May 26, 2022

Volume XII, Number 146

Cross-Border Transfer Master Class: Controller (EEA) → Controller (EEA) → Branch Office (US)

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

  • Background. Company B is a European entity that has a branch office in the United States (which is not a separate legal entity). While data is being directly sent from Company A in Europe to Company B’s branch office in the United States, the contract is between EEA Company A and EEA Company B. The EDPB has suggested that Company B’s branch office is not considered a controller or a processor (separate and apart from Company B itself).[1] However, the EDPB has not directly addressed a situation in which an entity sends personal information to an unincorporated office outside of the EEA. The solid line indicates the data flow; the dashed line indicates the contractual relationships.

  • Ambiguity as to whether a mechanism is needed for transfer from Company A to Company B. The EDPB has not directly addressed this situation. As a result, there are two possible interpretations of how to approach compliance.

    • An argument could be made that, while data is being directly transmitted from Company A to Company B’s branch office in the United States, the branch office is not, based upon the EDPB’s guidance discussed above, considered a separate controller or processor as compared to Company B in the EEA. As a result, an argument could be made that the data has not been transmitted to a controller that is located in the United States. Note that Company B would be directly subject to the GDPR, and, as a result, data received should be subject to all GDPR requirements even in the absence of an SCC.

    • An argument could also be made that, because data is being transmitted from one controller (Controller A) to a second controller’s agents who are physically located outside of the EEA, the parties could enter into the SCC Module 1, wherein Company B would sign as the “data importer” and list the United States as a country in which processing will occur.

  • Transfer Impact Assessments. A formal transfer impact assessment is not required by contract if neither Company A nor Company B signed SCCs. Nonetheless, the EDPB has suggested that controllers (Company A and Company B) are “accountable for [their] processing activities” which include assessing risks “to conduct or proceed with a specific processing operation in a third country although there is no ‘transfer’ situation.”[2] As a result, Company A and/or Company B might consider conducting a TIA to analyze various risks that may result from the transmission of data (with respect to Company A) and/or the retention of data in a third country (with respect to Company B).

  • Law enforcement request policy. If no SCCs are signed, neither Company A nor Company B would be directly subject to Section 15 of the SCCs, which requires specific steps in the event that a company receives a request from a public authority for access to personal data. Nonetheless, the EDPB has suggested that controllers (Company A and Company B) are “accountable for [their] processing activities” which include assessing risks “to conduct or proceed with a specific processing operation in a third country although there is no ‘transfer’ situation.”[3] As a result, Company B might consider creating a law enforcement request policy to mitigate risks surrounding law enforcement requests from the United States.

FOOTNOTES

[1] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at paras. 15 and 16.

[2] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.

[3] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 25

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 
