Taking place at RAI Amsterdam on September 27 and 28, #RISK Amsterdam examines the trends and best practices organisations are employing to navigate today’s rapidly evolving risk landscape.
Cassandra Moons is a Head of Compliance / Data Protection working with TomTom, the global mapmaker and location technology specialist. She is responsible for advising on global data privacy matters that are related to connected cars and location technology services. Besides privacy her focus areas also include product and corporate compliance.
Cassandra will be at #RISK Amsterdam to discuss strengths and weaknesses of the new EU-US data transfer framework.
- Is Adequacy for EU-US Data Transfers Truly Adequate? - Wednesday 27th September, 10:00am - 11:00am (CEST) - Privacy, Security & ESG Theatre
We spoke with Cassandra about her professional journey and for an introduction into the themes on the table at her #RISK Amsterdam session.
Could you outline your career pathway so far?
Let me start by introducing my current role, which I began in late 2018. I currently serve as the Head of Compliance and hold the position of Data Protection Officer. In my current company, TomTom, we specialise in global mapmaking and location technology through various software solutions.
In my current capacity, I focus on three primary areas: privacy compliance, product compliance, and corporate compliance. This entails overseeing a range of global data privacy concerns related to connected cars and location technology services. Additionally, I handle matters connected to our product lifecycle, including sourcing, distribution, and exports.
We also manage corporate compliance mandates, which involve developing and implementing organisational policies. As a lawyer with experience dating back to 2007, I’ve primarily worked as a commercial IT lawyer for various international business units within ING. In between my roles at ING and TomTom, I was a part of the legal team at Coolblue, a company similar to Amazon, specialising in online retail.
Notably, I led the GDPR readiness program, which played a pivotal role in sparking my interest in privacy matters. Beyond my professional experience, I frequently serve as a speaker at various international business conferences and seminars.
Following the replacement of Privacy Shield, have we seen the last of transatlantic data transfer stresses?
The challenge in reaching a concrete agreement lies in the inevitable hurdles posed by privacy activists, such as Max Schrems and his organisation, None Of Your Business (NOYB). Their persistent opposition has the potential to disrupt the delicate balance we’re striving to achieve.
Privacy activists like NOYB have already indicated their intent to challenge the agreement once more. This raises concerns that the European courts might strike it down for the third time, leading to what some might call “Schrems 3”. If that happens, we may find ourselves at an impasse.
Looking back at the history of data privacy frameworks between the EU and the US, which include predecessors like Safe Harbour and Privacy Shield, it’s evident that both European and American authorities have made extensive efforts to address the issues highlighted by the European Court of Justice. These frameworks were designed to facilitate cross-border data transfers from the EU to the US while ensuring compliance with the GDPR.
However, the persistent objection of activists like Max Schrems and NOYB suggests that these efforts might not have been enough. Their viewpoint seemingly calls for fundamental change in the US Constitution, a stance that poses a significant challenge to any resolution.
In essence, if the new data privacy framework faces a valid legal challenge and fails, it would inevitably force us to consider whether the US legal framework, even at the constitutional level, needs an overhaul.
This scenario creates a complex dilemma, as the likelihood of such a fundamental change in the US legal system is exceedingly low. This results in companies and authorities that have to rely on transatlantic data transfers, for economic reasons for instance, eventually still paying the price for a political problem.
The most significant risk in this situation is that we could find ourselves in a deadlock if the new legal challenge gains traction. However, it’s worth noting that significant progress has been made. The US has introduced a new executive order to incorporate pan-European principles of necessity and proportionality into its intelligence practices, addressing a crucial concern raised by European courts.
Furthermore, a new redress mechanism has been implemented on the US side.
These developments played a role in the recent European Commission decision to adopt the EU-US data privacy framework. Nevertheless, uncertainty still lingers, making it a challenging prospect for companies to integrate these changes into their day-to-day operations. We must remain vigilant and wait for further developments, as this issue is far from being resolved conclusively.
In the end, this appears to be a political conundrum that may require a political solution, rather than one that can be readily addressed by companies alone.
What other positive aspects are there within the new EU-US data transfer framework?
The framework itself appears relatively straightforward for companies that were participants in the predecessor of the Privacy Shield to attain certification under the new framework. Although the process is detailed, it shouldn’t pose a significant challenge.
Moreover, European companies can now leverage this data privacy framework for their potential impact assessments. This framework provides a pathway for US regulations, including the new executive order, to meet a level of adequacy and equivalence compared to European standards. This makes it more manageable for European companies involved in cross-border data transfers to the US, whether or not US companies are self-certified.
In essence, it presents a viable solution, simplifying the process for European companies. However, it’s important to note that this framework applies exclusively within the United States. When it comes to cross-border data transfers to numerous Asian countries, uncertainties still linger regarding whether these jurisdictions meet GDPR standards for sending personal data. Consequently, the need for conducting data transfer impact assessments remains a pertinent concern.
What steps should businesses be prepared to take should the framework fall short, in order to reduce risk?
Companies are currently grappling with a critical question: should they place full confidence in the data privacy framework, despite the likelihood of it being contested and potentially jeopardised in the near future?
Alternatively, should they maintain a second alternative, such as standard contractual clauses with supplementary measures, recognising that even these may not suffice for certain types of data transfers? This dilemma remains a pressing concern for many organisations.
Considering the possibility of the new data privacy framework facing legal challenges in the coming years, relying solely on it without a backup plan, like standard contractual clauses with supplementary measures, could leave companies in a precarious position. Some companies may opt to maintain the status quo, as they did during the uncertainty surrounding Schrems 2, without making substantial changes.
It’s imperative for companies to closely monitor these developments and delve into the motivations and rationale behind the EU and US perspectives on the adequacy and robustness of the data privacy framework.
Additionally, conducting a thorough self-assessment tailored to specific suppliers, transfers (whether internal or external), and unique circumstances is vital. This continuous monitoring and alignment of internal practices with external developments are key to maintaining data transfer compliance in an ever-evolving regulatory landscape.
Replacing Privacy Shield has been a long and complicated process, apparently accelerated by the war in Ukraine and several concessions from the negotiators. But with Max Schrems already declaring his intention to challenge the new agreement, will EU and US data controllers ever truly be out of limbo?
This session will examine the new data transfer framework’s strengths and weaknesses, and explore what action businesses can take to prepare if the framework fails.
Also on the panel:
- Joseph Byrne, Principal Solutions Engineer, FIP, CIPP/E, CIPM, CIPT, GRCP
- T.B. (Puma) Smagge, Data Protection Officer, Blauwtrust Groep B.V.
- Akkeroos Kremers, Legal Counsel, Data & Privacy, ESL FACEIT Group
- Graciela van Doornum, Chief Privacy Officer, The Netherlands Authority for Consumers and Markets
- Session: Day 1, Is Adequacy for EU-US Data Transfers Truly Adequate?
- Theatre: Privacy, Security & ESG Theatre
- Time: 10:00am – 11:00am (CEST)
- Date: Wednesday 27 September 2023
#RISK Amsterdam is also available on-demand for global viewing.