Abstract
Following the Schrems II decision of the Court of Justice of the European Union (CJEU) invalidating the EU-US Privacy Shield, EU data supervisory authorities (DPAs) have developed a “zero risk approach” to the international transfer of personal data under Chapter 5 of the GDPR. This means that companies processing European personal data must eliminate all theoretical risk that foreign governments will be able to access European data. This “zero risk approach” also includes strong data localization. However, it is questionable whether this “zero risk approach” is security-friendly and effective. First of all, European data controllers are often subject to US personal jurisdiction and may face overseas data access (production) requests in the same way as US companies. In addition, foreign intelligence agencies do not necessarily access data through compulsory requests to companies, but rather through direct access by domestic technical means. Even if European data processors avoid being subject to foreign personal jurisdictions such as the United States, they may be at increased risk of being “directly accessed” by foreign intelligence agencies. Therefore, the “zero risk” requirement that Europe demands of CSPs can be seen as pursuing something that is ultimately unattainable. Furthermore, the GDPR is fundamentally based on a “risk-based approach,” which means “an attempt to strike the optimal balance between ultimately conflicting constitutional interests.” Therefore, safeguards for the international transfer of personal data should be evaluated according to the standard of “proportionality,” not “perfection.”
| Translated title of the contribution | A Critical Review of Data Cross-border Transfer Norms Based on Europe’s “Zero Risk Approach” |
|---|---|
| Original language | Korean |
| Pages (from-to) | 161-209 |
| Number of pages | 49 |
| Journal | 성균관법학 |
| Volume | 36 |
| Issue number | 3 |
| State | Published - 2024 |