What Happened to the Risk-Based Approach to Data Transfers?
The following is a guest post to the FPF blog from Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security Council member. This blog is a summary of a longer academic paper which can be downloaded here.
The guest blog reflects the opinion of the author only. Guest blog posts do not necessarily reflect the views of FPF.
In my earlier FPF guest blog on the geopolitics of trans-Atlantic data transfers, I flagged that Schrems II companies increasingly find themselves in a catch-22. Frustrations are running high as companies work towards Schrems II compliance by executing measures to mitigate the risk that US government entities can access their data. Yet, EU data protection authorities (DPAs) continue to block their way. The DPAs increasingly adopt an absolutist approach, whereby mitigating measures are disregarded irrespective of the actual risk for data protection after transfer, triggering a debate on what happened to the risk-based approach of the GDPR (RBA). This has come to the fore in recent decisions of the DPAs as to the data transfers in the context of the use of Google Analytics. The Austrian DPA kicked things off by issuing a decision in a complaint of noyb against, i.e., Google (GA decision).1 In this decision, the Austrian DPA explicitly discards the applicability of the RBA as far as the data transfer provisions of the GDPR are concerned. In a Q&A issued by the CNIL concerning the use of Google Analytics, the CNIL also indicated that the RBA cannot be applied to data transfers.2
This is noteworthy, as, in legal literature, it is generally assumed that the RBA is incorporated in the ‘accountability principle’ of Article 24 GDPR and that this principle has a horizontal application throughout the GDPR and therefore also applies to the data transfer requirements.3 In this light, it is high time for an in-depth assessment of whether, and if so, to what extent the GDPR introduced the RBA, and specifically whether the RBA also applies to the data transfer requirements of Chapter V of the GDPR.
The conclusion will indeed be that the accountability requirement of Article 24 GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Other than the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment. We will, however, also see that the EDPB is trying to rewrite the GDPR by applying the accountability principle of Article 5(2) GDPR (which does not include the RBA) rather than the accountability principle of Article 24, which does. By taking this position, the EDPB pushes its own version of the accountability principle as proposed at the time for revision of the Directive, which was, however, ultimately not adopted by EU regulators in the GDPR.
1. Reasoning Austrian DPA in GA decision
In the GA decision, the Austrian DPA rejected Google’s arguments that a RBA should be taken when assessing the impact of the data transfers in the context of Google Analytics and that the Austrian DPA applies too strict a standard when considering that the mere possibility of access is relevant and not the actual risk of U.S. public authorities accessing the data.
Specifically, the DPA reasoned that such RBA could not be derived from the wording of Art. 44 GDPR. See the decision point D.4 (underlining by Austrian DPA in the original decision):
“Art. 44 GDPR – General principles of data transmission
“Any transfer of personal data already processed or to be processed after their transfer to a third country or an international organization shall only be allowed if the controller and the processor comply with the conditions laid down in this Chapter and with the other provisions of this Regulation, including any onward transfer of personal data from that third country or international organization to another third country or international organization. All provisions of this Chapter shall be applied in order to ensure that the level of protection of natural persons ensured by this Regulation is not undermined.”
On the contrary, it can be deduced from the wording of Art. 44 GDPR that for every data transfer to a third country (or to an international organization), it must be ensured that the level of protection guaranteed by the GDPR is not undermined.
The success of a complaint of a violation of Art. 44 GDPR, therefore, does not depend on whether a certain “minimum risk” is present or whether U.S. intelligence services have actually accessed data. According to the wording of this provision, a violation of Art. 44 GDPR already exists if personal data are transferred to a third country without an adequate level of protection.
In connection with those provisions of the GDPR where a risk-based approach is actually to be followed (“the higher the processing risk, the more measures are to be implemented”), the legislator has also explicitly and without doubt, standardized this. For example, the risk-based approach is provided for in Art. 24(1) and (2), Art. 25(1), Art. 30(5), Art. 32(1) and (2), Art. 34(1), Art. 35(1) and (3) or Art. 37(1)(b) and (c) GDPR. Since the legislator has standardized a risk-based approach in numerous places in the GDPR, but not in connection with the requirements of Art. 44 GDPR, it cannot be assumed that the legislator merely “overlooked” this; an analogous application of the risk-based approach to Art. 44 GDPR is therefore excluded.”
The Austrian DPA further rejected the arguments of Google that the RBA was confirmed by the European Court of Justice (ECJ) in the Schrems II judgement4 and the EDPB’s Recommendations 01/2020 on measures to complement transfer tools to ensure the level of protection of personal data under EU law.5
The Austrian DPA further states that the GDPR:
“Unlike Chapter V – see below – Art. 5(2) in conjunction with Art. 24(1) GDPR now actually take a risk-based approach. The higher the risk associated with the data processing, the higher the standard for the evidence to be submitted in order to prove compliance with the GDPR.”
2. Questions of law to be investigated
Based on the GA decision, there are a number of questions of law to be investigated:
- Does the RBA apply to the accountability requirements in Article 24 only, in the sense that the standard of evidence (i.e., the required accountability measures, like policies, training requirements, etc.) scales with the risk of the relevant processing rather than that the RBA applies also to the underlying obligations of the controller set out in other provisions of GDPR?
- Is the position under 1) supported by the fact that where the EU regulator intended to implement the RBA, this is explicitly expressed in the relevant provisions only? [which seems to be the position of the Austrian DPA]
- If the position under 1) is not correct, and RBA in Article 24 GDPR must be considered to constitute a horizontal provision applying a RBA also to the underlying obligations of the controller, does the RBA then relate to the obligations of controllers in Chapter IV only, or to all data protection obligations of controllers, including those of Chapter V?
- Does Article 5(2) indeed take a RBA for the accountability principle? [which seems to be the position of the Austrian DPA]
- Is the position under 1) confirmed by the ECJ in the Schrems II judgment?
- Is the position under 1) confirmed by the EDPB Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (EDPB Recommendations)?6
3. Summary Conclusions
Based on an analysis of the wording of the GDPR (see Section 5), the legislative history of the GDPR (see Section 6), the Schrems II judgment (see Section 7), and the EDPB Recommendations (see Section 8) the conclusions are:
- The accountability requirement of Article 24 incorporates the RBA. Article 24 has a horizontal application and the RBA, therefore, applies not only to the standard of evidence (accountability measures required) but also to the underlying obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies.
- The accountability principle of Article 24 does not apply to the general processing principles of Article 5(1). The accountability principle of Article 5(2) applies to the general processing principles only, which do not include the data transfer principles. Article 5(2) does not include the RBA.
- The ECJ in Schrems II has raised the bar as to data transfers based on Article 46 (transfers subject to appropriate safeguards), in the sense that when personal data are transferred, these require an essentially equivalent level of protection (rather than an adequate level), this in reference to the general principle for transfers of Article 44 and the EU Charter of fundamental rights. In the absence of an adequacy decision, the ECJ considers it the responsibility of the controller to make a transfer assessment before a transfer can take place on the basis of appropriate safeguards, which also includes an assessment of the laws and practices of the country or countries where the data are flowing to (see para. 126: where the ECJ explicitly refers to “the law and practices in force in the third country concerned” and requires “(…) ensuring, in practice, the effective protection of personal data transferred to the third country concerned.”7 The controller should then take measures to compensate for any lack of data protection by way of appropriate safeguards. The Court does not require that additional safeguards provide a 100% guarantee that access to data by third parties can never occur, but rather that they constitute “effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law…” (para. 137). Though the ECJ did not explicitly refer to the accountability principle of Article 24, this transfer assessment obligation of the controller seems in line with the RBA of the accountability principle of Article 24.
- The EDPB Recommendations confirm that Schrems II is in line with the accountability principle and that this principle applies also to the data transfer rules. Though the EDPB Recommendations refer to the accountability principle of Article 5(2) GDPR only, the EDPB Recommendations seem to allow for a nominal RBA as to the transfer assessment; this is in line with the RBA of Article 24 and Schrems II.
- The EDPB is mistaken where it applies the accountability requirement of Article 5(2) also to the transfer requirements. The underlying reason for the EDPB to apply Article 5(2) rather than the accountability principle of Article 24 is likely that the accountability principle of Article 5(2) does not have the RBA as to compliance with the material principles, where the accountability principle of Article 24 does have the RBA for compliance of the obligations of controllers. By taking this position, the EDPB basically pushes its own version of the accountability principle as proposed at the time for revision of the Directive, which was, however, ultimately not adopted by EU regulators.
4. Interpretation of Article 5 and 24 GDPR
According to the settled case law of the ECJ, the interpretation of a provision of EU law requires that account be taken not only of its wording and the objectives it pursues but also of its legislative context and the provisions of EU law as a whole. Also, the origins of a provision of EU law may provide information relevant to its interpretation.8
Article 24 is the first provision of Chapter IV (Controller and processor) Section 1 (general obligations). Reviewing the language of Article 24 GDPR, it resembles that of Article 25 (Data protection by design and by default) and Article 30 (Security). The heading of Article 24 is “Responsibility of the controller,” and the provision starts with the qualifier “taking into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall….” It is not under discussion that this implies the RBA.
The question then is whether the RBA applies to the standard of evidence (the accountability measures) or also to the underlying obligations of the controller under the GDPR themselves. The text of Article 24 reads that the controller must “ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” Where the controller explicitly has to ensure compliance by taking a RBA, it is difficult to see why the RBA in Article 24 would only apply to the level of standard of evidence (i.e., to be able to demonstrate compliance) and not to the underlying controller obligations themselves. The obligation further explicitly refers to all requirements under the Regulation.
That being said, not all provisions of the GDPR are formulated as obligations of the controller. For example, the general processing principles listed in Article 5(1) are not formulated as obligations of the controller but as absolute principles. In Article 5(2) it is subsequently provided that “the controller is responsible for, and shall be able to demonstrate compliance with paragraph 1 (“accountability”).” Noteworthy here is that this accountability requirement is not in any manner qualified, taking a RBA similar to Article 24. This seems to mean that the RBA does not apply to the material processing principles (why otherwise include Article 5(2) in the first place; in that case, Article 24 GDPR would have been sufficient).
The question then is, how does this apply to the data transfer rules of Chapter V? There is no indication whatsoever in the GDPR that the general obligation of the controller of Article 24 would not also apply to obligations of controllers under Chapter V (again Article 24 requires that controllers ensure compliance with the Regulation).
Rather, there are indications to the contrary. For example, the privacy-by-design requirements and security requirements (which also incorporate the RBA) remain applicable when transferring data (see explicitly Recital 108). In the same vein, also the accountability principle will be applicable when transferring data (provide the transfer rules are formulated as obligations of the controller rather than in absolute principles).
As the Austrian DPA notes, the general principle for transfers in Article 44 does indeed provide that “any transfer of personal data shall only take place in accordance with the conditions of this Chapter,” but (as omitted by the Austrian DPA) this general principle is explicitly made “subject to the other provisions of this Regulation.” This is logical; Chapter V on transfers cannot be considered on a standalone basis. The transfer rules aim to ensure that data receive a similar level of protection after being transferred to a third county that does not provide an adequate level of protection, not a higher protection. This is also expressed in the last sentence of Article 44:
“All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”
Article 46 GDPR (transfers subject to appropriate safeguards) is further formulated not as an absolute principle (like the general processing principles of Article 5(1)) but as an obligation of the controller where it allows data transfers “if the controller (…) has provided appropriate safeguards and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
The conclusions seem justified that the obligation of the controller “to provide appropriate safeguards” under Article 46 GDPR are indeed risk-based, with the exception of where Article 46(1) provides for the absolute requirements “that enforceable data subject rights and effective legal remedies for data subjects are available.”
5. Legislative history Article 5 and 24 GDPR
5.1 The EU Data Protection Directive
Historically, EU data protection legislation has been “rights-based,” and the requirements were to be applied irrespective of the level of risk involved and whether actual harm was created.9 As the WP29 (the predecessor of the EDPB) put it at the time, the EU data protection legal framework provides for a ‘minimum and non-negotiable level of protection for all individuals.’ 10 This is all the more so since the entry into force of the Treaty on the Functioning of the European Union in 2010, which granted the right to personal data protection the status of a fundamental right of the EU (see Article 8 of the EU Charter11 and Article 16(1) of TFEU12).
Noteworthy is that the protection of data transfers is not among those listed as a fundamental right. The EU transfer rules are not considered to be one of the material processing principles, as the transfer rules are a mechanism to ensure that these material processing principles will be observed, rather than being a fundamental processing principle itself.13 This being said, the transfer rules are crucial in their own right to guarantee the protection provided by the EU Data Protection Directive (Directive) and therefore are a key cornerstone of the Directive.14 This distinction is continued in the GDPR, where the material processing principles are listed in Article 5(1) GDPR (and do not include data transfer requirements), and the data transfer requirements are regulated separately in Chapter V.
5.2 Legislative reform
The Directive did not include an accountability principle, and it was only as part of the legislative review of the Directive that this principle was introduced. The main trigger for introducing the accountability principle was that the legislative review of the Directive by the EC showed that there was a widespread lack of compliance with the Directive, in particular also the data transfer requirements and that the enforcement tools of the DPAs were not sufficient to force compliance.15 On July 9, 2009, the EC launched a consultation on the EU data protection legal framework. As part of the consultation, the WP29 and EDPS issued a number of opinions, which basically advised the EC to introduce the accountability principle in the revised Directive. The proposals of the WP29 developed somewhat over time, but its last stance was adopted by the EC in its first proposal for a new Regulation.16
(a) WP29 Opinion on the accountability principle (July 2010)
In its Opinion on the accountability principle, the WP29 proposed the following concrete provision:
“Article X – Implementation of data protection principles
1. The controller shall implement appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with.
2. The controller shall demonstrate compliance with paragraph 1 to the supervisory authority on its request.”
The provision refers to all principles and obligations of the revised Directive. The Opinion further reflects that the accountability measures (rather than the material principles themselves) should be scalable (see para. 53). As to the consequences of compliance with the accountability principle, the WP 29 (at p. 11) stresses that “fulfilling the accountability principle does not necessarily mean that a controller is in compliance with the substantive principles […], i.e., it does not offer a legal presumption of compliance nor does it replace any of those principles.”
(b) First EC proposal for a Regulation (December 25, 2012)
The EC’s first proposal for a Regulation basically implements the proposals of the WP29. According to the Explanatory Memorandum accompanying the EU Commission’s first proposal17 dated December 25, 2012, the provisions of Article 22 of the draft considered the debate on a “principle of accountability” and described in detail the obligation of responsibility of the controller to comply with the Regulation and to demonstrate compliance, by adopting internal policies and mechanisms for ensuring such compliance. The first draft of the EU Commission did not include a reference to the “accountability principle” and did not include a reference to scalability (RBA) of the accountability provisions.
Article 5 sub (f):
“processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation
Responsibility of the controller
The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation, including the assignment of responsibilities, and the training of staff involved in the processing operations.”
“Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation.”
Note that Article 5(2) is based on Article 6(2) of the Directive, which embodied the original and narrower meaning of accountability as responsibility for compliance.
(c) Note of the Presidency to EU Council on implementation of RBA (March 1, 2013)
Further to a first examination of the EU Commission proposal, the Presidency reported to the EU Council18 that several Member States voiced their disagreement with the level of prescriptiveness of a number of obligations in the draft Regulation. Many delegations stated that the risk inherent in certain data processing operations should be the main criterion for calibrating the data protection obligations. Where the data protection risk was higher, more detailed obligations would be justified, and where it was comparably lower, the level of prescriptiveness should be reduced.19 The revised draft subsequently incorporated a ‘horizontal clause’ in Article 22 to incorporate the RBA:
“Taking into account the nature, scope and purposes of the processing and the risks for the (…) rights and freedoms of data subjects, the controller shall implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation (…).”20
Art. 5 sub (f) was changed into:
“processed under the responsibility (…) of the controller (…)
Therefore basically reverting the language back to the text of its predecessor Article 6 (2) Directive.
(d) WP29 Statement on the role of a RBA in data protection legal frameworks (May 30, 2014)21
In reaction to these developments in the EU legislative process, the WP29 issued a Statement on the role of a RBA in data protection legal frameworks. From this Statement, it can be derived that the WP29 was well aware that the changes proposed by the European Parliament and the Council constituted a major change as the RBA was now introduced as a core element of the accountability principle, also impacting the underlying obligations of controllers rather than (just) the accountability measures themselves, see p. 2:
“However, the risk-based approach has gained much more attention in the discussions at the European Parliament and at the Council on the proposed General Data Protection Regulation. It has been introduced recently as a core element of the accountability principle itself (Article 22).”
The WP29 further clarified in a number of crisp statements that the RBA should (i) not apply to the key rights granted to data subjects, which apply regardless of the level of risks incurred by the processing, and (ii) that there can be different levels of accountability obligations depending on the risk posed, but that controllers should always be accountable for compliance with the data processing obligations “whatever the nature, scope, context, purposes of the processing and the risks for data subjects are.”
(e) Final text GDPR dated April 8, 2016
The EU Council ignored the WP29 Statement and adopted the final version of Article 24 GDPR.22 The EU Council, in its accompanying statement (p. 4),23 explained that it had strengthened the accountability of controllers and processors to promote a real data protection culture and introduced throughout the Regulation a risk-based approach, allowing for the modulation of the obligations imposed on controllers.
5.3 Assessment based on the legislative history of the GDPR
Inclusion of Article 5(2) seems to be based on Article 6(2) of the Directive (“It shall be for the controller to ensure that paragraph 1 is complied with”), which embodied the original and more narrow meaning of accountability as responsibility for compliance. It was at the proposal of the European Parliament to maintain the original proposal of the EC and bring this provision more into line with accountability (‘be able to demonstrate’ rather than ‘demonstrate’) and the addition of the word ‘accountability’ in brackets at the end.24 The Council proposed instead to concentrate on responsibility.25 The resulting compromise was a combination in Article 5(2) of responsibility proposed by the Council and demonstrability and the label ‘accountability’ in brackets proposed by the Parliament. 26 There are no indications in the legislative history why the accountability element in Article 5(2) was first included, then deleted, and then reinstated but without the RBA. As this provision must have meaning (why otherwise reinstate it), it seems justified to conclude that the RBA does not apply to the material processing principles of Article 5.
The actual principle of accountability, as inspired by the proposals of the WP29 found its way into Article 22 (now 24). It is unclear why the EC declined to use the term accountability principle in the text or heading of Article 22 itself. It is only in the Explanatory Memorandum (at para. 3.4.4) that it is explained that Article 22 [now 24] “takes account of the debate on a ‘principle of accountability’”. The heading further referred to the “responsibility of the controller,” which fitted more the compliance notion of Article 5(2). It is clear that the EC, in its first draft proposal for the Regulation included the accountability principle as advocated by the WP29, whereby the provision applied to the standard of evidence only and not also to the underlying obligations of the controller. Based on the legislative history it is however undisputable that subsequent changes to the initial Article 22 were introduced by the Council in order to incorporate a horizontal provision applying the RBA for all obligations of the controller, and specifically also for the data transfer obligations.
6. Assessment of Schrems II
Reviewing the ECJ judgment in Schrems II,27 the Austrian DPA is correct that the ECJ does not refer to the accountability principle or the RBA under the GDPR. The conclusion of the Austrian DPA, however, that the ECJ (therefore thus) does not take a RBA to data transfers cannot be based on this judgment. What the ECJ did in the Schrems II was raise the bar for international data transfers based on Article 46 (transfers based on appropriate safeguards) to the so-called essentially equivalent level; this in reference to the general principle for transfers of Article 44 and the EU Charter of fundamental rights (see para. 131 – 134). In the absence of an adequacy decision, the ECJ considers it the responsibility of the controller to make a transfer assessment before a transfer can take place on the basis of appropriate safeguards, which also includes an assessment of the laws and practices of the country or countries where the data are flowing to (see para. 126: where the ECJ explicitly refers to “the law and practices in force in the third country concerned” and requires “(…) ensuring, in practice, the effective protection of personal data transferred to the third country concerned.”28 The controller should then take measures to compensate for any lack of data protection by way of appropriate safeguards. It is important to note that the Court does not require that additional safeguards provide a 100% guarantee that access to data by third parties can never occur, but rather that they constitute “effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law…” (para. 137). Though the ECJ did not explicitly refer to the accountability principle of Article 24, this transfer assessment obligation of the controller seems in line with the RBA of the accountability principle of Article 24.
This is also confirmed by the dictum of Schrems II. The dictum provides that the relevant aspects of the legal system of the third country need to be taken into consideration, therefore not only the law of the relevant third country but also its practices, as also follows from para. 126 of Schrems II. The ECJ refers to relevant aspects to the non-limitative list of elements in Article 45(2) GDPR, which the EC needs to consider when performing an adequacy assessment of a third country. The list of Article 45(2) shows that the EC, in its assessment, not only needs to assess the law of the country but also “the effective functioning” of the law. In other words, all relevant aspects of the legal system are in practice.29
7. Assessment EDPB Recommendation
The EDPB in the Recommendation30 reflects the Schrems II judgment in a similar manner. The EDPB indicates that the Schrems II judgment “reminds us that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes,” that “the Court also asserts this by clarifying that the level of protection in third countries does not need to be identical to that guaranteed within the EEA but essentially equivalent,” that the “Court also upholds the validity of standard contractual clauses, as a transfer tool that may serve to ensure contractually an essentially equivalent level of protection for data transferred to third countries,” but that these “do not operate in a vacuum” and that:
“controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In those cases, the Court still leaves open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law. The Court does not specify which measures these could be. However, the Court underlines that exporters will need to identify them on a case-by-case basis. This is in line with the principle of accountability of Article 5.2 GDPR, which requires controllers to be responsible for, and be able to demonstrate compliance with the GDPR principles relating to processing of personal data.
It is noteworthy that the EDPB explicitly refers to the accountability principle of Article 5(2), but does not in any way refer to the accountability principle of Article 24. The EDPB in para. 1 of the Recommendations explicitly considers that the accountability principle of Article 5(2) GDPR31 also applies to data transfers “since they are a form of data processing in themselves.”32 I recall (see sub 7.1 above) that the Article 5(1) lists the general processing principles, but that these do not include the data transfer principles. The EDPB is correct in considering a transfer a processing, but this then entails that the material principles apply to transfers, but this cannot carry the conclusion that transfers are thus a material principle in themselves. This goes against the system of the GDPR where the transfer rules have their own Chapter V. The underlying reason for the EDPB to find this ‘work around’ is that the accountability principle of Article 5(2), as I also concluded, does not have the RBA as to compliance of the material principles, where the accountability principle of Article 24 does have the RBA for compliance of the obligations of controllers. By taking this position, the EDPB pushes its own version of the accountability principle as proposed by the WP29 at the time for revision of the Directive, which was, however, ultimately not adopted by the EU regulator. Noteworthy is, however, that despite the reference to Article 5(2) GDPR, the final version of the Recommendation does include language (however nominally) to allow for a RBA of data transfer assessments, though the threshold seems high. A more kind interpretation is that the EDPB is confused by the fact that Article 5(2) does include the reference to “accountability,” while Article 24 does not (see sub 4 above). I, however, do not believe the EDPB is confused here, but actually pushes its version of accountability principle as it advocated from the start, while normally covering its basis by including a nominal RBA into the Recommendations itself in line with Schrems II. That the RBA is indeed (though somewhat nominally) included in the Recommendations can be derived from the changes made by the EDPB in the initial version after consultation.
The initial consultation version of the Recommendations,33 did not take a RBA as to the transfer assessment. The consultation version even specifically indicated that organizations should “not rely on subjective [factors] such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards” (see para 42). Following the consultation phase, whereby many stakeholders provided input that the EDPB had wrongfully ignored the RBA of the GDPR, the above statement was no longer included in the final version. Instead, the EDPB (somewhat nominally, and without any explicit acknowledgment) included the RBA approach, though the threshold to do so is very high. This is reflected in the text by including in a number of places that the transfer assessment should not only include the laws, but also the practices in the relevant third country (see in particular para. 43),34 but most importantly by allowing controllers to proceed with the transfer without supplementary measures if they have no reason to believe that the relevant legislation will be applied in practice (see para. 43.3).
The conclusion is that the accountability requirement of Article 24 GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Other than the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment. The EDPB is trying to rewrite the GDPR by applying the accountability principle of Article 5(2) GDPR (which does not include the RBA) rather than the accountability principle of Article 24, which does. By taking this position, the EDPB pushes its own version of the accountability principle as proposed at the time for revision of the Directive, which was, however, ultimately not adopted by EU regulators in the GDPR.
1 https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Google%20Analytics_DE_bk_0.pdf. See for English translation: Standarderledigung Bescheid (noyb.eu)
2 The CNIL also issued a Q&A concerning the use of Google Analytics: https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/questions-reponses-sur-les-mises-en-demeure-de-la-cnil-concernant-lutilisation-de-google-analytics The last question of the Q&A refers to the use of RBA by controllers by taking into account the likelihood of data access requests. The CNIL indicates that the RBA approach cannot be applied and explains that as long as the access to the transferred data is possible and the safeguards governing the issuance of requests for access to data do not guarantee a level substantially equivalent to the one guaranteed in the EU, it is necessary to take additional technical measures to make such access impossible or ineffective.
3 See, specifically on the applicability of the RBA to data transfer requirements after the Schrems II judgement: Paul Breitbarth, “A Risk-Based Approach to International Data Transfers,” EDPL, 2021, p. 547; Christopher Kuner, ‘Schrems II Re-Examined’ (VerfBlog, August 25, 2020) , https://verfassungsblog.de/schrems-ii-re-examined/; and Christopher Kuner, Lee Bygrave and Christopher Docksey, The EU General Data Protection Regulation: A Commentary. Update of Selected Articles. Oxford University Press, 2021, p. 113. Other authors discuss the RBA of the GDPR, but not specifically in the context of data transfers and the ECJ judgement in the Schrems II case.
4 Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems  ECLI:EU:C:2020:559 : CURIA – Case information (europa.eu).
7 See for a similar reference also para. 158.
8 ECJ judgment of December 10, 2018, Wightman and Others, C-621/18, EU:C:2018:999, paragraph 47 and the case-law cited: CURIA – Case information (europa.eu)
9 See, Amann v Switzerland App No 27798/95 (ECtHR, February 16, 2000) §70: in order to determine whether a processing constitutes an interference, the fact that the data subject may ‘have been inconvenienced in any way’ is irrelevant: AMANN v. SWITZERLAND (coe.int).
10 Art. 29 WP, ‘Opinion 1/98 Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS) , (1998), p. 2: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/1998/wp11_en.pdf.
13 This is evidenced by the fact that in the Directive the EU transfer rules are not included in Chapter II (The General Rules on the Lawfulness of the Processing of Personal Data), but in a separate Chapter IV (Transfer of personal Data to third Countries). For a similar separation of the basic principles and the transfer rules see the Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data (Madrid Draft Proposal for International Standards), as adopted on November 5, 2009 at The International Conference of Data Protection and Privacy Commissioners in Madrid by the participating data protection authorities, to be found at https://edps.europa.eu/sites/edp/files/publication/09-11-05_madrid_int_standards_en.pdf, where the transfer rules are included in Section 15 and the basic principles of data protection in Part II.
14 See WP 12, Working Document on Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, July 24, 1998 (WP 12), at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/1998/wp12_en.pdf, where the Working Party 29 lists “six content principles” of which the 6th is: “restrictions on onward transfers – further transfers of the personal data by the recipient of the original data transfer should be permitted only where the second recipient (i.e., the recipient of the onward transfer) is also subject to rules affording an adequate level of protection. The only exceptions permitted should be in line with Article 26(1) of the directive.” Since a restriction on onward transfers was at the time missing from Convention 108, the Working Party 29 considered the protection provided by the countries that had at the time ratified Convention 108 was insufficient (see WP 12, at 8). This led to adoption of a transfer rule similar to the Directive in Article 2 of the Additional Protocol to Convention 108.
15 Rand Europe, Review of the European Data Protection Directive, Technical Report dated May 2009 (Rand Report) at https://www.rand.org/pubs/corporate_pubs/CP1-2009.html. Other reviews showed similar results: see Douwe Korff, EC Study on implementation of the Data Protection Directive, Comparative study of national laws, September 2002, Human Rights Centre University of Essex, at 209, to be found at <http://papers.ssrn.com>, notes that “the powers now vested in the data protection authorities, as currently exercised, have not been able to counter continuing widespread disregard for the data protection laws in the Member States.”
16 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2009/wp168_en.pdf, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf
24 See Amendment 99, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52014AP0212&from=EN.
26 Cf. supra n. 3, p. 113.
27 Cf. supra n.4.
28 Ibid. see para. 126.
29 Cf. supra n.5.
30 Cf. supra n.5.
31 See para. 3 where the EDPB refers to the accountability principle and includes in footnote 12 again a reference to Article 5(2) GDPR only. See also para. 5, footnote 18; para. 48, footnote 58; and para. 76, footnote 77. The only reference to Article 24 can be found in footnote 22, which seems an oversight more than intentional.
32 The EDPB refers to para. 45 of Schrems II. However, in this paragraph the ECJ just indicates that a transfer is a processing (which is correct), but this is not in any way related to how Article 5(1) GDPR should be interpreted.
33 Cf. supra n.5.
34 Cf. supra n.4.