With its current ruling on surveillance, the Supreme Court makes it clear that there will be no new EU-US Privacy Shield agreement.
For years now, the fundamentally different data protection views of the USA and Europe have made international data transfers between companies more difficult. Both the Safe Harbor agreement and the EU-US Privacy Shield were declared invalid by the European Court of Justice. The reason, to put it simply, was in both cases the legally possible access by US authorities to the personal data of Europeans, which cannot be reconciled with the requirements of the GDPR.
After the fall of the EU-US Privacy Shield due to the so-called Schrems II ruling, there was widespread uncertainty regarding the use of American applications. This was only resolved by the "final recommendations on the transfer of personal data after the Schrems II ruling" of the European Data Protection Board (EDPB). This recommendation creates clear and reliable guidelines that companies must follow. Three central points are decisive for companies that use American cloud applications:
- Using American cloud services without further measures is not GDPR compliant (even if the servers are located in Europe).
- Standard contractual clauses are no longer sufficient to achieve GDPR compliance.
- The security solutions offered by cloud providers (such as Microsoft E5 license) are not sufficient to achieve GDPR compliance.
Hope for a legal solution
Since then, American companies with strong European business in particular have been hoping for a legal solution to the issue. Accordingly, the negotiations on a new EU-US Privacy Shield are the focus of attention. However, the question that actually arises is whether there can be a legal solution to a technical problem. As long as data is physically transferred to cloud applications, for example, there is always the possibility that unauthorized third parties - be they authorities or criminals - will gain access. Even if a new Privacy Shield should regulate the legal framework in the future, the actual problem - namely the risk of loss of personal data - will not be solved.
Latest Developments
A recent Supreme Court ruling now calls into question all efforts at a legal settlement between Europe and the United States. In the "FBI vs. Fazaga" case, the government was granted more freedom to invoke "state secrets" in surveillance cases. This makes it much more difficult for citizens to defend themselves against allegedly unwarranted government surveillance. Incidentally, this ruling torpedoes Biden's efforts to present the US data protection level as sufficient for a new Privacy Shield agreement.
The EU Commission also does not expect a quick agreement on a new treaty with the USA. Commission Vice President Margrethe Vestager is quoted as saying: "We are striving with high priority to reach such an agreement with the Americans ... but it is not easy, to put it really understated."
The most obvious solution to all the data protection challenges relating to US companies would be their complete banishment from the European market. However, this scenario is neither economically viable nor realistic. The use of native security solutions from cloud providers also falls short as a solution. The example of data encryption makes the challenge clear: whoever controls the encryption controls the data. If the cloud provider performs the encryption, it inevitably has access to the unencrypted data, and so the possibility of data access by authorities remains. This can only be prevented by encryption that is completely under the control of the company and never gives the cloud provider access to unencrypted data. The cloud provider can then comply with an authority's request to hand over data with a clear conscience, because the authority only receives encrypted, unreadable data without any personal reference. At the same time, the company has the certainty of not only being GDPR-compliant, but also of controlling who gets access to critical data. Thus, personal data, trade secrets and IP are equally protected. It is not necessary to forego the use of American state-of-the-art technology; not only European, but ultimately also American companies benefit from this.
An opaque legal situation does not have to become an insurmountable obstacle for companies in a specific case. Thanks to the EDPB's very clearly formulated recommendations for action on the Schrems II ruling, it is clear which requirements a solution must meet in order to achieve GDPR compliance:
- Data must be encrypted before it is transferred to the cloud.
- The cloud provider must not be granted access to keys and encryption at any time.
- A suitable solution must be state-of-the-art.
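The three requirements above in working form, as an added example that is not eperi's code and says nothing about how the eperi Gateway is implemented: a minimal encrypting gateway in Go whose AES-GCM key stays on the company side, with a map standing in for the cloud provider's storage (the store, the key handling and the sample record are all constructed for this illustration).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// cloudStore stands in for the provider's storage (constructed simulation): it only ever receives what the gateway hands it.
var cloudStore = map[string][]byte{}

// Gateway holds the company-controlled key; the cloud side never sees it.
type Gateway struct{ aead cipher.AEAD }

func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Gateway{aead: aead}, err // err is nil for any AES block
}

// Upload is the only path into cloudStore: encrypt first (AES-GCM, fresh nonce), then store.
// The field name is bound as associated data, so a ciphertext cannot later be presented under another field.
func (g *Gateway) Upload(id, field, value string) error {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	cloudStore[id+"/"+field] = g.aead.Seal(nonce, nonce, []byte(value), []byte(field))
	return nil
}

// ProviderHandover is all the provider can surrender on request: ciphertext.
func ProviderHandover(id, field string) []byte { return cloudStore[id+"/"+field] }

// Fetch reads a field back through the gateway, the only place the key lives; it fails on tampering or a mismatched field.
func (g *Gateway) Fetch(id, field string) (string, error) {
	ct, ns := ProviderHandover(id, field), g.aead.NonceSize()
	if len(ct) < ns {
		return "", errors.New("no such field or token too short")
	}
	pt, err := g.aead.Open(nil, ct[:ns], ct[ns:], []byte(field))
	return string(pt), err
}
```

In a real deployment the key would come from the company's own key management, never from the cloud account that holds the ciphertext.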
The patented multi-cloud approach of the eperi Gateway covers all these points. However, a suitable solution must not only meet legal requirements. The usual efficiency must be maintained and the workflow of the users must not be interrupted. In addition to GDPR compliance, the eperi Gateway offers:
- A solution that is transparent for the user.
- Maintaining familiar and efficient workflows.
- The preservation of the important application functions.
In summary, it can be stated that every company can benefit from the economic as well as process-side advantages of the cloud - with the right security solution in the background.
Download the whitepaper now free of charge or visit our website on the subject of GDPR-compliant cloud use and learn today how you can continue to benefit from all the advantages of the cloud in the future.
Do you have any further questions? We are at your service for a personal conversation. Contact us now!
Insofar as this document contains legal explanations and guidance, these constitute non-binding information without any guarantee of completeness or accuracy. They do not constitute legal advice, and Eperi GmbH makes no claim whatsoever to provide or replace such advice.