Authorities to the left, German courts to the right: The politics and law of transborder data transfers in the EU

The European Union's approach to transborder data flows has long been marked by a principled — and often uncompromising — commitment to high-level protection against risks of foreign governmental access. For years, this commitment has expressed itself most forcefully in the enforcement practices of data protection authorities, which tend to treat any contact with third-country legal systems as carrying intolerable risk. 

Yet developments over the past two years have sharpened longstanding tensions to the point where the very architecture of EU General Data Protection Regulation enforcement now appears to be splitting into two distinct trajectories. On one side, authorities — most prominently Ireland's Data Protection Commission — have intensified an absolutist conception of surveillance risk, exemplified by the long-anticipated TikTok decision resulting in a 530 million euro fine. In that case, the DPC adopted what the Cross-Border Data Forum, Director of Research for Europe, Théodore Christakis has labeled the "zero-risk fallacy," treating even remote access by staff in China as functionally equivalent to systematic transfers into a high-risk jurisdiction and imposing sweeping suspension orders as a result.

Less visible — but increasingly consequential — is the movement in the opposite direction among national courts, particularly in Germany. These courts are not merely adopting a more operationally realistic or context-sensitive approach; they are also, whether intentionally or not, politicizing GDPR adjudication by acknowledging the geopolitical asymmetries embedded in cross-border data flows.