365 days a year: solutions, knowledge and networking.
Find and offer innovative IT security solutions, take part in our diverse action program and make and maintain contacts.
Become part of the it-sa 365 community!
So that you can make an appointment, the calendar will open in a new tab on the personal profile of your contact person.
So that you can make an onsite appointment, the appointment request will open in a new tab.
I was already aware of how important the topic was while I was still a student – which is why it became my main field of study back then. Later, I worked in the data privacy department of the Ministry of the Interior. That was just when things began heating up around the European General Data Protection Regulation (GDPR), shortly before it was adopted. Then I got to build up my knowledge further with studies for a master’s degree in Glasgow on copyright, e-commerce and intellectual property. That curriculum focused extensively on EU law. A further step led me to eBay, where I honed my sense of the practical side of things. By now, I’ve been working in data privacy for a good ten years.
It was especially my masters’ studies that made me aware of the field’s connection with policy, and working with an association was a logical next step. And since I wanted to have an effect in digitalisation, that meant Bitkom. So I applied right off for three positions here. These days I’m mostly working from home, like most of the rest of the team as well.
How complicated things got depended on how well the company was positioned beforehand. A lot of them were in such a hurry at the start that they overlooked making some important contracts, like an agreement about contracting-out data processing. You always need one of those if a company is going to hand over data to be stored or processed further by third parties. They had to fill in that gap later. Anybody who had lawyers in-house was usually in a better position. So that kind of problem cropped up less at large companies. Those who had never dealt with digitalisation before at all faced special challenges. Then too, there was often a lot of uncertainty about which Cloud services can be used for what processes, and which ones you’re better off without.
One out of every three companies is already using Cloud services, and the figures are rising. Using the Cloud is an important feature for companies, but it needs proper legal safeguards. From the viewpoint of data privacy, for any Cloud application you need the contract I just mentioned about third-party data processing. It needs to precisely describe the processing procedures. It should also include the necessary security measures. There are model contracts for the purpose, but they need to be customised. If I’m selecting a provider who stores data outside the EU, I have to follow the related rules. For example, for a transfer to the USA you might rely on the Privacy Shield, or on what are called “standard contractual clauses”.
They have different bases. I can use standard contractual clauses for any third country. The Privacy Shield is an agreement with the United States by which the EU intends to ensure that the US level of data protection conforms to the one in Europe. There’s also something called an “adequacy decision,” which guarantees that a country’s data protection complies with the GDPR. The EU Commission decides on that for each country separately. For instance, those decisions have declared Switzerland, Japan, Canada and Uruguay equivalent to the EU. Which means that after a “no-deal” Brexit, it would be easier to store data in Uruguay than in the UK.
The standard contractual clauses are prescribed by the EU. The safeguard they provide applies only if they’re adopted without changes. There are also appendices that have to be modified for each case individually.
That’s because these are individual agreements between two companies. Yes, there are models available, but certain parts have to be negotiated individually each time – such as technical or organisational measures for data security. Things like that are tailored to the individual process, to the specific data processing itself, so they have to be revised accordingly. You have to precisely describe the underlying data processing, which is usually project-specific, which means there will also need to be regular revisions if there’s any change.
The Privacy Shield works like its forerunner, the Safe Harbor arrangement. Companies can be listed if they confirm their GDPR compliance. But to some extent there are distinctions by type of data. For example, personal data might be excluded because the company isn’t listed for that. So if you want to use that kind of data, you can’t work with the Privacy Shield. Then the company would have to switch to something like the standard contractual clauses – but those would have to be negotiated with each company individually. Those procedures are under scrutiny right now. There’s controversy about whether standard contractual clauses can provide adequate protection under the GDPR. The European Court of Justice (ECJ) just handed down a decision on the matter on July 16.
The case was brought by Maximilian Schrems, with Facebook on the other side. It was lodged in an Irish court, but that court referred it to the ECJ to get clarification of basic questions about the GDPR. Putting it simply, it was about whether a level of data protection compliant with the GDPR can really be ensured in the United States by using the Privacy Shield or the standard contractual clauses. The sticking point is the possibility that US authorities might be able to access data stored with US companies. The question was whether that affects the level of data protection so seriously that GDPR-compliant protection is no longer assured.
The decision will have a massive impact on global data exchange, because effectively immediately, the Privacy Shield has been declared invalid, and can no longer offer a basis for data exchanges with the USA. Additionally, the ECJ’s comments on standard contractual clauses also cast doubt on any exchanges based on those, because in its decision the court transferred to the data supervision authorities the task of reviewing in each individual case whether the standard contractual clauses can be an effective basis for data transfer. The court did not fundamentally call the efficacy of the standard contractual clauses into question, so they can still be used for international data transfers. But following the decision, we assume that the contract clauses for data transfers to the USA will soon be reviewed by the regulatory authorities. Depending on how that review turns out, they might not be an adequate basis in the future.
Any company that bases its processes on the Privacy Shield has to make a switch directly, at the very least to standard contractual clauses. They must also expect that they’ll need to make additional changes. New agreements will have to be made with every individual business partner in the USA.
Every company should review whether it has alternatives to the former procedures. You might start with processing on the basis of a user’s consent. Companies might also start looking more for alternatives in other countries, as we’ve already been able to see in connection with Brexit. But that’s likely to be rather impractical with particular regard to the USA and its Cloud providers. Bitkom is currently getting more inquiries about that. There’s quite a need for advice. Anybody who’s interested can get a guide from Bitkom on processing personal data in third countries (German). And for consultations we have our own subsidiary, Bitkom-Consult, which will be happy to help out.
Author: Uwe Sievers
