Key Points

  • In this article, the risk-based approach (RBA) in personal data transfers is assessed through the lens of Article 44 of the General Data Protection Regulation (GDPR or Regulation).

  • Leading scholarship underlines its requirement for data controllers to adhere to specific provisions of Chapter V (data transfers regime), alongside ‘other provisions’ of the Regulation, including Article 24.

  • This article aims to expand this argument through the lens of the ‘two-step test’ embedded in Article 44 GDPR to find other implications of applying this test; in particular, the necessity of integrating a Data Protection Impact Assessment (Article 35 GDPR) in the context of data transfers.

Introduction

The integration of the risk-based approach (RBA) in the General Data Protection Regulation (GDPR or Regulation)1 has been a focal point in scholarly articles2 and books.3 Gellert describes the RBA as a trend emerging in the late 2000s or early 2010s, characterized by the integration of risk management tools into data protection legal frameworks.4 Similarly, important scholars view data protection law as a form of ‘risk regulation’.5 However, the GDPR adopted this approach only partially. It emphasizes risk-based measures that data controllers must implement to safeguard fundamental rights and freedoms, while at the same time maintaining a commitment to a more traditional legal approach described as ‘rights-based’.6

Following the landmark Schrems II decision7 and subsequent decisions by Data Protection Authorities (DPAs),8 the RBA has garnered renewed attention, particularly in the context of personal data transfers.9 Nevertheless, the topic of risk in personal data transfers rules is not a novel one.10 The concept was briefly alluded to by the Article 29 Working Party (WP)11 in the late 1990s12 and prior to Schrems II, prominent scholars had already been advocating for data controllers to consider the risks associated with data transfers and to implement corresponding mitigating measures.13

More recently, some scholars14 argue in favour of an RBA based on the Standard Contractual Clauses released by the European Commission in June 2021.15 By contrast, Moerel16 relies on the horizontal application of the accountability requirement in Article 24 (1) GDPR.17 The author identifies Article 44 GDPR (General principle for transfers) as a pivotal source for this argument, noting its requirement for controllers to adhere to specific provisions of Chapter V, alongside ‘other provisions’ of the Regulation, including Article 24. This double requirement for data transfers is the essence of the ‘two-step test’ central to this article’s discussion.

Building on Moerel’s insights, this article seeks to further the understanding of the GDPR’s RBA by highlighting the critical role of Data Protection Impact Assessment (DPIA) within the ‘two-step test’ in Article 44 GDPR. To directly address this goal, the article posits that the DPIA, as necessitated by Article 35 in cases of ‘high risk’, is a fundamental component in operationalizing the RBA for data transfers. This exploration addresses a gap in existing scholarship, aiming to elucidate the conditions under which DPIAs become integral to ensuring compliance with the GDPR’s requirements for data transfers.

Initially, the article outlines the ‘two-step test’ as articulated in Article 44 of the GDPR, tracing its evolution from the precedent set by the Lindqvist case to its current status as a principle governing data transfers within the GDPR framework.

Subsequently, the discussion shifts towards an in-depth examination of the test’s first step, emphasizing the DPIA requirements for data transfers. Recognizing that the GDPR mandates a DPIA for processes deemed ‘high risk’, this analysis endeavours to identify the conditions under which data transfers might fall into this category. In doing so, the article not only contributes to the broader discourse on the RBA’s role in ensuring compliance of data transfers, but it also seeks to elucidate the critical function and implications of DPIAs for data controllers navigating the post-Schrems II landscape. This ruling18 has tightened the requirements of the test’s second phase, introducing a pre-transfer assessment that demands meticulous attention from controllers.

Through this inquiry, the article aspires to clarify the operationalization of DPIAs within the framework of data transfer compliance, addressing a crucial need for guidance in the wake of the Schrems II judgment.

The ‘Two-Step Test’ in Article 44 GDPR

Chapter V GDPR outlines the framework for personal data transfers to third countries or international organizations. Central to this framework, Article 44 establishes the ‘two-step test’ as a general principle, requiring that data transfers comply not only with the general provisions of the GDPR but also with the specific requirements detailed in Chapter V.

This section traces the evolution of the ‘two-step test’ from its conceptual foundations to its current definition in Article 44 GDPR. In tracing this evolution, the article underlines the test’s pivotal role in integrating DPIAs into the GDPR’s regulatory framework for data transfers, thereby providing a foundational context for this article’s proposals.

The evolution of the ‘two-step test’: from the Lindqvist case to a general principle for data transfers in Article 44

In the seminal Lindqvist case,19 the Court of Justice of the European Union (CJEU) characterized the data transfers regime in Chapter IV of the Directive as ‘a special regime, with specific rules’. This set of rules was further defined as ‘a complementary regime to the general regime set up by Chapter II of that directive concerning the lawfulness of processing of personal data’.20 This interpretation suggests that data transfer rules add an extra layer of lawfulness to the standard data protection requirements. Leading scholars have consequently viewed transfer mechanisms as ‘special legal grounds’ for data transfers, with Kuner noting that ‘the rules requiring a legal basis for international data transfers apply in addition to those requiring a legal basis for data processing’.21

Article 44 GDPR appears to reflect and expand upon the standard established in Lindqvist. It states that ‘Any transfer of personal data (…) shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor (…)’. This indicates an expansion of the extra lawfulness requirement in Lindqvist to ‘other provisions’, thereby adding another layer of protection to data transfers that extends beyond mere lawfulness.

Consequently, Article 44 effects an expansion of the ‘two-step test’.22 This test involves subjecting the data transfer to the general provisions of the GDPR (step one) and to the ‘complementary regime’ in Chapter V (step two). Hence, this Chapter is not an exception to other duties in the GDPR.23

The rationale for this dual layer of protection in data transfers is articulated in Recital 116, which notes that ‘when personal data moves across borders outside the Union’, it may be subject to foreign laws that do not ensure the ‘ability of natural persons to exercise data protection rights’. In the words of Advocate General Saugmandsgaard Øe, ‘in the absence of common personal data protection safeguards at global level, cross-border flows of such data entail a risk of a breach in the continuity of the level of protection guaranteed in the European Union’.24 Scholars also mention the ‘prevention of circumvention of the law’ as the main policy goal of data transfers rules.25

Article 44 GDPR further reinforces this approach, stipulating that ‘All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.’ Recital 101 emphasizes the tension inherent in Chapter V, acknowledging the significance of the free flow of data while underscoring the necessity to maintain GDPR standards.

Applying the ‘two-step test’ for data transfers

In applying the ‘two-step test’, the GDPR mandates initial compliance with its general provisions (Articles 5, 24, 25, and 32), setting the stage for this article’s examination of how these provisions underpin the necessity for DPIAs in the first step of data transfer compliance. This alignment is pivotal in this article’s exploration of DPIAs’ role within the RBA framework and data transfer compliance.

The second step demands alignment with Chapter V’s detailed conditions for international data transfers. This section aims to methodically dissect these steps, clarifying the distinct requirements each entails.

Step one: compliance with general provisions of the GDPR

Kuner points to an agreement between the European Data Protection Board (EDPB) and the European Commission on the necessity for both a legal basis for data transfers under Article 6 GDPR, alongside a specific data transfer mechanism outlined in Chapter V.26 However, Article 44 GDPR extends beyond Article 6, referencing ‘other provisions’ of the Regulation.

Thus, controllers must meet ‘general obligations’, beginning with Article 24 (1), which mandates the identification and evaluation of risks in processing personal data.27 Following this initial assessment, controllers are to implement effective and appropriate measures as specified in Article 24.28

Echoing Moerel, this duty extends to data transfers,29 requiring controllers to objectively assess the risk of the data transfer and to quantify it in terms of its likelihood and severity. Should a transfer be deemed ‘likely to result in a high risk to the rights and freedoms of natural persons’,30 it triggers an additional requirement: conducting a DPIA. This point is further elaborated in ‘The DPIA in the realm of data transfers’ section.

Step two: compliance with Chapter V GDPR

In this step, controllers must adhere to the regime for personal data transfers outlined in Chapter V GDPR. This includes adhering to the overarching principle articulated in Article 44, which necessitates the selection and use of a transfer mechanism. Such mechanisms include adequacy decisions (Article 45), appropriate safeguards (Articles 46 and 47), and derogations for specific situations (Article 49). This exhaustive list31 does not enumerate any unilateral risk assessment of the data transfer among the transfer mechanisms listed.32

The prerogative to determine if a third country or an international organization ensures an ‘adequate level of protection’ rests solely with the European Commission.33 In conducting this assessment, the Commission is guided by criteria outlined in Article 45 (2) GDPR, which generally encompass elements of the legal framework, such as the rule of law, relevant legislation, data protection rules, the existence and functioning of supervisory authorities, and the international commitments of the third country or international organization concerned. The primary legal effect of such a decision is that transferring personal data ‘shall not require any specific authorization’.34

Furthermore, in the absence of an adequacy decision, the selection35 and use of another transfer mechanism must not undermine the ‘level of protection’ contained in the GDPR. This principle was emphasized by the CJEU in the Schrems II decision,36 where the court explored the possibilities provided in the GDPR for data transfers under the umbrella of safeguarding EU fundamental rights as protected in the Charter of Fundamental Rights of the EU. It invalidated the adequacy decision for transfers to the USA—the Privacy Shield—and placed fundamental rights at the core of transfer mechanisms.

Indeed, the CJEU further expanded a concept previously developed in Schrems I37 and Opinion 1/1538 in relation to EU fundamental rights—essential equivalence—and extended it towards a guiding benchmark for the whole approach for data transfers in the GDPR.39

Following Schrems II, when using Article 46’s appropriate safeguards, controllers must assess the effectiveness of the transfer mechanism and, if necessary, implement ‘additional safeguards’ provided by ‘supplementary measures’ that bring the protection to the level required by EU law.40 Drechsler and Kamara emphasize that ‘the standard of essential equivalence as developed by the CJEU is the level to maintain when personal data are being transferred’.41 More practically, the CJEU requires controllers to evaluate the effectiveness of the transfer mechanism and the legislation and practices in place in the country of destination.42

Lastly, Article 49 GDPR introduces ‘Derogations for specific situations’ detailing conditions under which data transfers can occur in the absence of an adequacy decision under Article 45 GDPR or appropriate safeguards under Article 46 GDPR. The EDPB has interpreted this provision very restrictively, emphasizing its ‘exceptional nature’ and stating that the derogations ‘must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive’.43

The DPIA in the realm of data transfers

The preceding analysis demonstrates that Article 44’s first step requires controllers to conduct a risk assessment (Article 24) and, where applicable, a DPIA (Article 35), emphasizing the critical role of risk assessment in this phase.

Moerel relies on this argument to underscore that the obligation in Article 24 GDPR (Responsibility of the controller) applies to data transfers.44 This section delves into the interplay between the GDPR’s general risk management obligation (Article 24) and the specific requirements for conducting DPIAs (Article 35 GDPR). In particular, it will examine whether a data transfer qualifies as ‘high risk’ processing, necessitating a DPIA, and how this aligns with the CJEU’s assessment in the Schrems II decision. This discussion will provide a concrete foundation for understanding when data transfers trigger the need for a DPIA.

The general obligation to manage risks in Article 24 (1) GDPR

Article 24 (1) GDPR imposes a proactive obligation on controllers to implement ‘appropriate technical and organizational measures’. However, it neither prescribes a specific list of measures nor grants unfettered discretion to controllers in their choices. Instead, controllers must consider two primary criteria in their decision-making: (i) ‘the nature, scope, context and purposes of processing’45; and (ii) ‘the risks of varying likelihood and severity for the rights and freedoms of natural persons’46. These two criteria embody the ‘scalability of obligation’ concept articulated by the WP, allowing controllers to customize their compliance system.47

The WP interprets Article 24 (1) as establishing a ‘general obligation to appropriately manage risks presented by the processing of personal data’.48 This interpretation extends to the need for risks to be assessed, meaning that they need to be ‘identified, analyzed, estimated, evaluated, treated (e.g. mitigated), and reviewed regularly’.49

However, the GDPR does not define ‘risk’, despite its frequent mention throughout the Regulation. The term ‘risk’ appears 73 times throughout the Regulation,50 with three instances being particularly significant for understanding its integration into the GDPR’s framework. These key references are found in Recital 75,51 Article 24 (1), and Article 35 (1) GDPR. Recital 75 GDPR delineates the concept of risk, which encompasses the following elements: (i) any unintended or unforeseen effect or consequence to the data subject, (ii) with varying likelihood and severity, (iii) caused by the processing of personal data.

The forward-looking notion of risk, as underscored by the WP, aligns with scenarios envisaging potential events and their repercussions, marking a shift from purely ‘harms-based approaches’.52 The criterion of likelihood in the second element was introduced by the GDPR, in addition to that of the level of severity of risk already in Article 17 of the Directive.53 This choice seems to outline a modern concept of risk, defined through concepts of likelihood and probability in dealing with the possibilities of future events.54 Arguably, the use of the term ‘probability’ points to a conception of risk that can be measured in certain formulas.55

This focus on quantification and rationality is further evident in Recital 76 GDPR, which mandates an objective identification of risk factors and an assessment of risk levels. Recital 75 GDPR also points to the necessity of quantifying the consequences—such as physical, material or immaterial damage, issues of discrimination, loss, damage to reputation, etc—of potential future events on the rights and freedoms of the data subject.

Notably, the WP interprets ‘rights and freedoms’ broadly, encompassing not only data protection but also other fundamental rights like free speech, freedom of thought, and the prohibition of discrimination.56 Consequently, the GDPR’s focus on risk is primarily for the protection of the data subject, rather than the controller or processor’s regulatory compliance.

Lastly, the third element of this framework locates the main source of the risk for the data subject in the processing of personal data.

The duty to perform a DPIA and the role of risk

Kosta notes that the use of impact assessments is not new and it has been prevalent in various regulatory fields.57 The author gives the example of technology assessments developed in the 1960s to study the impact of technological inventions.58

In the GDPR, the ‘high risk’ of personal data processing is the trigger of a particular type of assessment. Article 35 (1) GDPR introduces a mandate for controllers to conduct a DPIA when a data processing operation, or a set of similar operations, is likely to pose a ‘high risk’ to the rights and freedoms of data subjects.59

Recital 84 GDPR positions DPIAs as an accountability requirement, stipulating that their outcomes must inform the decisions on appropriate measures to demonstrate that the data processing operation is compliant. Simultaneously, DPIAs serve as an ex-ante compliance requirement, designed to pre-emptively identify and mitigate potential negative consequences of processing operations.60

In a non-exhaustive list, Article 35 (3) GDPR introduces three scenarios where a DPIA is required, encompassing systematic and extensive evaluations based on automated processing, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas.61 Recital 92 provides examples such as ‘where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity’.

Additionally, Article 35 (4) obliges data protection authorities to publish a list of processing operations warranting DPIAs, with Article 35 (7) GDPR providing a non-exhaustive checklist for DPIA contents, including risk assessment in terms of likelihood and severity62 and the measures necessary to address these risks and demonstrate GDPR compliance. Recitals 84 and 90 GDPR add that DPIAs should, among other elements, evaluate the origin, nature, particularity, and severity of the risk.

The WP contends that the risk assessment integral to DPIAs does not overlap with the general risk management obligation outlined in Article 24 GDPR.63 The latter underscores the importance of risk assessment for all processing operations, regardless of the perceived level of risk, meaning that the absence of conditions demanding a DPIA does not reduce the obligation to manage risks effectively.64

This article concurs with this interpretation. Following a logical and chronological argument, risk assessment is essential before classifying risks as high, medium, or low, with only the first category necessitating a DPIA. The WP’s suggestion also highlights the scalable nature of the RBA,65 emphasizing the need for comprehensive and preliminary or basic risk assessments that differ from the scope of DPIAs.

Data transfers as ‘high risk’ processing

Applying this logic to data transfers, not all transfers necessitate a DPIA. In fact, Article 35 GDPR does not explicitly mention data transfers. Beyond the scenarios listed in Article 35 (3) GDPR, the WP issued Guidelines in 2017, proposing nine criteria for identifying ‘high risk’ processing.66

These criteria are not legally binding but serve as guidance for controllers. They include evaluation or scoring, automated decision-making with legal or similarly significant effect, systematic monitoring, processing of sensitive data or data of a highly personal nature, large-scale data processing, matching or combining datasets, processing personal data concerning vulnerable data subjects, innovative use or application of new technological or organizational solutions, and processing that impedes data subjects from exercising a right or using a service or a contract. The WP suggests that a DPIA is generally required when a processing operation meets two of these criteria.67

Similar to Article 35 (3) GDPR, the WP guidance does not explicitly mention data transfers, nor any criteria directly related to the problems discussed in data transfers case law68 and recognized in other legal instruments,69 such as the impact of foreign law or the direct access to personal data by foreign authorities. Arguably, this absence is not sufficient to conclude that personal data transfers do not pose ‘high risk’ for data subjects. The expression ‘shall in particular be required in the case of’ in paragraph 3 of Article 35 suggests that the list is not exhaustive. Therefore, data transfers can be ‘high risk’: for instance, a multinational research project involving significant health data collected from millions of data subjects could be considered ‘processing on a large scale of special categories of data referred to in Article 9(1)’.

In addition, the WP, as early as 1998, recognized the heightened risk of data transfers, suggesting that the degree of risk should significantly influence the ‘requirements of a particular case’.70 It recommended creating a list of ‘priority cases’ for data transfers that ‘pose particular risks to privacy’ and ‘merit particular attention’, including transfers of sensitive categories of data, risks of financial loss, threats to personal safety, and situations that could cause serious embarrassment or tarnish an individual’s reputation.71

Also, Recital 116 GDPR acknowledges that personal data transfers ‘may put at increased risk the ability of natural persons to exercise data protection rights’ and that DPAs ‘can be unable to pursue complaints or conduct investigations relating to the activities outside their jurisdiction’.

A DPIA for data transfers and the Schrems II decision

The terms ‘data transfer risk assessment’72 or ‘data transfer impact assessment’ (DTIA)73 emerged post-Schrems II decision, potentially conflating the CJEU required assessment with general risk identification processes for data transfers and suggesting a new type of assessment specific to data transfers.

Yet, the Court did not directly link the specialized assessment of transfer mechanisms with the risk assessment obligation under Article 24 or the DPIA requirement under Article 35 GDPR. Therefore, conducting a risk assessment for data transfers, whether under the general obligation of risk management or as part of a DPIA, differs from the assessment mandated by the CJEU in Schrems II.

Applying the ‘two-step test’ strictly, both the obligation to manage risks and the duty to perform a DPIA arise from the first step, unrelated to the second step concerning the transfer mechanism. Conducting a DPIA is based on the processing’s risk level, not on the type of transfer mechanism used. Thus, performing a DPIA can be mandatory regardless of the transfer mechanism in place, even when an adequacy decision has been adopted. The legal effect of the adequacy decision is that the transfer does ‘not require any specific authorisation’,74 but it does not replace or annul the application of the general provisions of the GDPR applied in step one. Nevertheless, there seems to be no reason or legal ground for data controllers to re-assess the criteria used by the Commission before adopting the adequacy decision.

In addition, the nature and content of assessments can differ. The Schrems II decision emphasized that controllers should consider the factors aligned with those the EU Commission considers under Article 45 (2) GDPR, such as the rule of law in a third country, the presence of comprehensive data protection laws, or an independent data protection authority.75 This approach ensures consistency in fundamental rights protection across data transfer mechanisms, requiring controllers to assess protection equivalency as the EU Commission does.76 Hence, the assessment suggested in Schrems II differs from the risk analysis or quantification rationale foundational to both Articles 24 and 35 GDPR.

However, when data transfers are considered ‘high-risk’ and a DPIA is mandatory, there may be an overlap with the Schrems II assessment. Article 35 (7) GDPR introduces a non-exhaustive list of elements that can be included in a DPIA, making it a flexible instrument to accommodate the assessment introduced by the Schrems II decision. In cases where conducting a DPIA is not mandatory, controllers must independently assess the transfer mechanism according to the CJEU criteria.

Concluding remarks

In conclusion, this article affirms the significance of DPIAs within the GDPR’s ‘two-step test’ for data transfers, directly addressing the previously identified gap in scholarly discourse. By systematically examining the conditions that necessitate DPIAs for data transfers, this article not only advances the understanding of the RBA but also provides guidance for data controllers on ensuring GDPR compliance with data transfers post-Schrems II.

It explored the RBA within the GDPR, specifically through the prism of personal data transfers and the pivotal ‘two-step test’ delineated in Article 44. A critical examination of the first step revealed that the general obligation to assess risk, as specified in Article 24, applies to data transfers. Consequently, controllers must identify risks and implement appropriate safeguards for data transfers, similar to the requirements for other types of data processing. But more importantly, the initial phase of the test dictates that following the risk assessment required by Article 24 (1), if a ‘high risk’ to data subjects is determined, a DPIA, as required by Article 35 (1) GDPR, must be carried out.

Notably, the scenarios deemed ‘high risk’ under Article 35 (3) do not explicitly pertain to data transfers. Nevertheless, this absence does not imply that DPIAs are unnecessary for data transfers. Indeed, ‘high risk’ data transfers that fall into the scenarios described in Article 35 (3) necessitate a DPIA. Therefore, the first conclusion of this article is that data transfers are subject to a risk assessment not only due to the general obligation to manage risk (Article 24), but also when a DPIA is required whenever the data transfer presents a ‘high risk’. An illustrative example involves a research project with international partners and health data.

Following the Schrems II ruling, the test’s second phase has become more stringent for controllers. The CJEU’s refinement of ‘essential equivalence’ now serves as the guiding benchmark for GDPR’s approach to data transfers. Controllers are thus tasked with evaluating the effectiveness of the transfer mechanism and the legislative and practical landscape in the destination country.77 But the Court’s assessment in Schrems II and the risk assessment process outlined primarily in Article 35 GDPR are different. This is the second conclusion of this article that identifies three key differences.

The first distinction addresses the ‘two-step test’ structure, indicating that risk assessment occurs in the first phase, while the CJEU’s assessment applies to the second. Accordingly, the necessity for a DPIA is influenced by the processing’s risk level, independent of the chosen transfer mechanism, marking the second distinction. The third difference highlights that the CJEU’s recommended assessment departs from the risk analysis or quantification foundational to Articles 24 and 35 GDPR. The Court emphasized that controllers are to consider the same factors as the EU Commission, as specified in Article 45 (2) GDPR, which includes the rule of law in a third country, the presence of comprehensive data protection laws, or an independent data protection authority.78

These three differences open the avenue for another conclusion about the connection between a DPIA and data transfer mechanisms, in particular adequacy decisions. Indeed, given the mandatory nature of a DPIA for ‘high risk’ data transfers, such an assessment must be performed even when the transfer mechanism is an adequacy decision by the EU Commission. This requirement stems from the ‘two-step test’s first phase, with the adequacy decision forming part of the second phase’s transfer mechanism verification. However, it seems impractical to compel controllers to re-evaluate the Commission’s analysis.

Furthermore, the distinctions drawn between the general risk assessment obligation under Article 24, the specific requirements of Article 35, and the nuanced assessment mandated by the Schrems II decision underscore the complexity of the GDPR’s approach to safeguarding data subject rights across borders. The article illuminated the subtle yet significant differences in these assessment processes, highlighting the GDPR’s layered approach to risk in the realm of data transfers.

In conclusion, this article contributes to the ongoing dialogue on the GDPR’s RBA by elucidating the ‘two-step test’ and its implications for data transfers, especially regarding DPIA requirements. By mapping out when and how data transfers should be considered ‘high risk’ processing, it seeks to offer clarity on a previously underexplored aspect of GDPR compliance.

Footnotes

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016) OJ L 119/1.

2

Christopher Kuner and others, ‘Risk Management in Data Protection’ (2015) 5 International Data Privacy Law 95; Luiz Costa, ‘Privacy and the Precautionary Principle’ (2012) 28 Computer Law & Security Review 14; Raphael Gellert, ‘Data Protection: a Risk Regulation? Between the Risk Regulation of Everything and the Precautionary Alternative’ (2015) 5 International Data Privacy Law 3.

3

Maximilian von Grafenstein, The Principle of Purpose Limitation in Data Protection Laws. The Risk-based Approach, Principles, and Private Standards as Elements of Regulating Innovation (Nomos 2017); Raphael Gellert, The Risk-Based Approach to Data Protection (Oxford University Press 2020).

4

Gellert (n 2).

5

Kuner and others (n 2); Grafenstein (n 3); Costa (n 2); Gellert (n 2).

6

Gellert (n 2).

7

Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems [2020] ECLI:EU:C:2020:559.

8

About the Austrian and French decisions, see Lokke Moerel, ‘What Happened to the Risk Based Approach to Data Transfers? How the EDPB is Rewriting the GDPR’ (Future of Privacy Forum blog, 2022) <https://fpf.org/wp-content/uploads/2022/09/FPF-Guest-Blog-What-Happened-to-the-Risk-Based-Approach-of-Data-Transfers.doc.pdf> accessed 5 December 2023.

9

Christopher Kuner, Lee Bygrave, and Christopher Docksey, The EU General Data Protection Regulation: A Commentary. Update of Selected Articles (Oxford University Press 2021) 113; Moerel (n 8); Paul Breitbarth, ‘A Risk-based Approach to International Data Transfers’ (2021) 4 European Data Protection Law Review 539, 547.

10

Kuner, Bygrave, Docksey (n 9); Breitbarth (n 9); Moerel (n 8).

11

This WP was established under Art 29 of Directive 95/46/EC and functioned as an independent European advisory body, comprising the collective data protection authorities of the Member States. It was succeeded by the similarly constituted European Data Protection Board (EDPB) on 25 May 2018, the date on which the GDPR became applicable. While their guidelines are not legally binding, they provide valuable insights for interpreting key concepts in data protection law.

12

The ‘degree of risk that the transfer poses to the data subject will be an important factor in determining the precise requirements of a particular case’, see Art 29 WP, ‘Working Document: Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive’ (WP12, 24 July 1998) 5.

13

Christopher Kuner, Transborder Data Flows and Data Privacy Law (OUP 2013) 173; Kuan Hon, Data Localization Laws and Policy: The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens (Edward Elgar Publishing 2017) 153.

14

Breitbarth (n 9).

15

Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (2021) OJ L 199/31.

16

Moerel (n 8).

17

‘Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.’

18

Case C-311/18 (n 7).

19

Case C-101/01, Bodil Lindqvist [2003] ECLI:EU:C:2003:596.

20

Ibid para 63.

21

Kuner (n 13).

22

EDPB, ‘Guidelines 07/2022 on Certification as a Tool for Transfers’ (June 2022) 6, 7.

23

Christopher Kuner, ‘Article 44 General Principle for Transfers’ in The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020) 755–770 (Kindle edition).

24

Opinion of Advocate General Saugmandsgaard Øe in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems [2019] ECLI:EU:C:2019:1145, para 1.

25

W Kuan Hon provides a good summary of scholarship about policy goals for data transfers rules in general: ‘preventing circumvention of national data protection/privacy laws; guarding against processing risks elsewhere, e.g. US authorities accessing non-US citizens’ data; difficulties asserting data protection/privacy rights abroad; and enhancing consumers’ and individuals’ confidence in the processing of their personal data (and in ecommerce)’, see Hon (n 13).

26

Kuner (n 23).

27

The first step implies that other obligations apply such as Arts 25 (Data Protection by design and by default) and 32 (Security of processing). However, the focus of this article is Art 35 (Data Protection Impact Assessment).

28

This will be further detailed in ‘The DPIA in the realm of data transfers’ section.

29

Moerel (n 8).

30

See Art 35 (1) GDPR.

31

According to Kuner, ‘Chapter V contains a closed list of methods for international transfers of personal data, ie, no other ones are possible’, see Kuner (n 23).

32

W Kuan Hon notes that, previous to the GDPR enactment, a self-assessment of the data transfer was in place as a transfer mechanism in some Member States, see Hon (n 13).

33

The adequacy can be of the country as a whole, a territory, or one or more specified sectors within that third country. See Art 45 (1) GDPR.

34

Ibid.

35

Kuner suggests a hierarchy among transfer tools, but he also stresses that any conflict between transfer mechanisms should be solved ‘with an aim to maximize the level of data protection for the transfer’, see Kuner (n 23).

36

Case C-311/18 (n 7).

37

Case C-362/14, Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650.

38

Opinion 1/15 Draft agreement between Canada and the European Union—Transfer of Passenger Name Record data from the European Union to Canada [2017] ECLI:EU:C:2017:592 (This judgment will be referred to in this article as ‘Opinion 1/15’).

39

Laura Drechsler and Irene Kamara, ‘Essential Equivalence as a Benchmark for International Data Transfers after Schrems II’ in Research Handbook on EU Data Protection (Edward Elgar Publishing 2021) 314.

40

Case C-311/18 (n 7) paras 132–134.

41

Drechsler and Kamara (n 39).

42

Case C-311/18 (n 7) paras 103–105.

43

EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’ 11.

44

Moerel (n 8).

45

For an explanation of the meaning of this expression, see Lina Jasmontaite and others, ‘Data Protection by Design and by Default: Framing Guiding Principles into Legal Obligations in the GDPR’ (2018) 2 European Data Protection Law Review 1.

46

Commenting on Art 25 GDPR, which uses the same expression (‘to implement appropriate technical and organizational measures’), Hildebrandt and Tielemans explain that the meaning of ‘appropriate’ can change depending on the risks identified, Mireille Hildebrandt and Laura Tielemans, ‘Data Protection by Design and Technology Neutral Law’ (2013) 29 Computer Law & Security Review 509.

47

Christopher Docksey, ‘Article 24 Responsibility of the Controller’ in The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020) 564 (Kindle edition).

48

WP, ‘Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679’ (WP248, 4 October 2017) 2.

49

Ibid.

50

Arts 4 (24), 23 (2) (g), 24 (1), 25 (1), 27 (2) (a), 30 (5), 32, 33, 34, 35, 36, 39 (2) GDPR, among others.

51

The CJEU has consistently held that recitals lack binding legal force and do not directly create rights or impose duties. Despite this, recitals hold value within the EU legal framework as interpretative tools. Particularly in cases where a recital is clear but an associated operative provision is ambiguous, the recital can be pivotal in resolving such ambiguity. This highlights the importance of recitals in understanding and applying EU law. See Case C-136/04, Deutsches Milch-Kontor v Hauptzollamt Hamburg-Jonas [2005] ECLI:EU:C:2005:716; Case C-134/08, Hauptzollamt Bremen v J. E. Tyson Parketthandel [2009] ECLI:EU:C:2009:229; Case C-244/95, Moskof v Ethnikos Organismos Kapnou [1997] ECLI:EU:C:1997:551, para 44; Case C-435/06, C [2007] ECLI:EU:C:2007:714, paras 51–52.

52

WP, ‘Statement on the Role of a Risk-based Approach in Data Protection Legal Frameworks’ (WP218, 30 May 2014).

53

Docksey (n 47).

54

Margot E Kaminski, ‘Regulating the Risks of AI’ (2023) 103 Boston University Law Review 2.

55

About this, see Jasmontaite and others (n 45).

56

WP248 (n 48).

57

Eleni Kosta, ‘Article 35 Data Protection Impact Assessment’, The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020) 668 (Kindle edition).

58

Ibid 668.

59

Also see Recital 89 GDPR.

60

Kosta (n 57).

61

With more accuracy: ‘(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person’; ‘(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10’; and ‘(c) a systematic monitoring of a publicly accessible area on a large scale’.

62

Art 35 (7) (c) GDPR prescribes that the assessment shall contain ‘an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1’. The provision in paragraph 1 mentions a ‘high risk’ that, logically, needs to be measured and classified as such.

63

WP248 (n 48).

64

‘The mere fact that the conditions triggering the obligation to carry out a DPIA have not been met does not, however, diminish controllers’ obligation to implement measures to appropriately manage risks for the rights and freedoms of data subjects’, see Ibid 6.

65

WP218 (n 52).

66

WP248 (n 48).

67

Ibid 11.

68

Eg, in the Schrems I and II decisions of the CJEU.

69

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices, and agencies and on the free movement of such data (2018) OJ L 295/39. Recital 71 mentions ‘unlawful use or disclosure’. A similar wording is used in recital 74 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (2016) OJ L 119/89.

70

WP12 (n 12).

71

Ibid.

72

Breitbarth (n 9).

73

Christopher Kuner, ‘International Data Transfers after Five Years of the GDPR: Postmodern Anxieties’ (EU Law Live, 5 May 2023) <https://eulawlive.com/op-ed-international-data-transfers-after-five-years-of-the-gdpr-postmodern-anxieties-by-christopher-kuner/> accessed 1 July 2023.

74

Art 45 (1) GDPR.

75

Case C-311/18 (n 7) para 104.

76

Underlining the challenges of this task, see Drechsler and Kamara (n 39).

77

Case C-311/18 (n 7) paras 103–105.

78

Ibid para 104.

This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic-oup-com.libproxy.ucl.ac.uk/pages/standard-publication-reuse-rights)