The Ebb and Flow of Trans-atlantic Data Transfers: It’s the Geopolitics, Stupid! *
The Future of Privacy Forum
The Future of Privacy Forum
In an article for the Future of Privacy Forum (FPF), Lokke Moerel, senior of counsel of Morrison Foerster’s Privacy + Data Security practice, discusses the threats to EU digital sovereignty to help companies better understand the EU digital policy and its disruptive impacts, especially on data transfers.
Frustrations increase as companies work towards Schrems II compliance by executing mitigating measures to ensure U.S. government entities cannot access their data. Yet, EU data protection authorities (DPAs) continue to block their way. The DPAs increasingly adopt an absolutist approach, whereby mitigating measures are disregarded irrespective of the actual risk for data protection after transfer. Industry organizations are frantically advocating for a new EU-U.S. Privacy Shield to continue trans-Atlantic transfers, arguing that EU data protection laws have always been about enabling personal data to flow while protecting the rights and freedoms of individuals. If only we could have a rational discourse to find the right way forward, as the GDPR may well be interpreted in ways that are not in conflict with the information economy.
Data protection experts focus on the merits of the state surveillance aspect of transfers. Emotions run high as criticism of the DPAs on the U.S. state surveillance powers are like the pot calling the kettle black as the state authorities of some of the Member States may well have similar powers (or use these in a similar way). Discussions further focus on the risk-based approach of the GDPR, highlighting the theoretical risks of access after the mitigating measures are implemented. These discussions are no longer on point. Data transfers are by now a geopolitical issue.
Read more in the article.
Practices