What happened to the Risk Based Approach to Data Transfers?
How the EDPB is rewriting the GDPR
Future of Privacy Forum
In an article for the Future of Privacy Forum (FPF), Lokke Moerel, senior of counsel of Morrison Foerster’s Privacy + Data Security practice, discusses the origins of the risk-based approach (RBA) in the GDPR, how it evolved during the EU's legislative process, and why it should also apply to the data transfer obligations of the GDPR. This issue has come to the fore as companies work towards Schrems II compliance by executing measures to mitigate the risk that U.S. government entities can access their data. Yet the EU data protection authorities (DPAs) continue to block their way. The DPAs increasingly adopt an absolutist approach, whereby mitigating measures are disregarded irrespective of the actual risk for data protection after transfer, triggering a debate on what happened to the RBA.
The Austrian DPA kicked things off by issuing a decision in a complaint by noyb against, among others, Google regarding data transfers in the context of the use of Google Analytics. In this decision, the Austrian DPA explicitly discards the applicability of the RBA as far as the data transfer provisions of the GDPR are concerned. In a Q&A issued by the CNIL concerning the use of Google Analytics, the CNIL also indicated that the RBA cannot be applied to data transfers. This is noteworthy, as in the legal literature it is generally assumed that the RBA is incorporated in the ‘accountability principle’ of Article 24 GDPR, and that this principle has a horizontal application throughout the GDPR and therefore also applies to the data transfer requirements. In this light, it is high time for an in-depth assessment of whether, and if so to what extent, the GDPR introduced the RBA, and specifically whether the RBA also applies to the data transfer requirements of Chapter V of the GDPR.
The conclusion will indeed be that the accountability requirement of Article 24 GDPR incorporates the RBA for all obligations of the controller under the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Contrary to what the DPAs assume, this is not contradicted by the ECJ in Schrems II, nor by the EDPB recommendations on supplementary measures following the Schrems II judgment. We will, however, also see that the EDPB is trying to rewrite the GDPR by applying the accountability principle of Article 5(2) GDPR (which does not include the RBA) rather than the accountability principle of Article 24, which does. By taking this position, the EDPB is essentially pushing its own version of the accountability principle as it proposed it at the time of the revision of the Directive, a version that EU legislators ultimately did not adopt in the GDPR.
Read the full article.