GDPR Brief: what constitutes an “international data transfer”? Recent developments by the EDPB and implications for genomic and health data sharing

14 Feb 2022

The latest GDPR Brief, written by Mikel Recuero Linares, addresses recent developments by the EDPB and implications for genomic and health data sharing.

The latest GDPR Brief, written by Mikel Recuero Linares, addresses recent developments by the EDPB and implications for genomic and health data sharing.

Seasoned readers of the GA4GH GDPR Brief will note that the GA4GH GDPR and International Health Data Sharing Forum have addressed the topic of international data transfers on numerous occasions. However, the concept of ‘international data transfer’ has not yet been examined. The reason for this is that neither the GDPR, nor case law, nor European authorities have so far provided a robust definition of this term.

As an attempt to shed some light on this issue, the European Data Protection Board (EDPB) adopted its ‘Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR’ and opened a public consultation period, which ended on January 31st, 2022.  

What constitutes an ‘international data transfer’? 

According to the EDPB, an international data transfer will exist when the following three criteria are cumulatively met:

1. The controller or processor exporting the personal data (‘exporter’) is subject to the GDPR for the given processing, i.e. meets the requirements of Article 3 GDPR on the territorial scope. Therefore, the exporter does not necessarily have to be established in the European Union (EU) for an international data transfer to exist. 
2. The exporter discloses by transmission or otherwise makes personal data available to another controller, joint controller or processor (‘importer’). As a result, two separate parties need to be involved: the controller or processor disclosing the data and a different controller or processor receiving or obtaining access to such data. The foregoing entails three main consequences in the EDPB’s view: 
   • The data disclosed directly by the data subject on their own initiative to a controller or processor outside the EU does not qualify as a transfer since the data subject cannot be considered a controller or processor exporting the data. 
   • The data accessed remotely from a third country by an employee of a controller or processor does not qualify as a transfer since such employee is an integral part of the very same controller or processor, i.e., there are no two separate parties.
3. The controller or processor importing the personal data is in a third country or is an international organisation, regardless of whether the processing falls under the territorial scope of the GDPR. In other words, it is sufficient for the data to leave the geographical boundaries of the EU. Overall, criteria 1) and 3) read together impose that these controllers or processors (already subject to the GDPR) are also subject to the rules for international data transfers and must therefore adopt one or more transfer mechanisms. 

What are the implications for genomic and health data sharing?

Firstly, although an organisation from a third country may already be subject to the GDPR, one or more transfer tools will nonetheless be required in order to export the data to this controller or processor. 

For example, consider the case of a US-based organisation importing clinical personal data from a Spanish hospital to develop and test a health data management software to be commercialised in the EU. The US entity would already be subject to the GDPR by offering its services and products to data subjects in the Union but, in addition, it would have to rely on a data transfer mechanism. Certainly, at this stage, they may not rely on the Standard Contractual Clauses (SCCs) adopted by the Commission as this is expressly precluded by Recital 7 thereof in those cases where the importer is already subject to the GDPR based on Article 3. 

Secondly, since ‘transfer’ is defined as the ‘disclosure of data by transmission or otherwise making it available’, the scenarios in which the rules on international transfers would apply, even if the data remains in the EU, are significantly extended. The expression ‘otherwise making data available’ is not further described but only alluded to, and a reference is made to previous EDPB Guidelines. This is critical for genomic and health data sharing, e.g. for burgeoning federated infrastructures, platforms or databases. 

Consider a European federated platform that allows Canadian researchers to search and discover European data sets stored on European servers. Although the data may never ‘leave’ the EU, would the fact that these data can be displayed or remotely processed (even inside the EU) by the Canadian researchers fall within the concept of ‘otherwise making it available’? The EDPB fails to clarify this extent, and, if anything, such an omission would entail the risk of equating or confusing the terms of ‘processing’ and ‘transfer’. Therefore, it does not seem to be the intention of the European legislator to restrict any data processing operation carried out by controllers or processors in a third country, but only those that may undermine the level of protection of natural persons guaranteed both by the GDPR and Union law.

Lastly, as mentioned, direct disclosure of data at the initiative of the data subject does not constitute an international transfer, e.g. directly entering data in an online form. The GDPR may still apply but without the transfer tools being necessary. Hence, data and rights could be treated differently depending on who is transferring such data outside the EU boundaries. If the data are transferred directly by the data subject, this may result in a  different degree of protection and of rights enforcement, since the implementation of Chapter V tools and other safeguards will no longer be required. 

Further reading

• EDPB (2021). Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions of international transfers as per Chapter V of the GDPR.
• Fennessy, C (2021). New EDPB guidelines define international transfer: dancing in place. The Privacy Advisor.
• Boardman, R.; Hughes, C (2021). Filling in the blanks: what is the transfer of personal data and when will Chapter V obligations be applicable? The Privacy Advisor. 
• Kuner, C (2021). Exploring the Awkward Secret of Data Transfer Regulation: the EDPB Guidelines on Article 3 and Chapter V GDPR. European Law Blog.

Relevant GDPR provisions

• Recital 101 – General principles for transfers.
• Article 3 – Territorial scope.
• Article 44 – General principle for transfers.

Mikel Recuero is legal counsel and researcher at the Chair in Law and the Human Genome of the University of the Basque Country.

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.