Reference: Moerel, What Happened to the Risk-Based Approach to Data Transfers?

Lokke Moerel has published a contribution on the risk-based approach to transfers abroad on the Future of Privacy Forum (FPF) blog. It follows on from an earlier contribution by Moerel, The Ebb and Flow of Trans-Atlantic Data Transfers: It’s the Geopolitics, Stupid!.

In essence, the analysis revolves around the question of whether the requirements for the transfer of personal data abroad should be located in Art. 5 (processing principles) or in Art. 24 GDPR (obligations of the controller). The distinction matters because Art. 24 GDPR explicitly takes a risk-based approach.

Moerel comes to the following conclusions in her historical and grammatical analysis:

  • Art. 24 GDPR, and thus the risk-based approach, not only determines the question of accountability and thus the burden of proof, but is also the benchmark for the obligations of the controller itself.
  • This also applies to disclosure abroad, among other things because Art. 46 GDPR provides for an obligation of the controller (“provided that the controller or processor has provided appropriate safeguards”), which is thus subject to Art. 24 GDPR.
  • The ECJ did not refute this in Schrems II, and neither do the Recommendations of the EDSA on Supplementary Measures.
  • In contrast, Article 5 (2) GDPR does not recognize a risk-based approach. However, this provision only applies to the processing principles of Art. 5 (1) GDPR.