The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach

The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach

Théodore Christakis

 

Introductory note by Peter Swire, Research Director of the Cross-Border Data Forum:

CBDF is proud to present, together with the Center for Information Policy Leadership, a major new study by Professor Théodore Christakis of Université Grenoble-Alpes, and European Research Director of the CBDF.

The study, with full text here, is entitled “The ‘Zero Risk’ Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach.” Professor Christakis provides the first detailed, scholarly treatment of the debate under European Union law of whether “zero risk” is possible with regards to transfers of personal data out of the EU under Chapter V of the General Data Protection Regulation. This “zero risk” approach has been reflected in actions by multiple EU data protection authorities and in ongoing discussions about the proposed EU Cybersecurity Certification Regime for Cloud Services (EUCS).

Professor Christakis, based on careful discussion of legal texts and policy considerations, concludes that there is a “zero risk fallacy” – the zero risk approach “is overly restrictive, not mandated by the GDPR, and could have a number of adverse effects.”

Rather than adopt the zero-risk fallacy, the study concludes that “democratic governments must intensify recent efforts at promoting “data free flow with trust” and advancing the concept of “trusted government access”. International negotiations are emerging as the most viable, if not the sole avenue for forging consensus on the protocols governing access to personal data that impacts the rights and interests of individuals in other countries.”

==

Summary of the report:

Since the CJEU Schrems II Judgment in July 2020, European data protection authorities (DPAs) in the EU have developed a “zero risk” theory in relation to Chapter V of the General Data Protection Regulation (GDPR). They have been asking data controllers and processors that transfer personal data outside the EU to “eliminate” all risks of access to European personal data by the intelligence and law enforcement agencies of foreign countries whose legal systems do not include data protection safeguards that are essentially equivalent to those mandated by EU law. This “zero risk” approach at first concerned transfers of European personal data to such countries. As a result, there has been growing legal and commercial pressure for many non-EU companies to localise data in Europe and propose so-called “sovereign” solutions. However, this has often been deemed insufficient by DPAs and other authorities who have highlighted the risk of extra-territorial access to data stored in Europe and have asked that any risk of such access by foreign authorities be “eliminated” as well.

The legal actions by data protection authorities have been combined with political action by European governments. Several initiatives have been undertaken in this respect, including the ongoing discussions at the European Union Agency for Cybersecurity (ENISA) about the introduction of “sovereignty requirements” into the EU Cybersecurity Certification Regime for Cloud Services (EUCS).

This paper will show that the DPAs’ “zero risk” theory, which is very similar to the “immunity from foreign laws” political proposal, is overly restrictive, not mandated by the GDPR, and could have a number of adverse effects.

To be sure, the DPAs’ stance on these issues is understandable. Firstly, DPAs are obliged to enforce compliance with Schrems II. Secondly, DPAs seek to fulfill their role as the ultimate guardians of European personal data in an age where government surveillance has attained a high level of sophistication. Thirdly, DPAs provide oversight in an exceedingly complex area and, thus, are drawn to solutions that are as straightforward and easy to comprehend as possible. Unfortunately, however, attaining simplicity as regards government access to data creates insurmountable challenges and unintended adverse effects in practice.

The notion that data controllers can take measures to entirely “eliminate” any risk of unauthorised access to European personal data by foreign governments is grounded on questionable assumptions, including the belief that EEA-headquartered companies are shielded from direct or compelled access. It is also marked by a lack of clarity surrounding terms like “sovereign solutions”; unverified claims suggesting that ownership or staff requirements can confer “immunity” from foreign laws; questionable interpretations of the GDPR (such as automatically categorising requests from foreign countries as “disclosures” not authorised by Article 48 of the GDPR); and unrealistic expectations—such as the idea that a social media company could provide its global services in the EU without transferring user posts and interactions to countries outside the EU. This line of thinking leads to impractical solutions that have significant costs.

The GDPR, the Charter of Fundamental Rights, and EU Law as a whole do not mandate such absolutist approach to data transfer risks at the expense of innovation, economic growth and other rights guaranteed by the Charter. On the contrary, they allow a more nuanced and risk-based approach to data transfers that envisions data protection measures that are proportionate to the risks at hand. This approach takes into account the nature of the data, the likelihood of access by foreign governments, and the severity of the potential harm.

To that end, it is incumbent upon the European Data Protection Board (EDPB), DPAs, and ultimately the European Commission and other relevant European institutions to revisit, clarify and coordinate their views and the interpretation of rules on international data transfers in the context of our digital reality. Specifically this study suggests that they could consider solutions in order to:

 

1. Enable Consideration of Past Practice and Empirical Context in Assessing Risk. DPAs should acknowledge the significance of the “practice related to the transferred data”, as highlighted in the final version of the EDPB Recommendations on “Supplementary Measures”.

 

2. Explore Scalable Transfer Solutions for Start-ups and SMEs. European authorities should explore, develop and promote transfer solutions tailored for start-ups and small to medium-sized enterprises (SMEs) that may lack the financial resources needed for extensive legal expertise and detailed transfer impact assessments.

 

3. Recognize that Chapter V of the GDPR does not Mandate the Degradation of Services that Inherently Rely on Global Data Flows. DPAs should acknowledge that a proportionate approach to Chapter V does not preclude data transfers initiated and sought by individuals themselves, and which are indispensable to enable exercise of other rights in the EU Charter of Fundamental Rights, such as freedom of expression and information. Specifically, when users seek to share posts on social networks and interact with a global audience, how can this be achieved without transferring data beyond EU borders?

 

Should we contemplate geo-blocking not only on social networks but also on communication platforms, video-sharing sites, online collaboration tools, forums, messaging services, and even any EU website that contains personal data? Does Chapter V of the GDPR really require that the EU be disconnected from the global internet?

 

4. Provide Workable Solutions for EU Businesses that Rely on Cross-Border Data Flows. Similar considerations arise for numerous EU businesses that depend on cross-border data transfers for their operations, such as to provide requested services (for instance online booking and travel agencies), detect and prevent fraud, defend against cyber-attacks. Crafting viable solutions necessitates a nuanced approach based on risk assessments and proportionate safeguards, rather than stopping cross-border data flows that are essential to the functioning of the service.

 

5. Re-assess the EDPB’s Supplementary Measures and the Practices of European DPAs Under the Prism of a Risk-Based Approach. The EDPB should revisit its Recommendations on supplementary measures and its practices and interpretation of the GDPR, to clarify that they enable a risk-based approach to data transfers that ensures that measures designed to protect the data are proportionate to the transfer risks at hand. Moreover, the EDPB should establish an expert group tasked with identifying and describing use cases necessitating cross border data flows most commonly faced by organisations and the available and appropriate measures that might be applied to them.

 

6. Enable a more flexible interpretation of Article 49 derogations. DPAs have precluded in theory the use of derogations, further compounding the complexities of data transfers. In practise, though, DPAs have accepted in some cases the use of derogations in order to permit some EU Institutions to continue to use tools that have “become indispensable to the daily functioning” of such Institutions, as shown by the EDPS decision on the video-conferencing tool used by the CJEU. It could be useful, then, to adopt a more flexible approach on derogations for all organisations wishing to use similar essential tools and services.

 

Concerning the use of Cloud Service Providers (CSPs) subject to foreign laws, it may be useful for DPAs and other authorities in the EU to reflect, among other things, on the following issues:

 

7. Determine the Relevance of the Proposed Criteria for “Immunity from Foreign Laws”. The present study found that data localisation, headquarter, ownership, and local staff requirements do not truly ensure “immunity from foreign laws”. The primary criterion is in reality the personal jurisdiction of the foreign country as understood by that country, as well as its ability to “compel” the production of data by imposing sanctions. European Institutions, such as the European Commission or DPAs, should study more thoroughly these questions before supporting the introduction of such strict requirements in the context of the EUCS or the GDPR.

 

8. Clarify the meaning of “Compliant EEA-Sovereign Cloud Solutions”. The EDPB should explain the meaning of the term “compliant EEA-sovereign cloud solutions”, or abandon ambiguous references to the politically connotated term “digital sovereignty”.

 

9. Assess the Impact of “Immunity from Foreign Laws” Requirements. The European Commission, in the context of the EUCS negotiations, should assess the impact that “immunity from foreign laws” requirements could have on a series of issues such as innovation in Europe and ensuring high levels of cybersecurity which is required by the GDPR.

 

10. Explore the Relevance of Adequacy Decisions in Addressing Extraterritorial Data Access Requests. The European Commission and the EDPB should explain clearly what is the significance of obtaining an adequacy decision when grappling with the issue of extraterritorial requests to access data that are situated within the EU. CSPs and other companies spend billions to localise data in Europe in order to offer better protections. Strikingly, these efforts seem to place companies in a more precarious situation, compared to when they transfer the same data to the US or other countries that benefit from an adequacy decision.

 

11. Consider Trade-offs between Encryption and Functionality. What trade-offs should be considered when employing encryption as a safeguard for data at rest against unauthorised access, especially when weighed against the challenge of functionality loss that encryption may cause, significantly constraining the utilisation of AI and cloud computing technologies?

 

12. Reflect on Satisfactory Solutions for the EU-US E-Evidence Agreement Challenges. The privacy community in the EU could play a useful role in assisting the European Commission with constructive ideas on how the ongoing negotiations of the EU-US e-evidence agreement could effectively address and satisfactorily resolve the conflicts of laws related to Article 48.

 

Moving away from a zero-risk approach in favor of a more flexible and risk-based interpretation of Chapter V of the GDPR appears legally justified. Such flexibility could offer pragmatic and feasible solutions to the day-to-day challenges faced by organisations and would provide relief to data controllers and processors throughout Europe. The EDPB and DPAs however lack the capacity to provide definitive solutions in relation to these issues; only governments can do so. As this paper concludes, democratic governments must intensify recent efforts at promoting “data free flow with trust” and advancing the concept of “trusted government access”. International negotiations are emerging as the most viable, if not the sole avenue for forging consensus on the protocols governing access to personal data that impacts the rights and interests of individuals in other countries.

 

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.