Berlin. With negotiations on a new data protection agreement between the European Union and the United States not progressing, German companies are calling on the European Union Commission for a temporary solution for transatlantic data traffic.
“What companies across the European Union and on both sides of the Atlantic need now is legal certainty for data transfers and a clear political signal of support,” reads a joint letter from Succulents, ThyssenKrupp and the SPD Economic Forum to the European Union Commission. “Until a new data protection agreement is agreed between the United States of America and the European Union, a transition strategy is needed.” The German government received a similar letter in March.
The signatories to the letter, addressed to the two Vice Chairs of the Commission, Valdis Dombrovskis and Margrethe Vestager, and the European Union Commissioner for Justice, Didier Reynders, are reacting to a ruling issued by the European Court of Justice (ECJ) in July 2020 regarding the exchange of data between the USA and Europe. The letter is available to Handelsblatt.
At the time, the judges rescinded the “Privacy Shield” agreement, stating that the United States did not have a level of data protection comparable to the level of data protection in the European Union, and thus the data was not sufficiently protected against access by US secret services. Many US cloud services violate the European General Data Protection Regulation (GDPR). Fines of up to 20 million euros can be imposed on companies using the services anyway.
As for transferring the data to the United States, there is “virtually no secure legal basis for companies,” according to the letter to the commission. Uncertainty in the economy is correspondingly large. Rather, the situation represents a “very serious obstacle to taking further decisions regarding investments and economic activities.” Therefore, the signatories of the letter are calling on Brussels for “coordinated steps at the European level to ensure law-compliant amendments in the transfer of data.”
Time is of the essence
An interim solution is outlined in the position paper attached to the letter. Other German companies were involved in crafting the paper, including Siemens and Allianz, as well as American technology companies such as Microsoft, Amazon, Google and the social networking site Facebook.
It describes various protection measures that comply with the European General Data Protection Regulation (GDPR), including the so-called Standard Contractual Clauses for data transfer between the European Union and third countries, as well as technical precautions such as “encryption of the data stored using the keys by the client”.
With the standard contractual clauses, according to the European Court of Justice, those affected have the option to have legality checked by the responsible data protection authorities in a particular case. It is still illegal to use such clauses without the necessary additional safeguards, said Stefan Brink, the data protection officer in Baden-Württemberg.
The “notorious, secretly meeting” Fisa courts in the United States, as SPD digital politician Jens Zimmermann once described them, are also problematic. Fisa stands for “Foreign Intelligence Surveillance Act” – a US law under which intelligence agencies like the National Security Agency and security agencies like the FBI and others are allowed to search foreign user data without a court order.
Time is of the essence, because data protection advocates in Germany want to focus nationally on the use of US cloud services. Hamburg’s data protection commissioner, Johannes Caspar, recently told SPIEGEL that so far there has been an “enforcement deficit”. This has to change now with cross-border samples, and questionnaires will be coordinated.
To address privacy concerns, Microsoft launched a far-reaching product offensive this week. In the future, customers in the European Union should be able to have their data processed and stored by Microsoft exclusively in the European Union. The world’s largest software company announced on Thursday that the technical adjustments will be completed by the end of next year.
Along with Amazon and Google, the US group is one of the world’s three largest cloud service providers and operates data centers in 13 European countries – including Germany, Ireland, France and Sweden. “We will not have to transfer any data from these customers outside of the European Union,” Microsoft President Brad Smith said in a blog post.
Microsoft’s new offering of “European Union data limits” is aimed at corporate and public sector customers, not private users. The commitment will apply to all central Microsoft cloud services – Azure, Microsoft 365 (including Microsoft Office and Teams), and Dynamics 365.
Privacy advocate praises Microsoft
“We have already started the technical preparations so that our centralized cloud computing services can save and process all personal data of our corporate and public sector clients as quickly as possible only in the European Union if they so desire,” as stated in the blog entry by Smith.
Hamburg data protection advocate Caspar praised the software company’s progress. With its offer to “limit EU data,” Caspar told Handelsblatt, Microsoft is setting “standards that we hope competitors will follow.”
However, the head of the authority does not see the problem being over, as the companies have been operating without an adequate legal basis since the European Court of Justice ruled on the ‘Privacy Shield’. Caspar said moving individual services to the European Union did not solve “the general problem of incompatibility of the two legal systems.” “The need for a legally secure, rights-compliant method of exchanging data remains huge if transatlantic cooperation in business is to continue to operate smoothly in the future.”
On the one hand, the supposed access of US secret services to data could be technically undermined if clients themselves effectively protect their cloud data, Microsoft chief Smith points out. “Many of our services put control over data encryption in the hands of customers.” This can be done with keys that are managed not by Microsoft, but by the customers themselves. “We protect our customers’ data from unauthorized access by every government in the world.”
Data protection advocate Caspar says this is the “ultimate solution to mandating US service providers with personal data.” “If decoding by the provider can be excluded, data can also be stored around the world on the basis of standard contractual clauses,” he said.
However, it should be noted that service providers can remove encrypted data from their data centers at any time, even without viewing the stored content, and thereby affect availability. “Such a scenario, however, is not technically excluded by Microsoft’s current efforts.”