In the wake of the Schrems II decision, the EU’s lead data regulators have largely adopted an absolutist view that any potential for harm due to interception by a foreign government (even if trivial) is a GDPR violation and that these governments must demonstrate parity with the bloc’s data privacy laws before they can become a trusted partner. A new paper from global law multinationals DLA Piper and Clifford Chance lays out the case for a risk-based approach to these international data transfers, arguing that the status quo is too onerous and that data exporters are suffering from unfair burdens under an “unlawfully strict” interpretation of the Schrems ruling.
Should “heavy-handed” GDPR terms be replaced by a risk-based approach?
The current position of EU data protection supervisory authorities is that Article 46 of the GDPR forbids data transfers (without strong safeguards) to a non-EU nation if there is reason to believe that country’s government is intercepting international data transfers, for whatever purpose. This was not the case until mid-2020. The perspective is informed by the Schrems II decision, which focused on data transfers to the United States, in light of the Edward Snowden intelligence-gathering leaks and several official policies (Section 702 of the Foreign Intelligence Surveillance Act, Executive Order 12333, and Presidential Policy Directive 28) that allow US intelligence agencies to indiscriminately gather the personal information of persons outside the country who are not necessarily under investigation or suspected of anything.
Though the Schrems case focused on data sent to the US, the EU policy now applies to international data transfers with all non-EU nations. DLA Piper argues that the individual risk-based approach should be back on the table, given that in at least some cases the risk of actual harm to individuals is insubstantial. And, in addition to being unfair to some of the businesses that are subject to them, the draconian terms simply encourage “widespread non-compliance” that ends up being worse for data subjects.
Part of the argument that the average person would benefit is that vital information sharing might be hampered in times of crisis, such as the Covid-19 pandemic and the war in Ukraine. But the paper goes beyond mere opinion and appeals to sympathy for individuals and struggling businesses, making the case that prior rulings related to the GDPR terms establish that a risk-based approach should be required for international data transfers.
The case for a change in perspective on international data transfers
The legal argument centers on GDPR Article 45, which governs how adequacy decisions are made, and Article 46, which sets terms for transfers to countries that are not considered adequate data partners. Article 46 sets the terms of Standard Contractual Clauses (SCCs), which allow for these transfers so long as personal data is essentially encrypted and protected at the remote end such that data subjects can be confident that the foreign government is not intercepting it along the way.
Article 46 was the primary focus of the Schrems II decision, as the previous transfer framework (Safe Harbor) had allowed for much more leeway in crafting SCCs. After Schrems II, SCCs continue to function but are subject to much more scrutiny (such as a mandatory impact assessment). Some companies, such as Facebook, have openly pondered pulling out of the EU entirely if the ongoing chain of legal battles related to these terms does not ultimately shake out to their liking.
The DLA Piper risk-based approach argument refers to the fundamental principle of “proportionality” embedded in the core of EU law (Article 5(4) of the Treaty on European Union). This essentially states that freedom to conduct a business is a fundamental right alongside personal privacy, and thus any limitations placed on it must be proportionate, imposed only where necessary, and genuinely meet the need to protect the rights and freedoms of others.
The argument is thus that the balance between business and personal rights has been tilted too far against businesses. What is described as an unfair compliance burden on businesses could be alleviated by a risk-based approach, which would only require businesses to take on these extra responsibilities in cases where it can be determined that actual harm might come to the data subject from foreign interception of the specific data being transferred.
The argument further notes that the GDPR itself recognizes proportionality principles in Recital 4, which states that the entitlement to protection of personal data is not an “absolute right.” Some prior case law, such as the 2003 Lindqvist decision, appears to affirm the concept of considering the right to operate a business in counterweight to data privacy rights.
At the moment, the risk-based approach argument is not much more than an opinion posted on a blog. However, some believe that it has enough merit to eventually gain legal traction in a challenge to how international data transfers are governed by the GDPR. Gunnar Sachs, member of the global Tech and Data Privacy Groups at Clifford Chance, comments: “The direction of travel in judicial decisions after Schrems II risks creating a de-facto ban on international data transfers to certain countries. This is not in keeping with the Schrems II decision itself in which the CJEU in effect requested European data exporters not to rely on an absolutist interpretation of the GDPR by imposing on them the task of independently carrying out case-by-case assessments for each restricted data transfer. A proportionate approach enables data exporters to calibrate protections appropriately, and apply more resources to those transfers which pose a genuine risk of harm to data subjects.”