Since the Schrems-II judgment, a discussion is taking place on solving the challenges organisations face when transferring personal data out of the European Economic Area: can they rely upon data transfer risk assessments, and may they also consider the likelihood of the risks actually occurring? If not, it seems unavoidable that many international data flows will either need to stop or continue illegally, since the threshold to transfer personal data would become too high to work with on a daily basis. This paper discusses why a risk-based approach to international transfers is both needed and legal, why the guidelines of the European Data Protection Board may be expecting too much from organisations and what a risk-based data transfer should mean in practice. Apart from legislative change, a solution can be found in increased accountability and transparency by organisations, to regain public trust.
Keywords: data protection, international transfers, transfer risk assessment, accountability