Abstract:The General Data Protection Regulation contains a blanket prohibition on the transfer of personal data outside of the European Economic Area unless strict requirements are met. The rationale for this provision is to protect personal data and data subject rights by restricting data transfers to countries that may not have the same level of protection as the EEA. However, the ubiquitous and permeable character of new technologies such as cloud computing, and the increased inter connectivity between societies, has made international data transfers the norm and not the exception. The Schrems II case and subsequent regulatory developments have further raised the bar for companies to comply with complex and, often, opaque rules. Many firms are, therefore, pursuing technology-based solutions in order to mitigate this new legal risk. These emerging technological alternatives reduce the need for open-ended cross-border transfers and the practical challenges and legal risk that such transfers create after Schrems. This article examines one such alternative, namely a user-held data model. This approach takes advantage of personal data clouds that allows data subjects to store their data locally and in a more decentralised manner, thus decreasing the need for cross-border transfers and offering end-users the possibility of greater control over their data.

What problem does this paper attempt to address?

### The Problem the Paper Attempts to Solve This paper aims to explore new legal risks in international data transfers and proposes a user-centered data model ("User-Held" Data Model) to address these risks. #### Specific Issues Include: 1. **International Data Transfer Restrictions under GDPR**: - The EU General Data Protection Regulation (GDPR) prohibits the transfer of personal data to countries outside the European Economic Area (EEA) unless strict requirements are met. This regulation aims to protect personal data and the rights of data subjects. However, with the proliferation of new technologies such as cloud computing and the interconnectedness of societies worldwide, international data transfers have become the norm rather than the exception. - New technologies like cloud computing have made large-scale data transfers common, while GDPR regulations have increased the compliance difficulty for businesses and organizations in international data transfers. 2. **Schrems II Case and Its Subsequent Impact**: - The Schrems II case further raised the bar for companies to comply with complex and opaque rules. The court ruled that US law does not provide a level of personal data protection equivalent to that of the EU, leading to the invalidation of the EU-US Privacy Shield agreement. - This ruling triggered a series of new measures by regulatory authorities, such as new Standard Contractual Clauses (SCCs) and recommendations from the European Data Protection Board (EDPB), which further increased the compliance burden for companies. 3. **Need for Technical Solutions**: - Many companies are seeking technology-based solutions to mitigate new legal risks. These technical solutions reduce the need for open cross-border data transfers, thereby lowering operational challenges and legal risks. 4. **User-Held Data Model**: - The paper proposes a "User-Held Data Model" that enables data subjects to store data locally through a "personal data cloud," reducing the need for cross-border transfers. This model not only enhances data security and compliance but also gives users more control over their data. ### Summary The paper focuses on how to manage and mitigate legal risks in international data transfers through technical means (especially the "User-Held Data Model") within the framework of GDPR and other relevant regulations. This not only helps companies better comply with regulations in a globalized context but also enhances the level of privacy protection for users.

The Future of International Data Transfers: Managing Legal Risk with a User-Held Data Model

Governing personal data and trade in digital services

Competing Jurisdictions: Data Privacy Across the Borders

Cross-Border Data Flows, the GDPR, and Data Governance

A vision for global privacy bridges: Technical and legal measures for international data markets

Ownership of User-Held Data: Why Property Law Is the Right Approach

Trade and Cross-Border Data Flows

The new EU-US data protection framework's implications for healthcare

Achieving Personal Data Protection in the European Union

Data Warfare and Creating a Global Legal and Regulatory Landscape: Challenges and Solutions

Transparency, Fairness, Data Protection, Neutrality: Data Management Challenges in the Face of New Regulation

Re-thinking the allocation of roles under the GDPR in the context of cloud computing

A Law and Economics Approach to the New EU Privacy Regulation: Analysing the European General Data Protection Regulation

The European Union general data protection regulation: what it is and what it means

Cross-Border Data Flows and International Law: Navigating Jurisdictional Complexities in the Digital Age

Demystifying Schrems II for the cross-border transfer of clinical research data

Big Tech platforms in health research: Re-purposing big data governance in light of the General Data Protection Regulation’s research exemption

Unravelling cross-country regulatory intricacies of data governance: the relevance of legal insights for digitalization and international business

Standard contractual clauses for cross-border transfers of health data after Schrems II

Data Mobility at the Intersection of Data, Trade Secret Protection and the Mobility of Employees in the Digital Economy

Impossible, unknowable, accountable: Dramas and dilemmas of data law