A Risk-Based Approach to International Data Transfers

Paul Breitbarth

doi:10.21552/edpl/2021/4/9

A Risk-Based Approach to International Data Transfers

Paul Breitbarth^*

^*Corresponding author for this work

Faculty Office

Research output: Contribution to journal › Article › Academic › peer-review

Abstract

Since the Schrems-II judgment, a discussion is taking place on solving the challenges organ-isations face when transferring personal data out of the European Economic Area: can they rely upon data transfer risk assessments, and may they also consider the likelihood of the risks actually occurring? If not, it seems unavoidable that many international data flows will either need to stop or continue illegally, since the threshold to transfer personal data would become too high to work with on a daily basis. This paper discusses why a risk-based approach to international transfers is both needed and legal, why the guidelines of the Eu-ropean Data Protection Board may be expecting too much from organisations and what a risk-based data transfer should mean in practice. Apart from legislative change, a solution can be found in increased accountability and transparency by organisations, to regain public trust.

Original language	English
Pages (from-to)	539-549
Number of pages	11
Journal	European Data Protection Law Review
Volume	7
Issue number	4
DOIs	https://doi.org/10.21552/edpl/2021/4/9
Publication status	Published - 1 Jan 2021

Keywords

accountability
data protection
international transfers
transfer risk assessment

Access to Document

10.21552/edpl/2021/4/9Licence: CC BY

Cite this

@article{36888eea25e141969b3cc1ddee6342eb,

title = "A Risk-Based Approach to International Data Transfers",

abstract = "Since the Schrems-II judgment, a discussion is taking place on solving the challenges organ-isations face when transferring personal data out of the European Economic Area: can they rely upon data transfer risk assessments, and may they also consider the likelihood of the risks actually occurring? If not, it seems unavoidable that many international data flows will either need to stop or continue illegally, since the threshold to transfer personal data would become too high to work with on a daily basis. This paper discusses why a risk-based approach to international transfers is both needed and legal, why the guidelines of the Eu-ropean Data Protection Board may be expecting too much from organisations and what a risk-based data transfer should mean in practice. Apart from legislative change, a solution can be found in increased accountability and transparency by organisations, to regain public trust.",

keywords = "accountability, data protection, international transfers, transfer risk assessment",

author = "Paul Breitbarth",

year = "2021",

month = jan,

day = "1",

doi = "10.21552/edpl/2021/4/9",

language = "English",

volume = "7",

pages = "539--549",

journal = "European Data Protection Law Review",

issn = "2364-2831",

publisher = "Lexxion",

number = "4",

}

TY - JOUR

T1 - A Risk-Based Approach to International Data Transfers

AU - Breitbarth, Paul

PY - 2021/1/1

Y1 - 2021/1/1

N2 - Since the Schrems-II judgment, a discussion is taking place on solving the challenges organ-isations face when transferring personal data out of the European Economic Area: can they rely upon data transfer risk assessments, and may they also consider the likelihood of the risks actually occurring? If not, it seems unavoidable that many international data flows will either need to stop or continue illegally, since the threshold to transfer personal data would become too high to work with on a daily basis. This paper discusses why a risk-based approach to international transfers is both needed and legal, why the guidelines of the Eu-ropean Data Protection Board may be expecting too much from organisations and what a risk-based data transfer should mean in practice. Apart from legislative change, a solution can be found in increased accountability and transparency by organisations, to regain public trust.

AB - Since the Schrems-II judgment, a discussion is taking place on solving the challenges organ-isations face when transferring personal data out of the European Economic Area: can they rely upon data transfer risk assessments, and may they also consider the likelihood of the risks actually occurring? If not, it seems unavoidable that many international data flows will either need to stop or continue illegally, since the threshold to transfer personal data would become too high to work with on a daily basis. This paper discusses why a risk-based approach to international transfers is both needed and legal, why the guidelines of the Eu-ropean Data Protection Board may be expecting too much from organisations and what a risk-based data transfer should mean in practice. Apart from legislative change, a solution can be found in increased accountability and transparency by organisations, to regain public trust.

KW - accountability

KW - data protection

KW - international transfers

KW - transfer risk assessment

U2 - 10.21552/edpl/2021/4/9

DO - 10.21552/edpl/2021/4/9

M3 - Article

SN - 2364-2831

VL - 7

SP - 539

EP - 549

JO - European Data Protection Law Review

JF - European Data Protection Law Review

IS - 4

ER -