Quick thoughts on the EDPB data transfer guidance. Parts of the opinion still seem to lack coherence.

edpb.europa.eu/news/news/2021…


Some breathed a sigh of relief that direct data collection from individuals won't require a transfer mechanism. Alas, the next transfer will require one, even if it's entirely outside the EU. So while excused from one data transfer mechanism, you may be subject to a dozen others.


Apparently, the EDPB chose a “geographic” approach to defining data transfers (it’s a transfer once data leaves the EU, even if the importer is subject to GDPR) over a “jurisdictional” approach (it’s a transfer only if the importer isn’t subject to GDPR). BUT....


Actually, the EDPB approach is more muddled. Consider this: a non-EU (say, US) company subject to GDPR (say, a publisher) will now need a data transfer mechanism for transfers to its processors/business partners in the US!


What’s “geographic” about this approach then? It requires a cross border transfer mechanism for transfers of data from one US entity to another. The data never cross a geographic border.


A further complication is that no SCCs exist for transfers from EU to an importer directly subject to GDPR. The COM will need to set forth a new set of SCCs. And companies will need to determine which set to adopt based on an assessment of applicable law. That's tough.


Moreover, the EDPB suggests that government access risks should now be weighed in assessing Article 32 security mechanisms. So even without a transfer, "supplementary measures" may be needed.


Finally, the guidelines state that cross-border data disclosure/access within the same organization is not a data transfer (e.g., an employee accessing data from abroad). But that’s only true within a single entity. What an entity is, and where it is based, are complicated questions.
