EU-US data transfer clarity may take several months, warns head of EDPB

European Data Protection Supervisor (EDPS) Wojciech Wiewiorowski says he does not expect a new solution to the Privacy Shield problem for several months, as the Biden administration grapples with other priority issues.

The head of the EDPS told Reuters said he is doubtful that EU businesses will receive clarity in the coming weeks and months over the uncertainty around EU-US data transfers. This in part due to the Biden administration having other issues to prioritise first.

“I don’t expect a new solution instead of Privacy Shield in the space of weeks, and probably not even months, and so we have to be ready that the system without a Privacy Shield like solution will last for a while,” European Data Protection Supervisor (EDPS) Wojciech Wiewiorowski told Reuters.

“If you ask me what will be the attitude of the new administration towards the possible changes in American law on national security …that is first of all a question of our American friends and I don’t know if the Biden administration will take this topic as the most important,” Wiewiorowski said.

Austrian lawyer and privacy activist Max Schrems took Facebook to court on two occasions over the misuse of his personal data by the tech giant through the lawful transference of his data with US law enforcement agencies enabled by US surveillance laws, which Schrems contended, violated his fundamental European right to privacy.

As a result of both hearings, two fundamental mechanisms for transatlantic data sharing have been made redundant by the CJEU – Safe Harbor in 2015 and the Privacy Shield earlier this year. EU businesses doing business with the US were now expected to rely on standard contractual clauses – but only insofar as the data transfer did not clash with EU and US law.

As a result of the Schrems II ruling, EU companies and the EDPB have therefore been expected to understand how to interpret the Court of Justice’s judgement that companies may have to use “supplementary measures” alongside SCCs.

In his keynote session at last week’s PrivSec Global event, Wiewiorowski said in relation to the nebulous guidance from the Court on “supplementary measures”, that the EDPS as well as the EDPB, including the other data protection authorities have presented a joint recommendation in order to access the ‘what’ and ‘how’ questions surrounding “supplementary measures.” He adds that the publication of this document is currently under consultation but is expected to be published before the 15 January 2021.

“I hope that we will be able in 2021 to answer the questions that were set by the court but also which are set by business and which are set by the organisations and entities for whom the transfer of data between jurisdictions is their main way of doing work and made part of their business model,” he tells PrivSec Global.

 


The largest data protection, privacy and security event of 2020, now available on-demand!

Featuring four whole days of keynote sessions, panel debates, and an opportunity to network and chew over all things data-related through discussions in public boards and virtual booths, PrivSec Global is now available to watch on-demand.

You can access the content from all four days, by registering for access to our PrivSec Global platform below.

Learn More and Register

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.