Following the CJEU Schrems II Judgment in July 2020, European data protection authorities (DPAs) have adopted a “zero risk” approach concerning Chapter V of the GDPR. They require data controllers transferring data to eliminate all risks of access by intelligence and law enforcement agencies from foreign countries that lack legal safeguards equivalent to EU standards. Consequently, many non-EU companies have opted to localize data in Europe and offer “sovereign” solutions. However, DPAs often find these measures insufficient, citing the risk of extraterritorial access to data stored in Europe and demanding the complete elimination of such risks.
These legal measures by DPAs are complemented by political actions from European governments. Various initiatives have been launched, including discussions at the European Union Agency for Cybersecurity about incorporating “sovereignty requirements” into the EU Cybersecurity Certification Regime for Cloud Services (EUCS). These efforts reflect a broader strategic focus on enhancing data protection within the EU framework, aiming to establish stricter controls over cross-border data transfers and data localization practices.
The paper critiques the “zero risk” theory, arguing that it is excessively restrictive, not required by the GDPR, and introduces several negative consequences. While acknowledging the DPAs’ intentions to enforce Schrems II and offer clear solutions in a complex domain, it questions the practicality of completely eradicating the risk of unauthorized foreign government access. The paper challenges whether such absolute protection measures align with the GDPR, EU law, and fundamental rights, emphasizing the need for a more feasible approach.
It advocates for a nuanced, risk-based approach to international data transfers that aligns with the GDPR’s inherent flexibility and encourages proportionate data protection measures. The paper suggests that European authorities should reconsider their stance on international data transfers, looking for practical, scalable solutions for businesses. It underscores the importance of maintaining data flows to support the exercise of rights under the EU Charter of Fundamental Rights and calls for democratic governments to promote “data free flow with trust,” finding consensus on protocols for accessing personal data that affect individuals’ rights globally.