Theodore Christakis, Professor of International Law at the University Grenoble Alpes and Senior Fellow and Director of Research for Europe at the Cross-Border Data Forum, has published a new comprehensive analysis on cross-border transfers of personal data and the EU’s data protection authorities’ “Zero Risk” theory developed since the CJEU Schrems II Judgment. Prof. Christakis looks at how controllers and processors transferring personal data outside the EU have been asked by Data Protection Authorities (DPAs) around the EU to guarantee no access to EU personal data by the intelligence and law enforcement agencies of foreign countries whose legal systems do not include data protection safeguards that are essentially equivalent to those mandated by EU law. The study also analyzes in detail the positions of EU DPAs and Courts concerning protections from extraterritorial access by foreign governments to data localized in Europe as well as the “immunity from foreign laws” requirement proposed within the context of the EU Cybersecurity Certification Regime for Cloud Services (EUCS).
Prof. Christakis’s article tackles the subject in three parts:
- An examination of the EU’s DPAs’ “Zero Risk” approach;
- A look at the reasons why it is impossible for organizations transferring personal data outside of the EU to achieve a “Zero Risk” approach to foreign authorities’ access to data; and
- A look at pragmatic and feasible solutions to the challenges faced by organizations that transfer personal data outside the EU or that use cloud providers which localize data in the EU but are subject to the personal jurisdiction of foreign governments.
The full article is available here.
Alston & Bird serves as counsel to the Cross-Border Data Forum.