International data transfers top of the agenda for the 48th EDPS - DPO meeting


The EDPS and the network of DPOs of the EU institutions held its 48th meeting on 11 December 2020. Our second online meeting since the outbreak of the COVID-19 pandemic coincided with the second anniversary of the EUDPR and focussed on the issue of international data transfers further to the “Schrems II” Judgement.

In this landmark decision, the CJEU has defined clear roles and responsibilities for all, including supervisory authorities such as the EDPS. Therefore, colleagues from the Supervision and Enforcement Unit (S&E) presented the EDPS Strategy for EUIs to comply with the “Schrems II” ruling. This strategy follows closely the EDPB’s guidance in this regard.

As the first step of this compliance strategy, the EDPS ordered EUIs to provide information on certain categories of international transfers on 5 October 2020. I am happy to report that this EDPS order was complied with in a diligently and timely manner, showing that the majority of EUIs recognised the importance of this exercise.

The meeting with the DPO network was therefore a great opportunity to collect feedback from DPOs and to address in detail some technical issues (e.g. the practical consequences for existing and new contracts, how to conduct Transfer Impact Assessments (TIAs), or the margin of manoeuvre with regard to the use of derogations or supplementary measures). 

We are fully aware of the fact that the implementation of the “Schrems II” Judgment presents some serious challenges for EU institutions. As Head of Administration of the EDPS, I am particularly aware of this as I also responded to the order by the Supervisor with the assistance of the DPO of the EDPS.

My colleagues from the Supervision and Enforcement team (S&E) are currently analysing the responses received. This will take some time and even though everybody is eager to see the results, it would not be wise to jump to any conclusions too early. Meanwhile, to facilitate the process, the EDPS is committed to issue guidance shortly on how to carry out Transfer Impact Assessments (TIAs). This is an important step to identify whether an essentially equivalent level of protection is available in the third country of destination and, where appropriate, identify effective supplementary measures, in compliance with the EDPB Recommendations.

Beyond the technical complexity of this exercise, and irrespective of any political considerations which have very little to do with the tasks and responsibilities of the EDPS, our Supervisor, Wojciech Wiewiorowski, shared with the DPO community his deep belief that this strategy of compliance is a joint venture between the EDPS and data controllers in the EU institutions. The role of all DPOs is vital to identify smart and pragmatic compliance solutions.

Moving on to the second part of the meeting, a session on “Technology, Privacy in 2020 and beyond - a futuristic retrospective”, provided DPOs with a review of the tech challenges impacting the protection of personal data and privacy, as well as an overview of what 2021 may bring in this area. I found this second part of the meeting not only refreshing but also very relevant as EU institutions, including the EDPS, are currently embarking on an accelerated process of modernisation, which presents some challenges from a data protection viewpoint but it is also full of exciting opportunities. We should never forget that data protection is about protecting and empowering people, not about creating unnecessary obstacles to legitimatise modernisation attempts.    

As Director of the EDPS, I must abide by the highest standards of data protection and accountability, drawing on my own experience as a senior manager but also on the feedback and loyal cooperation from other EU institutions and service providers. The contracts and service level agreements concluded with them are necessary for our small organisation to be able to fulfil its tasks.

In this regard, I salute the continued cooperation between the EDPS and the DPOs of the 68 EU institutions and bodies and I look forward to meeting them in person as well as many of the readers of this blogpost with whom I have had the privilege to work or exchange views in the past.

Happy Christmas and all the best for 2021 and please remember to #SSS: StayStrong&Safe.