The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach

Since the CJEU Schrems II Judgment in July 2020, European data protection authorities (DPAs) in the EU have developed a “zero risk” theory in relation to Chapter V of the General Data Protection Regulation (GDPR). They have been asking data controllers and processors that transfer personal data outside the EU to “eliminate” all risks of access to European personal data by the intelligence and law enforcement agencies of foreign countries whose legal systems do not include data protection safeguards that are essentially equivalent to those mandated by EU law. This “zero risk” approach at first concerned transfers of European personal data to such countries. As a result, there has been growing legal and commercial pressure for many non-EU companies to localise data in Europe and propose so-called “sovereign” solutions. However, this has often been deemed insufficient by DPAs and other authorities who have highlighted the risk of extra-territorial access to data stored in Europe and have asked that any risk of such access by foreign authorities be “eliminated” as well.

In light of these issues, CIPL would like to thank Professor Theodore Christakis, Professeur de droit at the Université Grenoble Alpes for his comprehensive study ‘The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach’. We believe that this paper, which argues that the DPAs’ “zero risk” theory is overly restrictive, not mandated by the GDPR, and could have a number of adverse effects will contribute to a constructive discussion towards developing pragmatic and sustainable solutions for international transfers.

Download the Paper

Download Now