March 16, 2021
Written by
Gary LaFever
WSJ Reports European-U.S. Data Agreement Will Not Occur for Years LinkedIn Logo

WSJ Reports European-U.S. Data Agreement Will Not Occur for Years

On 9th March 2021, the Wall Street Journal reported in “Surveillance Concerns Could Hold Up European-U.S. Data Agreement for Years” that EU Justice Commissioner Didier Reynders warned that “negotiations with the U.S. over a new data-transfer agreement could take years rather than months, making it difficult for companies to continue cross-border business without violating privacy rules”.

Since a near-term political solution is unlikely, Anonos is providing a Board Risk Assessment Framework to help companies develop Schrems II risks and mitigation strategies. This two-page document highlights two main risks arising from non-compliance with Schrems II:

  • The risk of Board/Executive Management personal and criminal exposure; and
  • Potential catastrophic disruptions to business operations.

In the broader environment of change stemming from Schrems II, Data Protection Authorities (DPAs) in Germany have begun to undertake enforcement steps. Most notably, DPAs in Hamburg and Berlin, as part of a larger Schrems II Task Force, are conducting random checks on companies to determine compliance. (See Schrems II: DPAs in Germany Begin Compliance Checks - Other Jurisdictions Soon to Follow.)

The Anonos Board Risk Assessment Framework helps to cut through much of the confusion surrounding Schrems II and helps G.C.s, CPOs and DPOs provide their Boards and C-Suites with information on the availability of GDPR Pseudonymisation as an immediately-available solution to establish a defensible position. Companies miss the first and most fundamental step of determining Schrems II’s compliance by not undertaking risk assessment processes. They may be caught unprepared when DPAs inevitably bring enforcement actions in their jurisdictions.

As noted by the Board Risk Assessment Framework, the European Data Protection Board (EDPB) has released guidelines on what is required from a technical perspective to bring an organisation’s data protection process into compliance with Schrems II. Most importantly, the EDPB recommends the implementation of GDPR Pseudonymisation for protecting data in use. Before Schrems II, many companies were only familiar with using encryption and other techniques to protect data in transit and data at rest. EDPB recommendations and the Schrems II ruling highlight additional requirements to protect data when it is in use.

The Board Risk Assessment Framework is now available to view and download at

How to Brief Your Board To Avoid Disruption Under Schrems II

Other Resources:

Join the Schrems II Linkedin Group with over 4,800 of your colleagues:

Are you Schrems II Compliant Quiz (in 2 questions):

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.