GDPR: Transfer

In Lindqvist, the court concluded that uploading data to a hosting provider within the EU where that data is available for access to anyone outside the EU does not constitute a data transfer [1]. The explanation given was that the page did not have the ability to initiate a transmission of that information to those who were not seeking that information [2] and it was not a direct link between Lindqvist and the person in the third country but through a hosting provider [3].

I believe this creates some form of a lacuna or loophole, where data processors can transmit/send/push/upload that data on a server and have the party in the third country request/retrieve/pull/download that data. Since, the transmission is initiated by the party in the third country and there is no direct link, it does not constitute a transfer. Much wasn't clarified because it wasn't relevant in Lindqvist. If it was specifically set up to require authentication such that it was meant only for a certain party to retrieve, would it have constituted a transfer?

If I had could use an analogy to clarify, if I pass an envelope directly to a friend, it is a transfer. However, if I leave an envelope taped to the underside of a park bench, and someone happened to chance upon it at a later time and retrieved it, it is not a transfer. What if I had told a friend about the location with the expectation that he was going to retrieve it shortly after I taped it there?

According to the GDPR, a "data transfer" occurs if and only if that data is processed after the "transfer" has taken place [4]. According to the ICO, if no processing takes place, it is merely considered a "data transit" and not "data transfer" [5]. I think this is a really elegant way to sidestep the complexity of defining the direction of transmission, intention behind transmission, direct/indirect transmission and other such aspects. If we were to return to that analogy, it no longer matters how my friend got hold of that envelope. If it remains sealed, it is a "data transit". Once he opens the envelope and processes the contents, it is a "data transfer".

With the recent trend of "cloud computing", where processing and storage of data is moved to the cloud instead of on-premise, there has been increased scrutiny with respect to data transfers. In general, when data is moved to a cloud provider in a third party country, the European Commission recommends the use of Standard Contractual Clauses (SCC) to ensure that personal data receives adequate protection that meets the standards of the GDPR [6]. However, cloud providers do offer solutions such as a Virtual Private Cloud (VPC), which Amazon claims "closely resembles a traditional network that you'd operate in your own data center" [7]. In such cases, it can probably be argued that the data still remains within your organization and Binding Corporate Rules (BCR) might suffice.

[1] Case C-101/01 Bodil Lindqvist [2013] ECR I–12971, para 70.

[2] ibid, para 60.

[3] ibid, para 61.

[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1, Article 44

[5] Information Commisioner's Office, 'International data transfers' https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr/international-data-transfers/ accessed 15 November 2023

[6] COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] OJ L199/31

[7] Amazon, 'What is Amazon VPC?' https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html accessed 16 November 2023