Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

The European Union's approach to transborder data flows has long been marked by a principled — and often uncompromising — commitment to high-level protection against risks of foreign governmental access. For years, this commitment has expressed itself most forcefully in the enforcement practices of data protection authorities, which tend to treat any contact with third-country legal systems as carrying intolerable risk. 

Yet developments over the past two years have sharpened longstanding tensions to the point where the very architecture of EU General Data Protection Regulation enforcement now appears to be splitting into two distinct trajectories. On one side, authorities — most prominently Ireland's Data Protection Commission — have intensified an absolutist conception of surveillance risk, exemplified by the long-anticipated TikTok decision and its 530 million euro fine. In that case, the DPC adopted what Théodore Christakis, Director of Research for Europe at the Cross-Border Data Forum, has labeled the "zero-risk fallacy," treating even remote access by staff in China as functionally equivalent to systematic transfers into a high-risk jurisdiction and imposing sweeping suspension orders as a result.

Less visible — but increasingly consequential — is the movement in the opposite direction among national courts, particularly in Germany. These courts are not merely adopting a more operationally realistic or context-sensitive approach; they are also, whether intentionally or not, politicizing GDPR adjudication by acknowledging the geopolitical asymmetries embedded in cross-border data flows.


In a series of decisions from Cologne to Traunstein and now Bonn, judges have distanced themselves from the DPC's abstract, risk-maximizing stance and instead foregrounded the material likelihood of access, the technical constraints of global cloud infrastructure, and — most strikingly in Bonn 13 O 156/24 — the differing weight they assign to conflicts involving U.S. secrecy laws versus those arising in other jurisdictions. 

This introduces a subtle but far-reaching political logic into data-transfer doctrine: the permissibility of withholding access or maintaining transfers may depend not only on the structure and clarity of foreign surveillance law, but also on the EU's strategic alignment with that jurisdiction. The result is a growing divergence in which the administrative and judicial arms of the GDPR increasingly steer toward different understandings of what protection requires — authorities disciplining transfers through a maximalist, sovereignty-sensitive lens, while courts carving out exceptions shaped as much by geopolitical realities as by textual interpretation.

This article builds upon the existing analyses of this divergence and broadens that frame by integrating two major developments from 2025: the DPC's TikTok decision, which represents the most distilled expression of the zero-risk approach to date, and the Bonn Regional Court's judgment, which moves decisively in the opposite direction by rejecting absolutism and openly recognizing the geopolitical dimensions of conflicts between EU and U.S. legal obligations.

The aim is to illuminate the contours of an increasingly bifurcated legal landscape — one in which regulators march leftward toward rigidity, while courts drift rightward toward pragmatism, feasibility, and, at times, geopolitics. 

The DPC's strict interpretative approach and the TikTok fine

The term zero-risk fallacy, developed by Christakis in a 2024 Centre for Information Policy Leadership report, captures a phenomenon that has become increasingly visible in the post–"Schrems II" enforcement landscape. It denotes an interpretive stance in which authorities treat any non-zero possibility of foreign surveillance as sufficient to render a data transfer unlawful, irrespective of its likelihood, its practical feasibility, or the presence of technical and organizational safeguards. This mindset potentially transforms "Schrems II" from a proportionality-driven, context-sensitive judgment into an absolutist regulatory command under which risk is not something to be managed but to be eradicated.

The DPC's 2025 TikTok decision is the most distilled expression of this approach to date. In May 2025, the DPC fined TikTok 530 million euros for systematically allowing European-user data to be accessed remotely by staff in China. It was the first time a transfer to China effected through remote access had been penalized, following earlier large fines against Meta and Uber, and the DPC ordered TikTok to suspend the transfers within six months unless it brought the processing into compliance. TikTok has appealed, and at press time the suspension order is formally stayed. TikTok's subsequent disclosure that certain EU-resident data had in fact been stored in China collapsed the DPC's remote-access analytical framework and compelled the regulator to open a new investigation into the legality of that storage.

The DPC proceeds on the basis that because remote access by engineers in China is possible, it must be treated as a third-country transfer — even when the data is stored and processed in Europe, when the company has invested heavily in localizing infrastructure (Project Clover), and when the risk of access is said to be remote. While the Court of Justice of the European Union took a fairly strict approach to risk mitigation in "Schrems II," it left some breathing space for international businesses to manage risk through a combination of technical and organizational measures.

The DPC's analysis thus rendered most supplementary measures irrelevant: because the measures, however comprehensive and multi-faceted, did not prevent (that is, absolutely eliminate) the hypothetical possibility of future access, they were treated as legally insignificant.

The DPC noted, "While the supplementary measures implemented by TikTok Ireland were reflective of a general level of security to prevent unauthorised access to the personal data processed in China by means of the Remote Access Solution, the DPC finds that those measures cannot act to prevent access supported by problematic laws."

The DPC's reasoning also signals a further doctrinal consolidation: it rejects the use of Article 49 derogations for transfers that are continuous or scalable, a point the German courts read quite differently. As the next part shows, German courts have begun charting a very different path, one that explicitly rejects the zero-risk approach and embraces a kind of operational pragmatism unimaginable within the DPC's framework.

German courts and the rise of operational pragmatism

While data protection authorities have embraced a strict, nearly absolute reading of Chapter V, several German courts have moved in a markedly different direction. Since 2023, a distinct jurisprudential trajectory has emerged, anchored in contextualized risk assessment, operational necessity and an increasingly explicit departure from the interpretations favored by DPAs.

German courts' early engagement with international data transfers did not begin with pragmatism but with a striking instance of doctrinal maximalism. The Wiesbaden Administrative Court's Cookiebot ruling (6th Chamber, 6 L 738/21.WI) held that the mere use of a U.S.-based consent management platform to collect personal data constituted an unlawful transfer under GDPR Article 44, even without evidence of actual cross-border transmission.

This was an expansive, risk-averse reading that effectively treated the location of the provider — rather than any demonstrated movement of data — as sufficient to trigger Chapter V. Yet its influence was short-lived. The Higher Administrative Court in Kassel swiftly overturned the ruling, not by endorsing Cookiebot's legality, but on strictly procedural grounds: the lower court lacked jurisdiction and had, in any event, intervened through urgent provisional measures. That reversal left the substantive question untouched, and it signaled that later German courts would approach transfer questions with far more nuance than this early outlier.

The Cologne Regional Court's 2023 judgment on Google Analytics marked an early departure from DPA orthodoxy. Rather than treating the mere involvement of a U.S.-based service provider as dispositive, the court focused on the concrete configuration of the analytics tools, the design of the consent interfaces, and the proportionality of the processing. It required actual evidence of infringement and meaningful analysis of the technical safeguards. The decision was faithful to "Schrems II" and declined to follow the absolutist path taken by the Wiesbaden court.

The more pronounced shift came with the Regional Court of Traunstein's 2024 judgment (9 O 173/24). Anonymized in the German manner but widely understood to concern a major global platform, the decision marked a sharp doctrinal turn away from the zero-risk logic that had dominated GDPR enforcement.

Rather than accepting that any hypothetical access by U.S. intelligence services necessarily rendered a transfer unlawful, the court insisted that risk must be assessed concretely, contextually, and with evidence. It stressed the GDPR does not demand a guarantee against all third-country access, and it rejected the idea — central to several post-"Schrems II" enforcement theories — that mere U.S. jurisdiction over a provider automatically converts processing into an unlawful transfer. 

The court highlighted the operational realities of global platforms, recognizing that technical architectures often require distributed data processing and that such necessities cannot be treated as per se violations. Crucially, it held that when an EU adequacy decision is in place, national courts cannot re-adjudicate the underlying geopolitical or intelligence-law assessments and must instead apply the decision unless manifestly invalid.

The 2025 judgment of the Bonn Regional Court marks a significant doctrinal turn in the emerging German case law on trans-Atlantic data governance. Unlike the Traunstein court, the Bonn court squarely confronted the interaction between the right of access under GDPR Article 15 and foreign secrecy obligations. It framed the dispute not as one of statutory restriction under GDPR Article 23, but as a case of unauflösbare Pflichtenkollision, a genuine and irreconcilable conflict of legal duties.

It accepted that the controller was simultaneously subject to a positive obligation to provide access information to the data subject and to a directly conflicting prohibition under U.S. national-security law that criminalized disclosure of precisely the same material. Where compliance with one obligation would necessarily entail breach of the other, the court held that the controller's refusal to disclose was legally excusable.

Crucially, the court did not hold that FISA 702 or U.S. secrecy law automatically extinguishes the right of access, nor did it treat the U.S. statutory framework as a substantive counter-norm capable of displacing Article 15 as such. Instead, it adopted a narrow, fact-sensitive approach. The conflict was excusable only because the controller provided a credible and sufficiently granular account of the specific secrecy obligations to which it was subject; the information sought — detailed internal access logs — was plausibly covered by those prohibitions; and no technical or organizational workaround existed that would have enabled partial, delayed, or anonymized disclosure without violating foreign law.

This reasoning is more nuanced than a categorical restriction of access rights, as it avoids implying that any third-country secrecy regime automatically justifies nondisclosure. At the same time, it is more controversial. By elevating legal impossibility arising from foreign law to a ground for excusing compliance with Article 15, the judgment risks rendering the right of access practically ineffective in precisely those contexts — such as FISA 702-type regimes — where transparency concerns are most acute.

Yet Bonn is clear that this logic is not symmetrical. It expressly resisted the idea that all foreign secrecy laws — particularly those from authoritarian jurisdictions — would generate an equivalent conflict-of-duties scenario; instead, it stressed the need to examine the specific statutory structure, the credibility of the controller's evidence, and the actual risk of criminal sanctions. The decision thus carves out a pragmatic but uneven doctrinal space, one that insulates U.S. secrecy obligations from GDPR enforcement in a way that is not automatically extended to other regimes.

Toleration for allies only and the geopolitics of data transfers

Surprisingly, the Bonn judgment goes further than its predecessors not only through doctrinal innovation but also by inserting a jarringly direct and unusual commentary on the geopolitical character of the U.S. In paragraph 40, the court makes an unusually polemical statement:

"However, all this does not change the fact that the USA is — still — an allied state of Germany and, despite the clearly anti-democratic, anti-constitutional, autocratic, and even fascist tendencies of the current US government, and despite the significant deficits in the protection of civil liberties, particularly data protection rights, is — still — to be regarded as a constitutional democracy. Thus, a US company that conducts fundamentally legal business with citizens in Europe must be allowed to comply with US law, and this must be tolerated in Germany — in individual cases — even if this restricts citizens' data protection rights to a certain extent." (machine translated)

Although the court disclaims any authority to evaluate the validity of the EU's adequacy decision for the U.S., it cannot resist offering a politically laden assessment of the U.S. legal environment. The conclusion of this commentary is simply that because the U.S. remains an ally, its political and legal defects must be tolerated to some extent for purposes of data transfers. To reiterate, the court's logic appears to create, even if unintentionally, a geopolitically tiered approach to transfers: one standard for allies and another for non-allies. 

These developments expose a tension that is no longer merely about doctrinal technique; they reveal, with unusual clarity, the geopolitical scaffolding that has always undergirded EU data-transfer governance. The political economy of cross-border data flows, long implicit in regulatory practice, now surfaces explicitly in judicial reasoning. German courts are not alone in making this visible. As Karen Mc Cullagh, Associate Professor at the University of East Anglia School of Law, argues in a recent paper, the European Commission's adequacy assessments routinely display selective and strategically inflected applications of the GDPR's equivalence criteria. Notably, Mc Cullagh frames this diagnosis in largely doctrinal terms, emphasizing inconsistency, selectivity, and analytical slippage rather than explicitly foregrounding their geopolitical implications. States with strong trade relationships or diplomatic significance to the Union are more likely to receive favorable adequacy findings, even where their surveillance regimes diverge sharply from EU fundamental-rights standards. By situating trade leverage at the center of the adequacy process, Mc Cullagh provides the missing macro-institutional context for the courts' more granular maneuvers: what appears, at the judicial level, as doctrinal accommodation or excusable conflict emerges, at the regulatory level, as a structurally embedded willingness to subordinate rights-based equivalence to geopolitical and commercial imperatives.

The Bonn judgment thus forces an unavoidable question: if transborder data governance is increasingly mediated by geopolitical preference, what remains of the GDPR's promise of universalist, principle-based protection? Bonn's conflict-of-duties approach is framed as formally neutral, but it functions asymmetrically. If an irreconcilable legal conflict justifies nondisclosure for U.S. providers bound by Section 702 of the U.S. Foreign Intelligence Surveillance Act, could the same reasoning apply to China, India, Brazil or Turkey, where domestic secrecy laws also criminalize certain disclosures? Bonn implicitly suggests not — all conflicts are not equal — but that asymmetry risks entrenching a two-tier global data regime in which the permissibility of transfers turns less on the substantive protections of foreign law than on the EU's political alignment with the jurisdiction in question.

If these trajectories continue, companies will face a regulatory environment in which Chapter V is interpreted divergently by supervisory authorities, domestic courts, and EU institutions, producing contradictory expectations and uneven compliance burdens. The question, then, is whether the CJEU will step in. "Schrems I" and "Schrems II" articulate a principled, rights-intensive approach, yet they leave room for more contextual, risk-sensitive calibration. Recent jurisprudence, most notably EDPB v SRB, suggests a subtle move away from an absolutist conceptualization of risk and toward a recognition that proportionality and operational reality have a legitimate place in EU data-protection doctrine. But until the CJEU confronts the tensions crystallized in cases like TikTok, Meta, and Uber, uncertainty will predominate.

As these tensions intensify, the EU must confront whether it intends its global data strategy to be guided by strict doctrinal principle, by infrastructural and operational feasibility, or by geopolitical alignment. At present, the answer appears to be all three, though not always consistently or coherently. Companies operating transnationally face an uncertain landscape in which risk is assessed differently by regulators and courts, and in which political considerations may implicitly determine the permissibility of transfers.

If the EU is to establish a stable, credible, rights-respecting and geopolitically aware data transfer framework, it must reconcile these competing instincts. The alternative is a regime in which, as of 2025, authorities and courts continue to move left and right, navigating the same crossroads but heading toward very different destinations.

Wenlong Li is a research professor at Guanghua School of Law, Zhejiang University.