EDPB consultation on Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
FEDMA thanks the EDPB for this draft guideline 05/2021. We would like to take the opportunity to answer this consultation.
The guidelines conclude on the tools available to ensure a safe international transfer; notably adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules and Codes of Conduct. The recent Austrian competent supervisory authority’s decision on Google Analytics highlights the current issues surrounding safe transfers and the pressure that this puts in particular on European SMEs. Indeed, Binding Corporate Rules are recommended for multinational companies and take a long time to be approved. They are not recommended for European SMEs. As adequacy decisions do not exist yet for many important commercial partners around the world, European companies therefore heavily rely on Standard Contractual Clauses and Codes of Conduct.
Yet, the recent Austrian competent supervisory authority’s decision and the EDPS decision against the European Parliament show that it will be very difficult for businesses to ensure supplementary safety measures, especially for a destination where there is a risk of access to the data. One solution could be to check for European alternatives, with processing of data in the EU, before considering products or services which require transferring data outside the EU. However, substitute EU products are not always readily available and when they are, they may be more expensive than non-EU products. Shifting to a new service or product may require the implementation of a full project over several months, sometimes involving heavy resources, which EU SMEs may need to allocate to their recovery efforts in the post-Covid era.
As FEDMA expressed in its answer to the consultation on the draft guidelines 4/2021 on codes as tools for international data transfers, the requirements for codes of conduct for safe international transfers are very stringent, to the extent that we believe multinational companies will prefer BCRs for the same cost, time and effort.
This leaves European SMEs in particular in a vulnerable situation. Taking the example of Google Analytics, organisations need to know what profile of consumer visits their websites and how, especially as the Covid-19 pandemic has increased online commerce. Though European alternatives exist, Google Analytics leads the market with 31.55%, followed by alternative Google services for 42% and Facebook 4.45%. Concretely, European alternative service providers will require time to scale up, time during which European companies will be less competitive.
FEDMA supports competent supervisory authorities in their role as GDPR enforcers. However, enforcement towards companies must be reasonable and proportionate to their efforts to adapt to the current requirements by either adapting their budget to pay more for equivalent service or working on having a valid safeguard (e.g. SCC or Code). We call upon the EDPB and its members to leverage Article 83 of the GDPR, notably to assess the nature of the data, number of data subjects concerned and the intent.
 Austrian DPA, 13th January NOYB vs Google LLC
 EDPS, 5th January 2022, Case 2020 1013