The Schrems II judgment has created significant legal uncertainty and challenges for data exporters across the European Economic Area (the EEA), requiring highly complex assessments of the laws and practices of third countries and risk assessments. Compounding this challenge, the legal standard to be applied to personal data transfers abroad from the EEA has been the subject of recent regulatory and judicial attention – with European data protection supervisory authorities adopting an absolutist interpretation of the European Union (EU) General Data Protection Regulation (GDPR) in the context of data transfers under Article 46 GDPR.
Member State supervisory authorities have argued that it is not possible to adopt a risk-based approach when assessing transfers of personal data to “third countries”, in essence arguing that transfers are prohibited if the possibility of foreign governmental access gives rise to any risk of harm (however trivial and however unlikely).
Given the importance of transfers in our hyperconnected world and with the objective of creating greater legal certainty for organisations wishing to export personal data from the EEA to third countries, the European data protection practices of DLA Piper and Clifford Chance, have today published a joint paper which argues the case for proportionality and a risk-based approach to international transfers.
The paper concludes that the European Charter of Fundamental Rights, the Treaty on European Union, the GDPR and relevant CJEU case law require a proportionate, risk-based approach to personal data transfers to third countries outside the EEA, which can be implemented in practice and which will help to address the legal uncertainty created by an unlawful strict interpretation of Schrems II and Chapter V of the GDPR.
Commenting on the paper, Ewa Kurowska-Tober, Global Co-Chair Data Protection and Cybersecurity at DLA Piper said:
“The Charter of Fundamental Rights of the European Union, the Treaty on European Union, the GDPR and the caselaw of the Court of Justice of the European Union all support a risk based approach to the assessment of international transfers of personal data to third countries. Transfers have many benefits for consumers and for society. Transfers helped to ensure the rapid development and roll-out of vaccines to combat the COVID-19 pandemic. Transfers enable effective oversight and regulation of business to ensure consumer protection and sound governance. Transfers provide access to information society services enjoyed by billions of European citizens and consumers worldwide.
Heidi Waem, Legal Director at DLA Piper in Brussels commented:
“Cross-border data flows are vital to our society and to our global economy. As a fundamental right, data protection must be protected when personal data are exported from the EEA to third countries, but the measures implemented to protect data should be proportionate to the risk of harm arising from the transfer. To demand the same approach to be implemented for all transfers, irrespective of the risk of harm to individuals, will impose a disproportionate burden on data exporters.”
The Paper is available here.
 See: Austrian (DSB) decisions available at: https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Google%20Analytics_EN_bk.pdf and https://noyb.eu/sites/default/files/2022-04/Bescheid%20geschw%C3%A4rzt%20EN.pdf. French (CNIL) decision available at: https://www.cnil.fr/sites/default/files/atoms/files/decision_ordering_to_comply_anonymised_-_google_analytics.pdf. Italian (Garante) decision available at: https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9782874#english (document: https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9782890). Danish decision available at: https://www.datatilsynet.dk/english/google-analytics/use-of-google-analytics-for-web-analytics;