Following the Schrems II decision of the Court of Justice of the European Union(CJEU) invalidating the EU-US Privacy Shield, EU data supervisory authorities (DPAs) have developed a “zero risk approach” to the international transfer of personal data under Chapter 5 of the GDPR. This means that companies processing European personal data must eliminate all theoretical risk that foreign governments will be able to access European data. This “zero risk approach” also includes strong data localization. However, it is questionable whether this “zero risk approach” is security-friendly and effective. First of all, European data controllers are often subject to US personal jurisdiction and may face overseas data access (production) requests in the same way as US companies. In addition, foreign intelligence agencies do not necessarily access data through compulsory requests to companies, but rather through direct access by domestic technical means. Even if European data processors avoid being subject to foreign personal jurisdictions such as the United States, they may be at increased risk of being “directly accessed” by foreign intelligence agencies. Therefore, the “zero risk” requirement that Europe demands of CSPs can be seen as pursuing something that is ultimately unattainable. Furthermore, the GDPR is fundamentally based on a “risk-based approach,” which means “an attempt to strike the optimal balance between ultimately conflicting constitutional interests.” Therefore, safeguards for the international transfer of personal data should be evaluated according to the standard of “proportionality,” not “perfection.”

1 김현수, "소비자보호와 정보주체의 권리 실현 집행체계- 미국 FTC의 사례를 중심으로 -" 2024

2 박선욱, "미국과 EU의 개인정보보호에 관한 법제 비교분석" (83) : 2019

3 김현경, "데이터 속성과 국지화 규범의 법적 쟁점에 대한 고찰" 78 : 2017

4 김민호, "개인정보의 의미" 28 (28): 2016

5 김현경, "‘데이터 주권’과 ‘개인정보 국외이전’ 규범 합리화 방안 연구" 31 (31): 2019

6 CIPL, "White Paper - A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision"

7 Lokke Moerel, "What happened to the Risk Based Approach to Data Transfers? How the EDPB is rewriting the GDPR"

8 "The White Book: USA v. Microsoft: What Impact, CEIS & The Chertoff Group White Paper"

9 Clifford Chance, "The GDPR International Data Transfer Regime: the case for Proportionality and a Risk-Based Approach"

10 Giovanni De Gregorio, "The European Risk-Based Approaches: Connecting Constitutional Dots in the Digital Age" 59 (59): 2022

11 Peter Swire, "The Effects of Data Localization on Cybersecurity - Organizational Effects" Georgia Tech Scheller College of Business 2023

12 Matthias Bauer, "The Economic Impacts of the Proposed EUCS Exclusionary Requirements: Estimates for EU Member States" ECIPE Study 2023

13 Theodore Christakis, "The 'Zero Risk' Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach, CIPL/CBDF Paper Series"

14 TikTok, "Setting a new standard in European data security with Project Clover"

15 Christopher Kuner, "Schrems II Re-Examined"

16 Swire, Peter, "Risks to Cybersecurity from Data Localization, Organized by Techniques, Tactics, and Procedures"

17 EDPB, "Recommendations 02/2020 on the European Essential Guarantees for surveillance measures"

18 US Dep’t of Justice, "Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act"

19 D. Felz, "New EU data blockage as German court would ban many cookie management providers"

20 CNIL, "Mémoire en Observations, Conseil d’Etat, Referé L, 521-2 CJA"

21 Microsoft, "Microsoft Cloud enables customers to keep all personal data within European Data Boundary"

22 EDPB, "Initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data and the negotiations of an EU-US Agreement on cross-border access to electronic evidence"

23 "Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II"

24 Nigel Cory, "France’s “Sovereignty Requirements” for Cybersecurity Services Violate WTO Trade Law and Undermine Transatlantic Digital Trade and Cybersecurity Cooperation"

25 Nigel Cory, "France—and Potentially EU—Cybersecurity Regulations: The Latest Barrier to Data Flows, Digital Trade, and Digital Cooperation Among Likeminded Partners" CBDF 2021

26 Theodore Christakis, "European Digital Sovereignty: Successfully Navigating Between the ‘Brussels Effect’ and Europe’s Quest for Strategic Autonomy" MIAI/Grenoble Data Institute 2020

27 Claudia Quelle, "Enhancing compliance under the general data protection regulation: the risky upshot of the accountability-and risk-based approach" 2018

28 Oracle, "EU Sovereign Cloud" OCI

29 "Décision n° 2024-205 du 13 mars 2024 mettant en demeure la société C8 NOR :RCAC2408029S JORF n°0067 du 20 mars 2024 Texte n° 76"

30 Amazon Web Services, "Digital Sovereignty at AWS"

31 CNIL, "Deliberation No. 2023-084 of 7 September 2023 on a draft decree relating to the organisation and operation of the national platform for combating competition manipulation, section D"

32 "Decision of the European Data Protection Supervisor in complaint case 2020-1013 submitted by Members of the Parliament against the European Parliament"

33 "Decision of the European Data Protection Supervisor in complaint case 2020-1013 submitted by Members of the Parliament against the European Parliament"

34 Theodore Christakis, "Data, Extra-territoriality and International Solutions to Transatlantic Problems of Access to Digital Evidence - Legal Opinion on the Microsoft Ireland Case (US Supreme Court)"

35 "DPA Decision on D155.027, 2021-0.586.257"

36 Randal Milch, "Cybersecurity and Privacy in a Globalized World - Building Common Approaches" New York University School of Law 2019

37 EDPB, "Coordinated Enforcement Action, Use of cloud-based services by the public sector"

38 Matthias Bauer, "Building Resilience? The Cybersecurity, Economic & Trade Impacts of Cloud Immunity Requirements" ECIPE 2023

39 Greenberg Traurig LLP, "Application of the CLOUD Act to EU Entities" Ministry of Justice and Security NCSC 2022

40 Google Cloud, "Announcing Google Cloud’s new Digital Sovereignty Explorer"

41 Theodore Christakis, "After Schrems II : Uncertainties on the Legal Basis for Data Transfers and Constitutional Implications for Europe"