Data Protection and US Tools


Data protection and the USA - US clouds and tools. How do I deal with data transfer to third countries?
When people in Germany, and indeed across the entire EU, talk about data protection, the topic is always linked to the USA. Sometimes the focus is on the questionable practices of the American intelligence services, and sometimes on the data hunger of technology companies such as Google, Amazon, or Microsoft. The latter at least seemed to have been contained to an acceptable level by the Safe Harbor Agreement and later by the Privacy Shield Agreement.
But then came the ECJ's Schrems I and II rulings: with these two groundbreaking decisions, the court first declared the Safe Harbor Agreement and then its successor, the Privacy Shield, null and void, as they violated the recently adopted GDPR. According to the ECJ, the extremely broad access of the US intelligence services to foreign user data made it impossible for American companies to comply with European data protection standards. International negotiations to establish a new data protection agreement have so far failed. Instead, the so-called standard contractual clauses were created. These are contractual clauses approved by the data protection authorities that are intended to guarantee the security of European users' data on American servers through additional measures and controls. Although the ECJ has not found this solution to be illegal, it has cast doubt on it: according to the judges, even the most comprehensive contractual clauses are useless if the American intelligence services want access to the data.
Study highlights problems
So much for the legal side of the issue. It has been a long road to this day, but at least for the time being there seems to be a reliable solution.
Unfortunately, the practical side is not quite so simple: there are so many regulations to consider that a quick look online followed by downloading and filling out a few documents and templates is no longer enough to comply with the law. There is more to consider than having customers sign a consent form and read a supposedly complete privacy policy, especially when countries outside the EU (such as the US) are involved.
A recently published study by the Center for European Policy shows just how difficult it is to comply with the requirements: in her 70-page analysis, author Anja Hoffmann concludes that numerous companies are still violating the GDPR's provisions on data transfers to third countries. Unsurprisingly, the country most frequently involved is the USA. The data protection agreements may no longer apply and the legal situation may be complicated, but this does not change the needs of the economy. The big tech companies and their tools remain unrivaled, and finding an alternative is not easy. The various cloud services, such as Amazon AWS or Microsoft Azure, are proving particularly problematic. So what options do companies have to offer their services both legally and efficiently?
Own data centers are not a solution
The classic answer to this question is to have your own servers: From a single home server in the office to gigantic, purpose-built data centers, there seem to be solutions for small and large companies. However, there are also disadvantages, such as comparatively high costs and complex maintenance. In-house systems are also much more susceptible to malfunctions and therefore less reliable, not to mention the complexity of handling them on a day-to-day basis. Just how serious these disadvantages are can be seen from the fact that Deutsche Bahn recently announced that it would be abandoning its own data centers and switching completely to US cloud services. According to a statement from Deutsche Bahn, no European competitor can keep up with the "high flexibility and availability of higher-quality services" from Amazon and Microsoft.
So if large publicly owned companies are already opting for American solutions, what other alternatives are there?
American provider, European location
A relatively little-known option is the use of American cloud services whose servers are located within the EU. Unfortunately, this is not possible with every provider, but their number is steadily increasing. As these servers are located within the EU, they are fully subject to the GDPR, and the data processing carried out there does not involve a third country. They are also (at least legally) outside the reach of the US intelligence services. There are some technical advantages as well: for example, the connection is often better, as the data does not first have to cross the Atlantic.
Unfortunately, however, not all data processing can be moved to the EU, and there are many reasons for this. Often your team is already used to working with a certain tool, sometimes you need a certain add-in that is not available on all platforms, and often it is simply a matter of cost. So what do you do if you are dependent on American tools?
And if there is no alternative?
In such a case, the first thing to do is to obtain information about the current legal situation and the respective provider. The European single market is extremely important for the big tech companies, so many of the cloud providers have made efforts to maintain their access to this market: Some have established European servers, as described above. Many have certified themselves with the European Commission. Transatlantic corporations have taken the opportunity to adopt intragroup data protection rules. There are some, albeit difficult, options.
However, the fact that a contractual partner or service provider states that it processes data in accordance with the GDPR does not necessarily mean that this is the case. The rapidly changing legal situation, which is often difficult to understand, especially for citizens of third countries, creates a great deal of uncertainty.
This uncertainty could now lead to massive problems: the German data protection supervisory authorities now want to target companies nationwide. The focus will be on the use of US cloud services such as those of Amazon, Microsoft, and Google. According to the authorities, the checks will be based on several questionnaires currently being developed by a "task force" of the Conference of the Federal and State Data Protection Authorities (DSK). These questionnaires are to be used in random checks to proactively approach companies. The companies concerned must disclose which services they use and on what legal basis. If companies are unable to answer the authorities' questions satisfactorily, they will have to change providers. In addition, fines of up to 20 million euros can be imposed, a severe blow for any company.
External data protection officer
This step is justified by the "clear and unambiguous legal situation". However, the legal situation is only that clear and unambiguous for experts. For everyone else, it is almost impossible to assess when data processing is legal and when it is not. Furthermore, data processing is everywhere: office software, video conferencing services, survey tools, and so on. Nowadays, almost every process involves data processing, and even trained specialists find it difficult to keep an overview. The resulting additional burden is often too much for a company to bear alone. This is why more and more companies are turning to external data protection officers. They deal with current data protection law on a daily basis, keep an eye on developments, and bring with them a wealth of knowledge and experience from which companies can benefit.
We at heyData have many years of experience as external data protection officers. What sets us apart from our competitors is our use of legal tech. The cutting-edge combination of digital technology and law allows us to work cheaper, more thoroughly, and faster.