The European General Data Protection Regulation (GDPR) creates a considerable amount of work for companies whenever data are to be stored or processed outside the EU. Rebekka Weiß, Head of Trust and Security at Bitkom, explains where problems crop up in exchanging data with third countries, what options are available, and where the pitfalls lie.
Update: Following the European Court of Justice’s Privacy Shield decision, we asked her for her assessment.
• Whether with the USA or the UK – GDPR-compliant data exchange with third countries is complicated.
• On July 16, the European Court of Justice pronounced a ground-breaking decision on the subject.
• In light of that decision, the rules that formerly governed exchanging data with the USA may well not be adequate any longer.
Ms Weiß, how did you come to be involved with data privacy?
I was already aware of how important the topic was while I was still a student – which is why it became my main field of study back then. Later, I worked in the data privacy department of the Ministry of the Interior. That was just when things began heating up around the European General Data Protection Regulation (GDPR), shortly before it was adopted. Then I got to build up my knowledge further with studies for a master’s degree in Glasgow on copyright, e-commerce and intellectual property. That curriculum focused extensively on EU law. A further step led me to eBay, where I honed my sense of the practical side of things. By now, I’ve been working in data privacy for a good ten years.
And now you’re working for the Bitkom industry association, where you head the unit for Trust and Security.
It was especially my master’s studies that made me aware of the field’s connection with policy, and working with an association was a logical next step. And since I wanted to have an effect in digitalisation, that meant Bitkom. So I applied right off for three positions here. These days I’m mostly working from home, like most of the rest of the team as well.
The coronavirus crisis has brought a big increase in working from home, but also in use of the Cloud. A lot of people have got into the Cloud without the right preparation. What were their typical mistakes?
How complicated things got depended on how well the company was positioned beforehand. A lot of them were in such a hurry at the start that they overlooked making some important contracts, like an agreement about contracting-out data processing. You always need one of those if a company is going to hand over data to be stored or processed further by third parties. They had to fill in that gap later. Anybody who had lawyers in-house was usually in a better position. So that kind of problem cropped up less at large companies. Those who had never dealt with digitalisation before at all faced special challenges. Then too, there was often a lot of uncertainty about which Cloud services can be used for what processes, and which ones you’re better off without.
What should companies watch out for when they want to store personal data or business-critical data in the Cloud?
One out of every three companies is already using Cloud services, and the figures are rising. Using the Cloud is an important feature for companies, but it needs proper legal safeguards. From the viewpoint of data privacy, for any Cloud application you need the contract I just mentioned about third-party data processing. It needs to precisely describe the processing procedures. It should also include the necessary security measures. There are model contracts for the purpose, but they need to be customised. If I’m selecting a provider who stores data outside the EU, I have to follow the related rules. For example, for a transfer to the USA you might rely on the Privacy Shield, or on what are called “standard contractual clauses”.
How do standard contractual clauses differ from the Privacy Shield?
They have different bases. I can use standard contractual clauses for any third country. The Privacy Shield is an agreement with the United States by which the EU intends to ensure that the US level of data protection conforms to the one in Europe. There’s also something called an “adequacy decision,” which guarantees that a country’s data protection complies with the GDPR. The EU Commission decides on that for each country separately. For instance, those decisions have declared Switzerland, Japan, Canada and Uruguay equivalent to the EU. Which means that after a “no-deal” Brexit, it would be easier to store data in Uruguay than in the UK.
How is data exchange with third countries governed by standard contractual clauses? What are the core points?
The standard contractual clauses are prescribed by the EU. The safeguard they provide applies only if they’re adopted without changes. There are also appendices that have to be modified for each case individually.
That’s because these are individual agreements between two companies. Yes, there are models available, but certain parts have to be negotiated individually each time – such as technical or organisational measures for data security. Things like that are tailored to the individual process, to the specific data processing itself, so they have to be revised accordingly. You have to precisely describe the underlying data processing, which is usually project-specific, which means there will also need to be regular revisions if there’s any change.
Exchanging data with the USA in particular is apparently a problem. Why?
The Privacy Shield works like its forerunner, the Safe Harbor arrangement. Companies can be listed if they confirm their GDPR compliance. But to some extent there are distinctions by type of data. For example, personal data might be excluded because the company isn’t listed for that. So if you want to use that kind of data, you can’t work with the Privacy Shield. Then the company would have to switch to something like the standard contractual clauses – but those would have to be negotiated with each company individually. Those procedures are under scrutiny right now. There’s controversy about whether standard contractual clauses can provide adequate protection under the GDPR. The European Court of Justice (ECJ) just handed down a decision on the matter on July 16.
What was involved in the ECJ case?
The case was brought by Maximilian Schrems, with Facebook on the other side. It was lodged in an Irish court, but that court referred it to the ECJ to get clarification of basic questions about the GDPR. Putting it simply, it was about whether a level of data protection compliant with the GDPR can really be ensured in the United States by using the Privacy Shield or the standard contractual clauses. The sticking point is the possibility that US authorities might be able to access data stored with US companies. The question was whether that affects the level of data protection so seriously that GDPR-compliant protection is no longer assured.
What’s hanging on the decision? What should companies expect, for instance?
The decision will have a massive impact on global data exchange, because effective immediately, the Privacy Shield has been declared invalid, and can no longer offer a basis for data exchanges with the USA. Additionally, the ECJ’s comments on standard contractual clauses also cast doubt on any exchanges based on those, because in its decision the court transferred to the data supervision authorities the task of reviewing in each individual case whether the standard contractual clauses can be an effective basis for data transfer. The court did not fundamentally call the efficacy of the standard contractual clauses into question, so they can still be used for international data transfers. But following the decision, we assume that the contract clauses for data transfers to the USA will soon be reviewed by the regulatory authorities. Depending on how that review turns out, they might not be an adequate basis in the future.
What do you advise at the moment for companies that would be affected?
Any company that bases its processes on the Privacy Shield has to make a switch directly, at the very least to standard contractual clauses. They must also expect that they’ll need to make additional changes. New agreements will have to be made with every individual business partner in the USA.
Every company should review whether it has alternatives to the former procedures. You might start with processing on the basis of a user’s consent. Companies might also start looking more for alternatives in other countries, as we’ve already been able to see in connection with Brexit. But that’s likely to be rather impractical with particular regard to the USA and its Cloud providers. Bitkom is currently getting more inquiries about that. There’s quite a need for advice. Anybody who’s interested can get a guide from Bitkom on processing personal data in third countries (German). And for consultations we have our own subsidiary, Bitkom-Consult, which will be happy to help out.
You will also find news about all aspects of it-sa and the IT security environment in the it-sa Security Newsletter.