Intelligent CISO Issue 59 | Page 50

FEATURE

supervisory authorities this year considering the application of the

Schrems II and Chapter V GDPR requirements to specific international transfers of personal data . Data protection supervisory authorities have argued that it is not possible to adopt a risk-based approach when assessing transfers of personal data to ‘ third countries ’, in essence arguing that transfers are prohibited if the mere possibility of foreign governmental access gives rise to any risk of harm ( however trivial and however unlikely ).

Commenting on the survey , Ewa Kurowska-Tober , Global Co-Chair Data Protection and Cybersecurity at DLA Piper , said : “ A proportionate , risk based approach to the interpretation of GDPR ’ s

restrictions on international transfers of personal data is not just permitted but , in our view , legally required . Adopting an ‘ absolutist ’ approach to transfer restrictions and effectively outlawing any transfer of personal data , however trivial the risk of harm , risks real lasting harm to consumers . Transfers have many benefits for consumers and for society , by ensuring the rapid development and rollout of vaccines , by enabling effective oversight and regulation of business and by providing access to online services enjoyed by billions of people . We hope that supervisory authorities reconsider the absolutist approach adopted in these early enforcement decisions .”

Ross McKean , Chair of the UK Data Protection and Cybersecurity Group , added : “ The spate of Irish Data Protection Commissioner fines targeting the behavioural advertising practices of social media platforms this year have the potential to be every bit as profound for the future of the ‘ grand bargain ’ at the heart of today ’ s ‘ free ’ Internet , as Schrems II has been for international data transfers . Given what ’ s at stake , we can expect years of appeals and litigation . The law is very far from settled on these issues .” u

50 www . intelligentciso . com