Clifford Chance

The leading European data protection teams at Clifford Chance and DLA Piper have collaborated on a joint paper setting out the case for a proportionate approach to conducting risk assessments of international transfers of personal data.

The paper, entitled "The GDPR International Data Transfer Regime: the case for Proportionality and a Risk-Based Approach", considers the current legal state-of-play for restricted international transfers of personal data under the European Union (EU) General Data Protection Regulation (GDPR), and argues in favour of  a risk-based approach to conducting the mandatory risk assessments.

Following the 2020 judgement of the Court of Justice of the EU (CJEU) in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18), commonly referred to as Schrems II, data exporters in the European Economic Area (EEA) are required to carry out complex assessments of the legal regimes and practices of certain non-EEA countries (or "third countries") before they can transfer personal data to recipients in those countries. Recent enforcement by European data protection supervisory authorities have relied on a strict, or absolutist, interpretation of the Schrems II judgment, finding that theoretical risks of access by public authorities in third countries mean that transfers to such countries must be prohibited where they give rise to any risk of harm (regardless of severity or likelihood). These rulings indicate a trend towards what would in effect be outright bans of personal data transfers to certain countries.

The paper argues that the European Charter of Fundamental Rights, the Treaty on European Union, the GDPR and relevant case law of the CJEU in fact require a proportionate, risk-based approach to personal data transfers to third countries outside the EEA.  Furthermore, it argues that this absolutist approach is likely to lead to a culture of widespread non-compliance, undermining respect for the rule of law.

Dessislava Savova, partner at Clifford Chance's Paris office and head of the European Tech Group, comments: "International data flows are crucial in today's hyperconnected world.  Data exporters in the EU and beyond face significant legal uncertainties in this crucial area following recent judgements.   An approach that considers the real-life, rather than hypothetical, risks arising from the circumstances of a specific transfer was the intention of legislators and the CJEU, and delivers the best outcome for data subjects, exporters and wider society."

Commenting on the paper, Gunnar Sachs, member of the Clifford Chance global Tech and Data Privacy Groups and partner at Clifford Chance's Dusseldorf office, comments: 

"The direction of travel in judicial decisions after Schrems II risks creating a de facto ban on international data transfers to certain countries. This is not in keeping with the Schrems II decision itself in which the CJEU in effect requested European data exporters not to rely on an absolutist interpretation of the GDPR, by imposing on them the task of independently carrying out case-by-case assessments for each restricted data transfer. A proportionate approach enables data exporters to calibrate protections appropriately, and apply more resource to those transfers which pose a genuine risk of harm to data subjects."