The following is a guest post to the FPF blog from Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security Council member. This blog is a summary of a longer academic paper which can be downloaded here.
The guest blog reflects the opinion of the author only. Guest blog posts do not necessarily reflect the views of FPF.
In my earlier FPF guest blog on the geopolitics of trans-Atlantic data transfers, I flagged that Schrems II companies increasingly find themselves in a catch-22. Frustrations are running high as companies work towards Schrems II compliance by executing measures to mitigate the risk that US government entities can access their data. Yet EU data protection authorities (DPAs) continue to block their way. The DPAs increasingly adopt an absolutist approach, whereby mitigating measures are disregarded irrespective of the actual risk to data protection after transfer, triggering a debate on what happened to the risk-based approach of the GDPR (RBA). This has come to the fore in recent decisions of the DPAs on data transfers in the context of the use of Google Analytics. The Austrian DPA kicked things off by issuing a decision on a complaint by noyb against, i.e., Google (GA decision).1 In this decision, the Austrian DPA explicitly discards the applicability of the RBA as far as the data transfer provisions of the GDPR are concerned. In a Q&A issued by the CNIL concerning the use of Google Analytics, the CNIL also