Don't expect 'revolution' in Biden's approach to EU data-transfer talks, EDPS says

The EU shouldn’t expect any “revolutionary” changes to how a new US administration approaches talks on trans-Atlantic data transfers, the European Data Protection Supervisor has told MLex, after an EU court struck down the previous accord in July.

“From 2001 until today we have had different administrations in the White House and we're talking about a system which is evolving. There are no revolutionary changes. There is an evolution,” Wojciech Wiewiórowski, the data-protection authority for the EU bodies and agencies, said in an interview.

Wiewiórowski was referring to the Safe Harbor agreement, the first EU-US data-transfer deal, which the EU Court of Justice annulled in 2015 following a challenge by Max Schrems, an Austrian data-privacy advocate.

The EU and the US then negotiated a new agreement, known as the Privacy Shield, but the EU's top court annulled that deal in July this year, arguing that US intelligence surveillance oversight is “not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.”

The EU and US negotiators have started “technical talks” on a new agreement on international data transfers. They are trying to determine how to meet the court’s complaints about intelligence agencies’ collection of data and how to bolster a redress mechanism that was set up in the Privacy Shield to give Europeans the ability to complain if they thought their data was being inappropriately handled by intelligence services.

Wiewiórowski downplayed any major changes to the US approach to surveillance law under President-elect Joe Biden’s administration.

When asked whether the Biden administration will take a different approach to its predecessor, Wiewiórowski said, “It's not for me to assess that … Everything is up to the new administration, and the new administration will have to decide."

“If you look at the previous agreements, they've been taken by different administrations and held on to by different administrations,” he said. “I don't think that a change of president has changed too much in this subject.”

Some EU officials have expressed hope that the US will change its surveillance rules to ensure that Europeans will have redress in US courts and thus abide by the EU’s court’s ruling.

Miapetra Kumpula-Natri, a Finnish Socialist member of the European Parliament, hopes the Biden administration will make the necessary adjustments to unblock trans-Atlantic data transfers.

"I strongly hope that the … Biden administration, if soon confirmed, will make necessary adjustments to privacy" so that the issue won't "jeopardize the good start we have had with the partner across the Atlantic," she said.

But US officials have been less sanguine.

Alex Greenstein, director of the Privacy Shield team at the US Department of Commerce, said in September that addressing the court’s concerns about protecting Europeans’ personal data may not have to involve "wholesale" changes to US national security laws — something which he said would be likely to face resistance from any US administration.

Wiewiórowski told MLex that he would “love” a better atmosphere for negotiators in the next year, “but I don't know if anyone can tell us if just a change of the president makes a big change in the American approach to national security.”

— California dreaming? —

Under the EU’s General Data Protection Regulation, data can only be transferred to countries that provide “adequate” protection of EU citizens’ privacy rights.

The European Commission currently has 12 adequacy decisions — some with countries such as Canada and New Zealand — but also several with smaller dependencies such as Jersey and the Isle of Man, as the GDPR allows the commission to reach an adequacy decision for a region of a country.

Following the US’s loss of its adequacy status in July, San Francisco real-estate developer Alastair Mactaggart said California could be eligible to apply for an adequacy decision under the GDPR if voters approved new privacy rules for businesses. On Nov. 3, they did.

But Wiewiórowski said it’s not likely that California will apply for an adequacy decision.

“I don't believe that we will see any kind of adequacy decision which is directed to several states of the US,” he said. “I simply don't think they will ever apply for adequacy. Do you think that California will ever start to negotiate the agreement like that with the EU? I have big doubts whether it's possible according to American law."

But he said he’s very pleased that US states such as California and Washington are taking privacy seriously.

When asked whether the US should adopt national-data protection legislation, he said that it’s not for the EDPS to “advise or propose” laws for a foreign jurisdiction. But he stressed that the US doesn’t need to have the same data-protection laws as in the EU to provide adequate protection under GDPR.