From Safe Harbor Principles to EU General Data Protection Regulation
Here are the key data protection points that you need to observe in 2017
I have been meeting with many of our customers, as I normally do at the end of the year. These encounters have been making it clear that the digital transformation process is now fully underway in all sectors, and that it has reached companies of all sizes. For the year 2017, which will soon be here, this process is creating promising new business opportunities. At the same time, it is obviously producing challenges.
One of the concerns that customers voice to me again and again has to do with data protection and data security in the cloud, especially with respect to data storage and processing in the U.S. Basically, this affects every company that uses IT services from U.S. providers and stores any sensitive data – such as personal data – on servers that are located in the U.S. or simply operated by U.S. providers. As a rule, for example, just about any cloud-based customer relationship management (CRM) system will be hosted on such servers.
And this is where the problems begin. Our customers are well aware that the Safe Harbor Agreement has been overturned, that it has been supplanted by the EU-U.S. “Privacy Shield” and that new data protection rules for Europe have been adopted. So far, so – not – good. This is because, clearly enough, not all companies understand what the new framework means for their entrepreneurial realities. According to the Federal Association for Information Technology, Telecommunications and New Media (BITKOM), only about half of all companies have looked into the EU General Data Protection Regulation to date. So please allow me to try to shed a little light on this subject.
Put very simply, both the Safe Harbor principles and the Privacy Shield are (or were) designed to make it possible to send personal data to the U.S. securely. However, the Safe Harbor Agreement, a data protection agreement with the U.S. that was enacted in 2000, was declared null and void by the European Court of Justice at the end of 2015. The Court based its ruling on the finding that data sent from Europe would not be sufficiently shielded from U.S. government agencies. Once the Agreement was overturned, the only legally acceptable means – apart from obtaining the explicit consent of the affected parties – to transfer data to the U.S. was to use “Binding Corporate Rules” and the EU standard contractual clauses. Experts were in disagreement regarding the legal solidity of these two approaches, however. Then came the EU-U.S. Privacy Shield, which was supposed to resolve all the uncertainty.
On paper, at least, the Privacy Shield, which has been in force since July 2016, seemed to be a worthy successor to the Safe Harbor principles. Well, “on paper” is not the same as “in the real world.” Critics find that the Privacy Shield’s data protection guarantees are also inadequate in practice. Not unexpectedly, a data privacy group recently filed an action with the European Court of Justice seeking its annulment.
And as if all that were not enough, the new EU General Data Protection Regulation will apply as of May 2018. Its purpose is to streamline European data protection, not least by being directly applicable in all Member States (following a two-year transition phase). According to experienced lawyers specializing in IT law, the new Regulation has serious shortcomings. For example, its Article 32 requires data to be pseudonymized and encrypted under certain circumstances, subject to criteria such as the state of the art and the severity of the risk to the rights and freedoms of affected parties.
Violations of the obligations imposed by Art. 32 are subject to administrative fines of up to ten million euros. For all of these reasons, I am certainly sympathetic to our customers’ concerns about their cloud strategies! At the same time, clear avenues for addressing these concerns are available.
My 5 data privacy tips for 2017 are as follows:
- Read the fine print in your IT services agreements with external services providers. Check whether any personal data are going to be sent abroad – and, if so, where the data are going to be sent.
- If you have not yet done so, create a record of your processing activities – a list describing every internal process in which your company processes personal data. You will then be on the safe side if you are audited in any way by a supervisory authority, because you can prove that your processes are being carried out as prescribed.
- Carefully weigh the advantages and disadvantages of any solution that involves vendor lock-in: while obtaining all cloud services from a single IT services provider may seem alluringly simple, such sourcing locks you in for additional services as well, and can thereby complicate data protection issues.
- Consider alternatives to vendor lock-ins: OpenStack-based solutions, which Deutsche Telekom also supports, can be combined with all leading technologies and applications. And if you remember OpenStack as a “crafts project for computer nerds,” then it’s time you had another look at it! The times have changed, and OpenStack is now well-established and is rapidly growing in importance. While it can take time to learn the ins and outs of OpenStack, the effort is certainly worth it. And of course experts, such as those at T-Systems, stand ready to assist you.
- If you want to take no chances with your data protection, a cloud subject to German data protection laws and meeting German data security standards is still the ideal option. And it continues to be the ideal option even though the EU’s data protection framework has changed. And this will continue to be the case regardless of any agreements that policymakers make with the U.S. Whether we’re talking about a Privacy Shield agreement or any other agreement…
The recent BITKOM study “Cloud Monitor” found that 83 percent of all German companies expect their cloud-services providers to operate their data centers solely in Germany. Clearly enough, the “I want my data in Germany” trend is not going to disappear anytime soon. And I am very confident that more and more companies – including both services providers and users – are going to be following our example in this regard.
Any company that still sees gaps or “challenges” in its cloud strategy thus needs to join this trend. Peace of mind is available! Please do not hesitate to contact me personally if I can support you in any way in this area. And please note that I’ll be taking your questions about security in the public cloud in a live webcast (in German) on December 14, held in cooperation with Computerwoche magazine.