Lokke Moerel has published a contribution on the Future of Privacy Forum (FPF) blog on the risk-based approach to transfers abroad. It follows on from an earlier contribution by Moerel, The Ebb and Flow of Trans-atlantic Data Transfers: It’s the Geopolitics, Stupid!.
In essence, the analysis revolves around whether the requirements for transferring personal data abroad should be located in Art. 5 GDPR (processing principles) or in Art. 24 GDPR (obligations of the controller), the reason being that Art. 24 GDPR explicitly adopts a risk-based approach.
Moerel comes to the following conclusions in her historical and grammatical analysis:
- Art. 24 GDPR, and thus the risk-based approach, not only determines the question of accountability and hence the burden of proof, but is also the benchmark for the controller's obligations themselves.
- This also applies to transfers abroad, among other things because Art. 46 GDPR imposes an obligation on the controller (“provided that the controller or processor has provided appropriate safeguards”), which is therefore subject to Art. 24 GDPR.
- The ECJ did not refute this in Schrems II, nor did the Recommendations of the EDSA (EDPB) on Supplementary Measures.
- In contrast, Art. 5(2) GDPR does not provide for a risk-based approach. However, that provision applies only to the processing principles of Art. 5(1) GDPR.