Data protection and the US - US clouds and tools. How do I handle the data transfer to third countries?
When data protection is discussed in Germany, or indeed anywhere in the EU, the topic is always linked to the USA. Sometimes the questionable practices of the American intelligence services are in the foreground, sometimes the appetite for data of technology companies such as Google, Amazon or Microsoft. The latter at least seemed to be restrained to an acceptable level by the Safe Harbor agreement and later by the Privacy Shield agreement.
Then came the ECJ's Schrems I and Schrems II rulings: with these two landmark judgments the court first declared the Safe Harbor agreement invalid (2015, under the then Data Protection Directive) and then its successor Privacy Shield (2020, under the GDPR). According to the ECJ, the far-reaching access of the US intelligence services to foreign users' data makes it impossible for American companies to guarantee a level of protection essentially equivalent to European data protection standards. International negotiations aimed at a new data transfer agreement have so far not produced one. In the meantime, attention has turned to the so-called standard contractual clauses (SCCs): model contract clauses adopted by the European Commission that are intended to protect the data of European users on American servers through contractual obligations, supplemented where necessary by additional technical and organisational measures. The ECJ did not declare this instrument unlawful, but it did cast doubt on it: the data exporter must check in each individual case whether the clauses can actually be honoured in the destination country, and even the most comprehensive contract clauses are of no use if American intelligence services want the data, since a contract cannot bind the authorities of a third country.
Study reveals problems
So much for the legal side of the problem. It has been a long road to this point, but for the moment at least there seems to be a workable solution.
Unfortunately, practice is not that simple: there is a multitude of rules to observe, so many that a quick search on the Internet followed by downloading and filling out a few documents and templates is no longer enough to comply with the law. More is required than that customers have signed a consent form and read a supposedly complete privacy policy, especially when countries outside the EU (such as the USA) are involved.
A recent study by the Center for European Politics (cep) shows how difficult it is to meet the requirements: in her 70-page analysis, the author Anja Hoffmann concludes that numerous companies are still violating the GDPR's provisions on data transfers to third countries. Unsurprisingly, the country most involved is the United States. The adequacy agreements may have fallen and the legal situation may be complicated, but that does not change the needs of the economy. The big tech corporations and their tools remain unrivalled, and it is not easy to find an alternative. Cloud services such as Amazon AWS or Microsoft Azure prove particularly problematic. So what options remain for companies to offer their services lawfully and efficiently?
In-house data centers are not a solution
The classic answer to this question is your own server: from a single server in the office to gigantic, purpose-built data centers, there seem to be solutions for small and large companies alike. But there are drawbacks, for example comparatively high costs and complex maintenance. Without the redundancy a hyperscaler can afford, in-house systems are also more susceptible to outages and therefore less reliable, not to mention the effort of running them day to day. How serious these disadvantages are is shown by the fact that Deutsche Bahn recently announced that it would give up its own data centers and switch completely to US cloud services. According to the railway's statement, no European competitor could keep up with the "high flexibility and availability of higher-quality services" offered by Amazon and Microsoft.
So if even large state-owned corporations are opting for American solutions, what alternatives remain?
American provider, European location
A less well-known option is to use American cloud services whose servers are located within the EU. Not every provider offers this yet, but their number is growing steadily. Because the data is stored and processed in the EU, the GDPR applies in full and, at least for the storage itself, there is no transfer to a third country. There are technical advantages too: latency is usually lower because the data does not first have to cross the Atlantic. One caveat is important, however: an EU region is not automatically a complete solution. The provider remains a US company subject to US law, which under the CLOUD Act can compel it to hand over data regardless of where that data is stored, and any remote access from the USA (for example by support or administration staff) is itself a transfer to a third country. Whether and how far such residual access is covered by the contract and by supplementary measures such as encryption with keys held by the customer therefore still has to be assessed.
Unfortunately, not every data processing operation can be relocated to the EU, for a variety of reasons: often your own team is already used to working with a certain tool, sometimes a particular add-in is needed that is not available on every platform, and often it is simply a question of cost. So what do you do when you have to rely on American tools?
What if there is no alternative?
In such a case, the first step is to find out about the current legal situation and about the provider in question. The European single market is extremely important to the big tech companies, which is why many cloud providers have made efforts to keep their access to it: some have set up European servers, as described above. Most now incorporate the standard contractual clauses into their data processing agreements. Multinational groups have also used the option of binding corporate rules, group-internal data protection rules approved by the supervisory authorities. So there are options, albeit difficult ones.
The fact that a contractual partner or service provider states that it processes data in accordance with the GDPR does not mean that this is actually the case. The rapidly changing legal situation, which is often hard to follow, especially for companies based in third countries, creates a great deal of uncertainty.
This uncertainty could now lead to serious problems: the German data protection supervisory authorities intend to target companies nationwide. The focus will be on the use of US cloud services such as those of Amazon, Microsoft and Google. According to the authorities, the basis will be several questionnaires currently being developed by a "task force" of the Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (DSK). The questionnaires will be used for random checks in which companies are approached proactively. Those contacted must disclose which services they use and on what legal basis. If a company cannot answer the authorities' questions satisfactorily, it may have to switch providers. In addition, fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, can be imposed, a severe blow for any company.
External data protection officer
This step is justified by the "clear and unambiguous legal situation". But the legal situation is only that clear and unambiguous to experts. For everyone else it is almost impossible to judge when data processing is lawful and when it is not. On top of that, data processing is everywhere: office software, video conferencing services, survey tools, ... Nowadays almost every business process involves data processing. Even trained specialists find it hard to keep track. The resulting extra burden is often more than a company can bear on its own. That is why more and more companies are turning to so-called external data protection officers. They deal with current data protection law every day, keep an eye on developments and thus bring a wealth of knowledge and experience from which companies can benefit.
We at heyData have a long track record as external data protection officers. What sets us apart from our competitors is our use of legal tech: combining state-of-the-art digital technology with legal expertise allows us to work more cheaply, more thoroughly and faster.