
New US-EU Privacy Shield Agreement Far Off in the Distance

With its current ruling on surveillance, the Supreme Court makes it clear that there will be no new EU-US Privacy Shield agreement.

INITIAL SITUATION

For years, the fundamentally different data protection views of the USA and Europe have made international data transfer between companies more difficult. Both the Safe Harbor Agreement and the EU-US Privacy Shield were declared invalid by the European Court of Justice. In simple terms, the reason in both cases was the legally possible access to personal data of Europeans by US authorities. This cannot be brought into line with the requirements of the GDPR.

CURRENT STATUS

Following the fall of the EU-US Privacy Shield due to the Schrems II ruling, there was widespread uncertainty regarding the use of US applications. This was only resolved by the "final recommendations on the transfer of personal data following the Schrems II judgment" of the European Data Protection Board (EDPB). This recommendation creates clear and reliable guidelines that companies must follow. Three key points are decisive for companies that use American cloud applications:

  • Using American cloud services without further measures is not GDPR compliant (even if the servers are located in Europe).
  • Standard contractual clauses are no longer sufficient to achieve GDPR compliance.
  • The security solutions offered by cloud providers (such as Microsoft E5 license) are not sufficient to achieve GDPR compliance.

HOPE FOR A LEGAL SOLUTION

Since then, American companies with strong European business in particular have been hoping for a legal solution to the issue. Accordingly, the negotiations on a new EU-US Privacy Shield are the focus of attention. The question that actually arises, however, is whether there can be a legal solution to a technical problem. As long as data is physically transferred to cloud applications, there is always the possibility that unauthorized third parties - be they authorities or criminals - will gain access. Even if a new Privacy Shield were to regulate the legal framework in the future, the actual problem - namely the risk of losing personal data - would still not be solved.

LATEST DEVELOPMENTS

A recent Supreme Court ruling now calls into question all efforts to find a legal solution between Europe and the USA. In the "FBI v. Fazaga" case, the government was granted more leeway to invoke "state secrets" in espionage cases. This makes it considerably more difficult for citizens to defend themselves against allegedly unauthorized government surveillance. Incidentally, this ruling torpedoes Biden's efforts to present the US level of data protection as sufficient for a new Privacy Shield agreement.

The EU Commission is also not expecting a new agreement with the USA to be reached quickly. Margrethe Vestager (Vice-President of the Commission) is quoted as saying: "It is a high priority for us to reach such an agreement with the Americans ... but it is not easy, to say the least."

SOLUTION

The most obvious solution to all data protection challenges in relation to American companies would be to ban them completely from the European market. However, this scenario is neither economically viable nor realistic. The use of native security solutions from cloud providers is also not a solution. The example of data encryption makes the challenge clear: whoever controls the encryption controls the data. As soon as the cloud provider encrypts data, there must inevitably be access to the unencrypted data. This means that there is still the possibility of data being accessed by the authorities. This can only be prevented by encryption that is completely under the control of the company and does not grant the cloud provider access to unencrypted data at any time. The cloud provider can comply with the authorities' request to hand over the data with a clear conscience, as they only receive encrypted, unreadable data without any personal reference. At the same time, the company has the certainty that it is not only working in compliance with the GDPR, but can also control who has access to critical data. This protects personal data, business secrets and IP in equal measure. It is not necessary to forego the use of American state-of-the-art technology - not only European companies benefit from this, but ultimately American companies too.

CONCLUSION

A legally opaque situation does not have to become an insurmountable obstacle for companies in specific cases. Thanks to the EDPB's very clearly formulated recommendations for action on the Schrems II ruling, it is clear which requirements a solution must meet in order to achieve GDPR compliance:

  • Data must be encrypted before it is transferred to the cloud.
  • The cloud provider must not be granted access to keys and encryption at any time.
  • A suitable solution must be state-of-the-art.
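The point made in the SOLUTION section and in the three requirements above ("whoever controls the encryption controls the data") can be shown concretely. The following Go program is an added example written for this article, not eperi's code: a personal-data field is sealed with AES-256-GCM under a key that only the company's gateway holds, then stored at the provider; a hypothetical `Handover` function models what the provider can disclose on request, with and without its own key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aeadFor(key []byte) (cipher.AEAD, error) { // AES-256-GCM for a 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field value in the company's gateway; a fresh random nonce is prepended.
func Seal(key, pt []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// Open reverses Seal and fails under any key other than the sealing key.
func Open(key, ct []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil || len(ct) < aead.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	n := aead.NonceSize()
	return aead.Open(nil, ct[:n], ct[n:], nil)
}

// Handover (hypothetical) models the provider answering a disclosure request: with a
// provider-held key it can return plaintext; with none (gateway model) only ciphertext leaves.
func Handover(stored, providerKey []byte) []byte {
	if providerKey != nil {
		if pt, err := Open(providerKey, stored); err == nil {
			return pt
		}
	}
	return stored
}
```

In practice the company key would live in a company-controlled HSM or key management service that the cloud provider never reaches; the demo keeps it in memory only to keep the contrast visible.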

The patented multi-cloud approach of the eperi Gateway covers all these points. However, a suitable solution must not only fulfill legal requirements. The usual efficiency must be maintained and the user's workflow must not be interrupted. In addition to GDPR compliance, the eperi Gateway offers:

  • A solution that is transparent for the user.
  • Familiar and efficient workflows are maintained.
  • Important application functions are preserved.

In summary, it can be stated that every company can benefit from the economic as well as process-side advantages of the cloud - with the right security solution in the background.

Do you have any further questions? We are at your disposal for a personal consultation. Contact us now!

Disclaimer:
Insofar as this document contains legal explanations and advice, this constitutes non-binding information without any guarantee of completeness or accuracy. In this respect, it does not constitute legal advice and Eperi GmbH does not claim to represent or even replace such advice.


Knowledge that protects - your next measure for more data security

On our download page you will find free white papers and factsheets on data protection, data encryption and compliance - especially for IT managers and decision-makers.

Get compact knowledge, strategic recommendations and practical tips to effectively protect your data and securely comply with regulatory requirements such as GDPR, NIS2 and DORA.