A July decision by the Regional Court of Traunstein in Germany shows a more flexible approach to data transfers from the EU to the U.S. than has been taken by European data protection authorities. This decision contains several important findings and reflects a risk-based approach to Chapter V of the EU General Data Protection Regulation, which governs transfers of personal data to third countries. Importantly, the approach adopted by the Traunstein court contrasts with the "zero-risk" approach to data transfers adopted by DPAs since the Court of Justice of the European Union's "Schrems II" decision in 2020.
We briefly discuss the EU DPAs' "zero-risk" approach to data transfers before analyzing the findings of the Regional Court of Traunstein. A more detailed version of this article highlights that the Traunstein decision appears to be the latest judicial decision by an EU member state court to adopt a more flexible approach toward the interpretation of Chapter V of the GDPR.
The EU DPAs' "zero-risk" approach to data transfers
Since the "Schrems II" decision, European privacy regulators have adopted what has been described as a "zero-risk" approach to the enforcement of data transfers. DPAs have been asking companies transferring personal data outside the EU to "eliminate" all risks of access to such data by the intelligence and law enforcement agencies of foreign countries whose legal systems have not been deemed to include data protection legal safeguards that are essentially equivalent to those mandated by EU law.
As a result, DPAs have interpreted Chapter V of the GDPR as imposing a quasi-prohibition on the transfer of personal data in a readable format to countries that do not meet the European Data Protection Board's European Essential Guarantees requirements, in any case where there is even a theoretical risk of access by intelligence or law enforcement authorities. Simultaneously, DPAs have urged EU-based companies to refrain from utilizing service providers that localize data in the European Economic Area but may be subject to foreign laws.
This approach led to a ramp-up of enforcement actions by EU privacy regulators against U.S. companies, including large fines against Meta and Uber. DPAs have also used this "zero-risk" approach for enforcement against European entities that relied on U.S. companies for digital services. After "Schrems II," consumer-rights organization None of Your Business filed 101 complaints against the use of Google Analytics and Facebook Connect integrations on the webpages of EU controllers.
The companies defended themselves by explaining the low risk that the website measurement analytics data these technologies generated would be requested by the U.S. government. For instance, Google stated it received zero "requests for such data in the 15 years in which Google Analytics has been offered."
Nonetheless, European DPAs focused on the purely theoretical risk of access, i.e., even if Google never once received a request for Google Analytics data from a U.S. agency, at least in theory, it could receive such a request in the future. DPAs reached more than 12 decisions condemning such companies for the use of Google Analytics or other services involving data transfers to the U.S.
The Traunstein decision
The new Traunstein court decision is a final judgment issued in June 2024 by a trial court but published in August, after the deadline for appeal expired. In the case, a German plaintiff sued a social media network, which the text of the decision suggests was Meta. The plaintiff challenged the network's transfers of its users' data to servers in the U.S., alleging the transfers were unlawful both before and after the 2023 adequacy decision based on the EU-U.S. Data Privacy Framework. The court rejected the plaintiff's claims and dismissed his lawsuit.
Here's a summary of the court's more salient points.
The inevitability and lawfulness of transfers of content published by a user in a worldwide social network
The court rejected the plaintiff's argument that the social media network should not transfer the content he published on his account to the U.S., because there was a risk of access by U.S. intelligence services. Instead, it found "if the social network is designed as a global platform, data must inevitably be exchanged internationally in order to maintain the global network." It also stated "searching for users in other jurisdictions can only work if there is a cross-border exchange of data" and "all of this is readily known by every (Meta) user," including the plaintiff.
In a recent study titled "The Zero Risk Fallacy," one of the authors argued DPAs should "recognize that Chapter V does not mandate degrading essential digital services in the EU." Instead, "DPAs should acknowledge that a proportionate approach to Chapter V does not preclude data transfers initiated and sought by individuals themselves," which are necessary for a global social network to function and indispensable to permit the exercise of other rights proclaimed by the EU Charter of Fundamental Rights, such as freedom of expression and information.
The Traunstein decision acknowledges this important issue and adopts a pragmatic approach based on the reality of how global social networks function.
The mere existence of a generalized, undefined risk arising from U.S. foreign intelligence programs is not sufficient to make transfers unlawful
The court rejected the plaintiff's contention that Meta allegedly acted unlawfully because it "makes its entire database freely available to the U.S. foreign intelligence service without any preconditions." The court held that the plaintiff failed to show evidence of Meta making its "entire database" available to U.S. agencies, but at the same time, the court did not address the existence of U.S. foreign intelligence programs that could theoretically request access to the plaintiff's data.
Thus, the court at least implicitly acknowledged the mere existence of U.S. foreign intelligence programs — and the generalized, undefined risk to data they may create — was not sufficient to consider transfers of content published by a user in a worldwide social network unlawful.
Consumers do not have a default expectation that data should be stored in the EU
The court next rejected the plaintiff's argument that Meta had an obligation to store European users' data in Europe. Instead, the location of data storage is a "business" or "operational" decision, which the court suggested was within the discretion of the company holding the data. Here, since Meta elected to store data in the U.S., its business decision was "to be accepted by the users," particularly since users are not compelled to use the platform.
The Data Privacy Framework's redress mechanism, even if based on executive order, is based on a "law" and is thus adequate
The court rejected the plaintiff's contention that the EU-U.S. Data Privacy Framework is insufficient because it is implemented by a U.S. executive order rather than a statute. It stated, "an (executive) regulation is also a law in the substantive sense. It is not clear why this cannot provide equivalent legal protection." The authors of this article have written in detail about why this conclusion is correct in a European Law article and an IAPP article, and the EDPB has agreed.
Conclusion
The Traunstein decision is the latest in a series of EU member state court decisions that have cast doubt on the "zero-risk" approach. Instead, these courts have favored a more flexible interpretation of GDPR Chapter V based on a series of considerations, including the nature of the data, the protections in place, the severity of the risk and the likelihood of unauthorized access to European data by the authorities of nonadequate countries.
The Traunstein decision shows awareness that DPAs in Europe have expressed different opinions on many of these aspects. Nonetheless, the court noted, "insofar as (DPAs) hold differing opinions, these are not binding on the court."
This case is a reminder that the ultimate decisions on issues related to Chapter V of the GDPR are made not by DPAs but by judicial bodies. To date, several member state court decisions have not followed the "zero-risk" approach requested by the plaintiffs in different kinds of cases. Ultimately, the CJEU may well become the final arbiter between the "zero-risk" and the risk-based approaches to GDPR Chapter V.
_____
Theodore Christakis is a professor of law at the University Grenoble Alpes in France and director of research for Europe with the Cross-Border Data Forum.
Daniel Felz, CIPP/E, is a partner at Alston & Bird and was previously a lecturer in law at the University of Mainz School of Law in Germany.
Peter Swire, CIPP/US, is the J.Z. Liang Chair at the Georgia Tech School of Cybersecurity and Privacy and research director with the Cross-Border Data Forum.