Skip to content

A Risk-Based Approach to International Data Transfers


Paul Breitbarth


Since the Schrems-II judgment, a discussion is taking place on solving the challenges organisations face when transferring personal data out of the European Economic Area: can they rely upon data transfer risk assessments, and may they also consider the likelihood of the risks actually occurring? If not, it seems unavoidable that many international data flows will either need to stop or continue illegally, since the threshold to transfer personal data would become too high to work with on a daily basis. This paper discusses why a risk-based approach to international transfers is both needed and legal, why the guidelines of the European Data Protection Board may be expecting too much from organisations and what a risk-based data transfer should mean in practice. Apart from legislative change, a solution can be found in increased accountability and transparency by organisations, to regain public trust.
Keywords: data protection, international transfers, transfer risk assessment, accountability

Paul Breitbarth is Visiting Fellow at the European Centre on Privacy and Cybersecurity, Maastricht University, and Director, Global Policy and EU Strategy at TrustArc. For correspondence: <>. The author would like to thank prof. Christopher Kuner, Elise Latify, Dr. K Royal and Dr. Gabriela Zanfir-Fortuna for their invaluable comments and support ahead of submission of the paper.


Lx-Number Search

(e.g. A | 000123 | 01)

Export Citation