The Splintering of Global Data Flows: Is the ‘Risk-Based Approach’ Dead?

Among the GDPR’s toughest problems is the “international data transfer”. 

Under the GDPR, personal data is protected to a world-leading standard. But when data leaves the control of companies that are subject to EU data protection law, it can fall into the hands of foreign governments with intrusive surveillance laws.

If you live in a country where the GDPR applies, you have a fundamental right to privacy and data protection—and these rights should persist even when your data is transferred to a country where these rights do not apply.

At least, that’s the theory.

Given the business models of data-hungry tech companies and the extent of state surveillance powers, most notably in the US, the reality can be quite different.

Most of the world’s most popular tech products are provided by US-based companies. To serve customers in the EU, the UK, or the European Economic Area (EEA), these businesses must comply with the GDPR in much the same way as domestic organisations. 

But US companies are bound by US law, too. So if you use virtually any of these products—or even if you use an EU-based product that shares data with one of these companies—information about you could still end up in the hands of the US National Security Agency (NSA).

People in the EU are subject to snooping from their own governments, of course. But—again, in theory—these state authorities are constrained in ways that do not universally apply abroad.

As it stands, millions of companies are potentially supplying governments with information about millions of people under laws that do not meet EU standards.

There’s no easy solution, and the situation recently got a lot more complicated.

The Risk-Based Approach

The data transfer puzzle means that EU companies face increasingly taxing GDPR compliance demands if they want to continue working with businesses based in the US and other problematic jurisdictions.

The “risk-based approach” emerged as a potential solution that would permit certain types of data transfer to proceed—even if foreign governments can access some personal data about people protected by the GDPR. 

Proponents of this approach argue that some personal data is unlikely to be of interest to national intelligence agencies—and that, even if it could theoretically be subject to surveillance, preventing transfers of these data types is disproportionate.

The debate around the risk-based approach has created something of a split in the data protection community.

In favour of the approach, one side argues against “privacy absolutism” that they claim could break up the internet across national borders. Others maintain that the fundamental right to data protection is not up for debate.

But the matter may have just been settled by the Austrian data protection regulator, known as the “DSB”.

A decision against Google, released in late April, makes the regulator’s position clear: The GDPR “does not recognise a risk-based approach”.

The case may not provide total legal certainty. But for some, it brings the debate to a close.

However, if the risk-based approach is truly dead, there are significant implications. 

“I think the Austrian DSB’s absolutist position… turns a blind eye to the realities on the ground,” said Carey Lening, a data protection consultant with Irish consultancy Castlebridge.

Online communications are largely facilitated by multinational tech firms. This means legally-compliant transatlantic trade has become increasingly difficult over recent years.

Some of these companies may be willing to spend enough on data protection compliance to meet the EU’s high standards. But if the risk-based approach is off the table, this might not even be technically feasible.

“I understand the result is not great for everyone,” said Romain Robert, a data protection lawyer with NOYB, the campaign group which initiated the Austrian DSB’s decision against Google. 

“But you cannot bend the law and make it say something it did not say.” 

Schrems II and the End of the ‘Privacy Shield’

The risk-based approach emerged in response to a landmark July 2020 judgment by the Court of Justice of the European Union (CJEU). The case is known as Schrems II, after the lead litigant, NOYB Honorary Chairman Max Schrems.

In Schrems II, the CJEU shot down a scheme known as “Privacy Shield”—a framework that made it easier for US companies to receive personal data from organisations based in the EU (and the wider EEA).

US-based companies that signed up to Privacy Shield were ostensibly guaranteeing that they would protect EU-originating personal data to the bloc’s high standard.

But there was a major problem with the scheme: it still left US companies largely powerless to protect personal data from the authorities.

In some cases, US surveillance laws do not allow people to challenge the authorities before a court. This “right to redress” is a fundamental part of data protection in the EU, and business activity that risks violating the right to redress is considered unacceptable.

But however flawed, Privacy Shield legitimised data transfers for thousands of businesses. After Schrems II, these companies had to find a new way to comply with the GDPR’s requirements.

Standard Contractual Clauses

Beyond “adequacy decisions” such as Privacy Shield, the GDPR provides several options for safeguarding personal data when making an international transfer. With Privacy Shield dead, many US companies switched to a different sort of mechanism known as “Standard Contractual Clauses” (SCCs).

SCCs can be inserted into an agreement between a data exporter that is covered by the GDPR and a data importer that is not. The clauses hold the importing party to a high standard of data protection. 

But SCCs are just a contract. As with Privacy Shield, the CJEU found that SCCs alone might not be able to stop the US authorities from accessing personal data and compromising people’s data protection rights.

In some cases, though, SCCs can be accompanied by “supplementary measures”—technical and organisational methods to protect personal data from access.

In November 2020, the European Data Protection Board (EDPB) provided recommendations on the sorts of supplementary measures that EU organisations could employ to protect transferred personal data when using SCCs.

There are circumstances in which the data importer can implement supplementary measures that will effectively prevent US authorities from getting their hands on imported data. For example, if the data is encrypted, and neither the importer nor the legal authorities can obtain the key, the data is considered safe.

But the EDPB found that, in other cases, there was simply no way to keep US authorities from snooping.

Google, Facebook, Zoom—and many of the other US-based tech companies that qualify as Electronic Communications Services Providers (ESCPs) under US law—provide some services that require them to have access to unencrypted data.

The US government can force these companies to hand over that personal data. And if it’s not encrypted, or because they can also force the companies to hand over the decryption keys, the government can read it.

The GDPR’s data transfer rules apply equally to everyone from micro-businesses selling knitted baby clothes on eBay to retail giants using US-based customer management platforms.  

With no Privacy Shield and with SCCs unsuitable in many cases, millions of companies have been making unlawful data transfers every single day.

At least, according to those who deny the existence of a risk-based approach.

The Great Data Transfers Debate

Here’s the question at the heart of the “risk-based approach” debate: Given that some data transfers will inevitably lead to a risk of access by US intelligence services, should all these types of transfers be prohibited?

Bear in mind that, if enforced, this could prevent the use of tools and platforms employed by the majority of European businesses with any online presence.

Here’s where data protection experts disagree.

In interpreting the GDPR, the Schrems II ruling, the EDPB recommendations and the SCCs themselves, two opposing schools of thought have emerged.

One side, which supports the existence of a risk-based approach, claims that data exporters can proceed with a transfer if they believe the risk is sufficiently low.

The other side argues that when conducting an international data transfer under the GDPR, the risk of access by the importer’s government has to be effectively zero. 

“The idea of a risk-based analysis for cross-border transfers misframes the GDPR requirement,” said Daniel Sereduick, a counsel and data protection officer with French insurtech firm Shift Technology.

“The issue to be solved under GDPR is whether the level of protection in the importing country is, or can be made through supplementary measures, equivalent to the requirements of EU law and GDPR with respect to the rights of data subjects.”

“This is not about guessing whether an authority in the destination country would use (or historically has used) legal mechanisms to access EU personal data in violation of data subject rights, but whether those mechanisms can be made ineffective through supplementary measures,” Sereduick said.

The First Google Analytics Decision

There was little enforcement activity on international transfers for some months after Schrems II torpedoed Privacy Shield and badly damaged SCCs. But then, throughout mid-2021, EU regulators tentatively began getting busier.

Authorities across Europe determined that using services such as Mailchimp, Cloudflare and Zoom was unlawful in certain contexts. But these decisions did not get much attention outside of the community of data protection professionals and academics.

Then in January 2022, the Austrian DSB decided that a retail website was violating the GDPR’s data transfer rules through its use of Google Analytics—a widely-used tool that delivers insights about how people use websites and apps.

This decision, triggered by a case brought by NOYB in the wake of Schrems II, was a precursor to April’s decision, which addressed the risk-based approach directly.

The DSB heard that websites using Google Analytics transfer certain personal data to Google, including unique user IDs, browser parameters and IP addresses.

This isn’t exactly exposing the full contents of your email inbox to the NSA. But it might help US intelligence services understand whether you’ve visited a given website at a given time.

However, is it likely that the US government would require Google to hand over Analytics data? Google says “no”.

Responding to the decision in a blog post on 19 January, Kent Walker, Google’s President of Global Affairs, said the company “has never once received the type of demand the DSB speculated about” in over 15 years of offering its Analytics product.

If we take Google at its word (there’s a chance the company has received requests it cannot legally disclose), it would appear that the US government is not interested in Google Analytics data at all. 

Yet the January decision did not address this question—it only concluded that the government could access such data and, therefore, that transfers to Google were unlawful.

This suggested the risk-based approach might be wrong: the risk of government access had to be eliminated, rather than merely “low”.

But some advocates of the risk-based approach maintained that EU-based website operators should be allowed to continue using Google Analytics.

They point to a section of the EDPB’s recommendations that states that a transfer may proceed if there is “no reason to believe that relevant and problematic legislation will be applied, in practice, to your transferred data and/or importer.”

If the US authorities have truly never required Google to hand over Analytics data in the past, do data exporters using the service have “reason to believe” that they will, “in practice”, do so in future?

Or is that the wrong question?

The Second Google Analytics Decision

The Austrian DSB’s second Google Analytics decision, published in April, addressed the issue directly, stating clearly that the GDPR “does not recognise a risk-based approach”.

The regulator said that the legality of a data transfer “does not depend on whether a certain ‘minimum risk’ is present or whether US intelligence services have actually accessed data”.

Instead, according to the DSB’s interpretation of the GDPR itself, no data transfer can proceed unless the personal data is protected to an equivalent level as in the EU.

If the authorities can access the personal data—regardless of whether they likely would—the transfer is not allowed to take place.

The Aftermath

The DSB’s April decision was directed at Google and one website operator using Google Analytics, and it is not directly applicable to other companies. Regulators like the DSB are not courts, and the respondents have the right to appeal.

But the implications are vast, with implications for millions of businesses using services based in the US and other countries with similarly problematic surveillance laws.

“The reality is, pretending that risks aren’t different (or don’t matter) neither solves the problem or addresses real privacy concerns,” said Castlebridge’s Carey Lening.

“Instead, it leaves all organisations operating online in an unenviable position: either stop operating globally and stop using any service or product located outside of the EEA, implement costly, and in some cases, wholly unworkable technical controls that are hard even for the biggest firms to get right, or hope and pray that regulators don’t target them directly”.

The Austrian DSB did address the potential economic impact of the decision, saying that neither the GDPR’s rules on international transfers nor the CJEU’s Schrems II decision allow for a “business-friendly interpretation” of the rules.

But the economic impact could be significant nonetheless. Otto Lindholm, a tech and data lawyer based in Finland, argues that the regulator’s decision could make GDPR compliance practically impossible in certain contexts.

“In saying that even the mundane identifiers can bring a dataset into being personal data, and in saying that even the theoretically potential unfounded access by the third country entities should be brought down to zero, the Austrian DSB is effectively saying that that controllers will not de facto be able to comply with the GDPR as long as they operate in the context of the global internet”, Lindholm said.

Lindholm also argues that the decision could present a legal problem, “because it ultimately limits other fundamental rights”, such as the freedom to conduct business..

“An interplay between different fundamental rights should really be taken seriously”, he said.

What Happens Next?

So is the risk-based approach dead? Some argue that it never existed in the first place.

“Arguing that there is no risk-based approach is like asking to prove there is no god”, said NOYB’s Romain Robert. 

“First, people come to you with a weird idea, and then they ask you to demonstrate that this idea is false and take you accountable for the results”.

Others say that the Austrian DSB’s case is not conclusive. In a blog for the Information Accountability Foundation (IAF), Lynn Goldstein argues that the decision was “poorly reasoned” and based on “outdated ‘facts’”.

But the decision is the clearest interpretation of the issue that has been provided by any regulator, and those who argue against the risk-based approach could reasonably accept it as vindication of their view.

Yet Google, like many other US companies, has a European arm based in Ireland. Can’t these companies simply confine their European users’ data to data centres in Europe?

Some tech firms do indeed see this as part of the solution. But the long arm of US surveillance law means it might not work.

“In terms of supplementary controls, the issue is that Google itself could potentially be compelled to disclose the information, even if stored on servers in the EU, where they are subject to US laws that might compel them to disclose the data,” said Shift Technology’s Daniel Sereduick.

“On a technical level, it also likely wouldn’t be feasible for Google to use EU servers to process EU users’ data because Google’s services are necessarily global,” he continued. 

“Users travel and may be affiliated with global organizations, so segmentation of users by geography could break other key aspects of how they manage accounts and accesses.”

A new data transfer framework to replace Privacy Shield has been agreed upon “in principle” between the EU and the US. This could solve the issue of widespread unlawful data transfers—unless it is also successfully challenged at the CJEU.

But until this new framework provides some relief, however temporary, the Austrian DSB’s decision has made life more complicated for the data protection professionals charged with ensuring their companies’ operations are GDPR compliant.

“Even if the decision would be technically—legally—correct, it ignores the repercussions”, said privacy lawyer Otto Lindholm. “Which make operations practically impossible for so many entities”.