Topics In Demand
Notification
New

No notification found.

Submission to the European Data Protection Board on the regulation of international data transfers under the GDPR
Submission to the European Data Protection Board on the regulation of international data transfers under the GDPR

February 8, 2022

269

0

We recently submitted our feedback to the European Data Protection Board (EDPB) on their draft guidelines published on specific issues about the treatment of international data transfers (available here) under the General Data Protection Regulation (GDPR).

These draft guidelines aim to clarify the interplay between the rules on the use of transfer tools (under chapter V of the GDPR) and the rules on how the GDPR applies extraterritorially, that is, to entities situated outside the EU. A notable aspect of these draft guidelines was the effort to define the concept of a “transfer”, a key concept in the GDPR that is not given a formal legal definition in the regulation.

In our feedback, we focused on asking the EDPB to nuance their understanding of a “transfer” and to not require transfer tools where there is a low risk of personal data not being appropriately protected.

First, we noted that the definition of a transfer rests on two key phrases – “disclosure by transmission” and “making available” of personal data. Neither of these are defined. We submitted that this a missed opportunity to examine how this legal concept can be properly delimited.

Second, we noted that the EDPB has, across documents, assumed that scenarios of “remote access” of personal data will always be regarded as a transfer, even though what is meant by this term is not clarified.  We submitted that the EDPB should look to define what it means by “remote access” and to exclude scenarios that should not need a transfer tool. For instance, a transfer tool should not be required for operations where the personal data does not actually move to a territory outside the EU and is only viewed by a non-EU data processor who cannot export or download such personal data.

Third, we also noted that the concept of “transfer” should not be interpreted in a manner where it also applies to personal data that moves between different jurisdictions when in transit from one organization to another. So, for instance, if an EU data controller sends personal data to an EU data processor, but that personal data passes through a server in a territory outside the EU in transit, then this should not be regarded as a transfer if the personal data is not accessed or manipulated whilst in transit.

A copy of our submission is enclosed. For any questions or clarifications, please write to varun@nasscom.in.

 


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


Download Attachment

20220131 - NASSCOM - EDPB - Comments on Draft Guidelines on Interplay Between Article 3 and Chapter V GDPR.pdf

images
Varun Sen Bahl
Manager - Public Policy

Reach out to me for all things about data regulation, cybersecurity policy, and internet governance.

© Copyright nasscom. All Rights Reserved.