Lynn Goldstein, Senior Foundation Strategist at the Information Accountability Foundation, thinks not.

Max Schrems' "None Of Your Business" organisation (NOYB) recently reported on the Austrian DPA's second ruling on the legality of Google Analytics' data transfers to third countries. This comes as part of 101 claims brought by NOYB in respect of Google's collection of individuals' data in the course of their internet browsing on websites utilising Google Analytics' services (IP address and cookies at a minimum), which could be linked back to that individual through their Google accounts. 

Data protection authorities across the EU have been considering the legality of transfers of such personal data to the US, and it's safe to say that Google has been taking a hit with the decisions generally finding against them. However, there has been some speculation amongst data privacy lawyers that a risk-based approach to international data transfers may be the antidote to the potential that these rulings have to grind international business's data sharing practices to a complete halt - particularly in the context of Schrems II invalidating the EU-US's privacy shield (which was arguably NOYB's most impactful achievement to date).    

The Austrian DPA's ruling considers whether the EU GDPR allows for a risk-based approach to international data transfers (i.e. under Article 44), whereby a Controller might balance the risk to the rights and freedoms of the individuals against the likelihood and severity of those risks and the nature and purpose of the processing taking place. It has found that Article 44 does not allow for this, but Lynn Goldstein considers this to be an erroneous decision and her reasoning is compelling. 

It will be interesting to see how other data protection authorities tackle this question, and the approach the UK decides to take as its own data privacy regime starts to diverge from the EU model.