chapter V transfer safeguards to the company’s EU-U.S. data transfers, the largest to date from the Dutch DPA. But Uber in the U.S. was subject to the GDPR and was primarily collecting personal data directly from drivers in the EU. This decision departed from EDPB guidance, which would not require the GDPR’s transfer safeguards for foreign firms directly collecting data from EU data subjects. The decision muddies legal requirements for data transfers, and the CJEU’s final word is essential to clarify the relationship between the GDPR’s territorial scope and transfer regime.
I. GDPR Legal Obligations: Article 3 and Chapter V
Some background on the GDPR’s territorial scope and transfer safeguards is necessary to set the stage. Article 3 of the GDPR defines the territorial scope of the GDPR, while Chapter V establishes the safeguards necessary when personal data is transferred from the EU to a third country. A range of transfer mechanisms are available to support transfers from the EU to other countries under Chapter V, the most well-known among them adequacy decisions and standard contractual clauses. However, the text of the GDPR does little to answer how the territorial scope relates to the transfer mechanisms.
Under Article 3(1), entities processing EU personal data can be subject to the GDPR if they have an “establishment” in the EU, Regulation (EU) No 2016/679. However, under Article 3(2), entities can also be subject to the GDPR if they do not have an establishment in the EU but are engaged in:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
In practice, this means the scope of the GDPR is extraterritorial, directly applying to companies operating abroad with no EU presence but that target the EU for business.
Chapter V of the GDPR sets out required safeguards for data transfers from the EU to a third country. Under Article 44, a “transfer” of data can occur to a third country only if the conditions of Chapter V are complied with. According to the CJEU, this requires maintaining an “essentially equivalent” level of protection to that in the GDPR, read in light of the EU Charter of Fundamental Rights, Case C-311/18 (para. 105). Articles 45-47 of the GDPR articulate transfer tools that entities can rely upon for data flows to a third country: 1) an adequacy decision by the European Commission finding that the third country ensures an adequate level of protection, or 2) “appropriate safeguards” put in place between the data exporter and importer, such as standard contractual clauses (SCCs) adopted by the Commission, ad hoc contractual clauses approved by a competent DPA, and binding corporate rules for transfer within a multinational corporation or groups of companies. Importantly, under the recent Schrems II decision, when relying upon “appropriate safeguards” to transfer data, a firm is also required to independently assess whether that tool will ensure essentially equivalent protection or whether supplementary measures like encryption need to be implemented, Case C-311/18 (para. 105). This requires firms to analyze the proportionality of potential third country law enforcement or national security access to the transferred data. Article 49 also contains strictly interpreted derogations from the requirements for a transfer tool, like consent or contractual necessity, designed for limited and irregular transfers.
The text of the Regulation is not explicit about how Article 3 and Chapter V work together: are they applied concurrently, mutually exclusive, or some combination based on the facts? Chapter V also only requires safeguards in instances of a “transfer”, but transfer is not defined. These ambiguities start to cause issues when data is transferred to a foreign entity to which the GDPR is directly applicable, or where a foreign company governed by the GDPR is directly collecting data from EU individuals. On the one hand, when the GDPR is already applicable to a foreign company, layering Chapter V safeguards on top is duplicative. And, if a motivating concern is the potential for disproportionate government access in the non-EU jurisdiction, many basic GDPR obligations already provide some backstop (e.g. requirements for DPIAs or security of processing). As such, the burdens of applying Chapter V might be weighed against relative risk, taking a narrower interpretation of the transfer rules. Others contend that the risk of potential non-EU law enforcement or national security access when data is processed abroad necessitates a broad reading of Chapter V, even when a given company is already governed by the GDPR. Chapter V also provides oversight, enforcement, and redress opportunities for firms located abroad, which can be harder to enforce against.
The latest set of SCCs released by the European Commission stoked this debate. According to the Commission’s FAQ, the current clauses only apply to transfers from entities “subject to the GDPR to transfer personal data to controllers or processors outside the EEA whose activities are not subject to the GDPR.” They cannot be used to transfer personal data to foreign entities already subject to the GDPR. The European Commission has stated that it is developing standard contractual clauses for transfers where the importer is subject to the GDPR, but it has yet to issue any additional SCCs.
Without obvious textual answers about the interplay between the GDPR’s territorial scope and its transfer obligations, the issue calls for clarification by Europe’s institutions. This need has become more pressing as enforcement around data transfers increases following the Schrems I and Schrems II judgments.
II. EDPB Guidelines on the Relationship Between Article 3 and Chapter V
In 2021, the European Data Protection Board (EDPB) released guidance on the relationship between GDPR Article 3 and Chapter V to resolve these lingering ambiguities. While not binding, these highly authoritative guidelines both defined the concept of a “transfer” and concluded that in instances of direct collection of personal data from the EU, a foreign company already subject to the GDPR did not need to put in place Chapter V safeguards.
The EDPB began by defining “transfer” for the first time. As noted above, Chapter V safeguards are only implicated in instances of a “transfer” to third countries, but the GDPR does not define that term. The EDPB concluded that a transfer occurs when:
1) A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
2) The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
3) The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.
Guidelines 05/2021 (para. 9)
Under this definition, Chapter V is required for transfers from an EU entity (controller or processor) to a foreign entity already subject to the GDPR. The second criterion does require that there be two separate entities transmitting and receiving the data, but this can include joint controllers, Guidelines 05/2021 (para. 20). But, critically, under this definition a transfer does not occur when data is directly disclosed by an individual in the EU to a firm in a third country, Guidelines 05/2021 (para. 18) (“…this second criterion cannot be considered as fulfilled when there is no controller or processor sending or making the data available (i.e. no “exporter”) to another controller or processor, such as when data are disclosed directly by the data subject to the recipient”).
The EDPB also took pains to note that even when there is no transfer requiring Chapter V safeguards, companies subject to the GDPR should still assess possible third country government access in relation to their other GDPR obligations. The EDPB stated that companies processing data outside the EU are responsible for reviewing the risk of disproportionate government access, Guidelines 05/2021 (Example 12). Companies located in the EU that are subject to third country laws on government access, such as an EU subsidiary of a foreign multinational, must also consider this risk. While Chapter V may not apply, several other GDPR obligations could still be triggered, such as security of processing (Article 32), data breach notification (Article 33), Data Protection Impact Assessments (Article 35), and others, Guidelines 05/2021 (para. 31).
The EDPB guidelines helped to settle the relationship between Article 3 and Chapter V, specifically by making clear that direct collection from the EU was not considered a transfer. The Board also addressed any potential gap from limiting the reach of Chapter V, concluding companies are not simply off the hook from considering the risks of third country government access to data.
III. Dutch DPA Uber Decision
However, a recent Dutch DPA enforcement action against Uber reopened the debate over the relationship between territorial scope and transfers. In coordination with the CNIL, the Dutch DPA announced in August 2024 that Uber transferred data to the U.S. without Chapter V safeguards, levying a fine of 290 million euro. The fine originated from a complaint to the French CNIL by NGO Ligue Des Droits De L’homme about the transfer of French Uber drivers’ data to the US. The transfer involved Uber B.V. (UBV), the Netherlands outpost of Uber, and Uber Technologies Inc (UTI), the parent company in the US. The Dutch DPA took a more expansive view of Chapter V than the EDPB. The DPA also stopped short of a crisply articulated alternative standard for its view on the relationship between Article 3 and Chapter V.
Uber historically relied upon SCCs when there was no EU-U.S. adequacy decision available, as was the case from when the CJEU decision struck down the Privacy Shield in 2020 until the new Data Privacy Framework was adopted in 2023, Case No. [Redacted] (para. 42) [hereinafter Uber Decision]. In August 2021, Uber changed interpretations and decided that SCCs were not necessary since Article 3 of the GDPR directly applied to UTI’s processing of personal data in the U.S., Uber Decision (paras. 43-44). Uber then began to rely upon the Data Privacy Framework in November 2023, but it had no data transfer mechanism in place from August 2021 until November 2023, Uber Decision (para. 45).
The Dutch DPA concluded Uber transferred drivers’ data to the US in two scenarios. Scenario one involved personal data of drivers in the EU collected through their Uber app and sent directly to UTI for storage in the U.S., Uber Decision (para. 17). Scenario two involved data concerning drivers’ exercise of rights under the GDPR in which UBV and UTI would collaborate; UBV scoped requests and communicated with data subjects, while UTI processed and made the requested data available to the requestor directly from UTI in the U.S., Uber Decision (para. 18).
Uber lodged several different arguments in its defense: that Chapter V was not applicable because UTI directly collected data from EU data subjects; that those data flows which did occur could not be considered international data transfers since UBV and UTI were joint data controllers to which the GDPR directly applied; and, finally, that any transfers qualified for Article 49(b-c) derogations on contractual necessity, Uber Decision (paras. 46-56). Uber also leaned on the fact that the Commission had not provided SCCs for scenarios in which the GDPR applied directly, so they had no available SCCs for any transfers from UBV to UTI, Uber Decision (para. 51).
The Dutch DPA did not accept any of these arguments. First, the DPA concluded that transfers between joint data controllers subject to the GDPR and located in different countries are governed by Chapter V, Uber Decision (paras. 97-98). This point is in agreement with the EDPB decision, which recognizes that data exchanges between joint controllers can still be a transfer, including entities that are part of the “same corporate group” when they “qualify as separate controllers or processors,” Guidelines 05/2021 (para. 21).
Where the Dutch DPA diverged from the EDPB was in its second conclusion: that both scenario one and scenario two involved a “transfer,” notwithstanding the fact that scenario one concerned EU Uber drivers’ direct transmission of data to UTI in the US. For this, the AP leaned heavily on the employment relationship with UBV and the lack of control for drivers over the terms of employment and the data collected, Uber Decision (paras. 89, 92-94). The DPA also cited policy interests for reading Chapter V’s application this broadly. A foreign company to which the GDPR applies operates outside of all layers of EU law, the DPA argued, and given the difficulty of enforcement against a foreign entity, even when the GDPR governs a foreign company the level of protection may be diminished when personal data is processed abroad, Uber Decision (paras. 66-68). The Dutch DPA contended Chapter V was designed to counterbalance these risks and should be read broadly to give full protection, Uber Decision (paras. 68-70). As to the EDPB’s view, the DPA stated there was no conflict between its decision and the Guidelines because the EDPB did not consider an example of a data exporter in the contractual employment context, Uber Decision (para. 91).
Finally, the Dutch DPA found that Uber did not have an appropriate transfer tool in place from August 2021 to November 2023, Uber Decision (para. 110). Even though there were no SCCs available for scenarios in which the data importer is governed by the GDPR, the Dutch DPA said that Uber should not have concluded that SCCs or other transfer instruments were not necessary, Uber Decision (para. 109). Uber also could not rely on Chapter V’s derogations in Article 49(b) or (c) on contractual necessity, since Uber’s transfers were not “incidental,” but ongoing, and were not “necessary,” Uber Decision (paras. 118-26). As a result, Uber violated Article 44.
IV. Analysis and Next Steps
Uber is appealing the decision. Given the conflicts between the EDPB and the Dutch position, the Dutch courts are likely to ask the CJEU to weigh in on the relationship between Article 3 and Chapter V. Despite the Dutch DPA’s take that the EDPB Guidelines could be reconciled with its view, the EDPB decision was unequivocal that direct collection of EU personal data by a third country provider subject to the GDPR is not a transfer. The Dutch DPA decision to view Uber’s activity as a data transfer even in such circumstances reaches the opposite result. On this point, clarity from the CJEU is essential.
The Dutch DPA decision also adds to the confusion by failing to lay out a clear legal standard for when, under its alternative view of Article 3 and Chapter V, a foreign provider subject to the GDPR would need to apply Chapter V safeguards. The Dutch DPA not only considered the employer relationship between UBV and the drivers, but looked to a variety of other contextual factors that bore on asymmetry of the Uber-driver relationship, the involvement of both entities in determining the terms of that relationship, and the data transfer. If the CJEU determines that some instances of direct collection by third country providers are covered by Chapter V, the CJEU also has an opportunity to establish a concrete standard for when the provisions are triggered.
Until the issue is settled, EU entities subject to the GDPR under Article 3(2) in doubt of their Chapter V obligations would be wise to apply Chapter V transfer safeguards to their activity.