One of the things we learnt yesterday is that, according to Max Schrems, the potential new data transfer agreement between the US and the EU is meant to buy time, not to solve the true problem regarding international data transfers from the EU to the US.
Our colleagues Jelmer and Dounia attended the PrivSec Amsterdam event, which brought together speakers from world-renowned companies and industries so that privacy professionals from different fields could share case studies and their experiences. It included keynote speeches, presentations, panel discussions, and enough time to meet up with other privacy professionals.
Topics of yesterday’s program included Google Analytics, the cooperation between data protection and security teams, data retention, consumer trust and transparency, and DPIAs amongst others. Furthermore, Max Schrems provided a presentation on The Future of Online Privacy, GDPR Enforcement and The Battle Against Surveillance.
In his keynote speech, Schrems explained why he believes the new international data transfer agreement would not change anything and is meant to buy time: even though a new Executive Order that includes a proportionality assessment is planned, FISA and the PRISM program would still apply. The best solution in his eyes would be to level data protection in the US by, amongst other things, introducing a federal privacy law.
Furthermore, he warned organizations of the risk of lawsuits by individuals if they continue their data transfers in violation of the GDPR, which could ultimately lead to higher costs than the fines imposed by data protection authorities.
For us, the Schrems keynote was especially interesting, because it confirmed that we should continue helping our clients with all the needed work regarding Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIAs). Chances are that a new standard will again be invalidated, and your organization should be able to fall back on at least a GDPR-compliant TIA in case SCCs are used as an international data transfer mechanism.