BRUSSELS: Companies hoping the EU and the new U.S. administration will soon strike a new transatlantic data transfer pact to replace one struck down by a court will probably have to wait months for any result, the head of the EU privacy watchdog said on Friday.
Washington and Brussels have in recent years seen their data transfer accords, one known as the Safe Harbour and its successor the Privacy Shield, rejected by Europe’s top court because of concerns about U.S. surveillance.
Both pacts were challenged in a long-running dispute between Facebook and Austrian privacy activist Max Schrems, who has campaigned about the risk of U.S. intelligence agencies accessing data on Europeans.
More than 5,000 companies had signed up to the Privacy Shield, set up in 2016, when the Luxembourg-based EU Court of Justice (CJEU) scrapped it in July this year, disrupting their businesses and exposing them to the risk of privacy lawsuits.
“I don’t expect a new solution instead of Privacy Shield in the space of weeks, and probably not even months, and so we have to be ready that the system without a Privacy Shield like solution will last for a while,” European Data Protection Supervisor (EDPS) Wojciech Wiewiorowski told Reuters.
He said one reason for the delay is that the new Joe Biden administration, which will take up office in January, may have different priorities.
“If you ask me what will be the attitude of the new administration towards the possible changes in American law on national security … that is first of all a question of our American friends and I don’t know if the Biden administration will take this topic as the most important,” Wiewiorowski said.
The European Union is also trying to devise different ways to manage its data transfers with the rest of the world after the CJEU said privacy watchdogs must halt or prohibit transfers outside the EU if other countries cannot assure that the data will be protected.
To that end, Wiewiorowski gave a thumbs up to the European Commission’s proposed revisions to data transfer tools known as standard contractual clauses, used by thousands of companies to transfer data around the world for services ranging from cloud infrastructure, data hosting, payroll and finance to marketing.
“The proposed standard contractual clauses look very promising and they are already introducing many thoughts given by the data protection authorities,” he said.
Separately, Wiewiorowski said concerns about the Irish data protection agency’s lengthy investigations into U.S. tech giants such as Facebook, Twitter, Apple and Alphabet unit Google, with no decisions to date, were justified but defended the drawn-out proceedings.
“Of course it is a concern. That is a concern but not a tragedy,” he said.
“One of the worst things which may happen is if they lose two, three first cases, because they didn’t do the due process of going through the complaint. That would be a disaster because it would actually undermine the position of the supervisory authority,” he said.