The EU General Data Protection Regulation (GDPR) increases the pressure on European businesses to ensure transatlantic data transfers are legally watertight. Since the legal situation in the US is highly uncertain, however, all personal data should be encrypted and pseudonymized before they leave the EU region.
For companies in the EU, data flows to the USA matter enormously: many use cloud services from providers based in the United States, for example, or run their servers there. The entry into force of the GDPR sharpens a long-standing problem: US data protection law does not meet the standard the EU requires.
Safe Harbor wasn’t safe enough
The problem first came to a head with the US-EU Safe Harbor Framework of 2000, under which companies in the USA could self-certify that they complied with a set of data protection principles. In October 2015 the Court of Justice of the European Union (CJEU) declared the Framework invalid in the Schrems judgment, finding that the USA did not ensure a level of protection essentially equivalent to that in the EU. The judgment was a response to the broad surveillance powers of US authorities, which allow them to access communications and data flows without probable cause (the Patriot Act being the usual example), and to the limited rights of EU citizens to have their data corrected or erased. The invalidation of Safe Harbor left every transfer of personal data from the EU to the USA that relied on it without a legal basis, and some businesses were duly fined as a result.
Follow-up model also strongly criticized
Its successor, the EU-US Privacy Shield, has been in place since July 2016. The new framework sets stricter data protection obligations for participating US companies, redefines data access by US authorities, gives data subjects ways to exercise their rights in the USA, and adds review mechanisms. Yet the Privacy Shield has been strongly criticized from the outset, with serious legal concerns raised not only by data protection organizations but also by MEPs and civil-society actors.
While the US companies participating in the Privacy Shield commit to certain data protection standards, they remain subject to US law and, if push comes to shove, must comply with requests for information from the authorities. In practice, US intelligence services can continue to access, store, and process the personal data of EU citizens without meaningful limits on scope or independent oversight.
Trump erodes trust in data protection
To add fuel to the fire, one of Donald Trump's first official acts as President was to sign Executive Order 13768, "Enhancing Public Safety in the Interior of the United States", in January 2017. It instructs federal agencies to exclude persons who are not US citizens or lawful permanent residents from the protections of the Privacy Act. An executive order cannot repeal an Act of Congress, so the Judicial Redress Act of 2016 (signed under the Obama administration, and allowing citizens of covered EU countries to sue US federal agencies that mishandle their data) formally remains in force; but the order signals that data protection guarantees for non-US citizens are negotiable, and it casts doubt on the assurances on which the EU-US Privacy Shield rests.
EU data protection activists have watched these developments with dismay for some time. They have drawn up a comprehensive list of the Privacy Shield's failings, one key criticism being that the US Government has yet to appoint anyone to the ombudsman role that is supposed to hear complaints from European citizens. They are calling on the EU Commission and the US administration to begin negotiations without delay on their long catalog of criticisms. If no improvements are seen by May 2018, when the GDPR becomes applicable, they have announced their intention to take the matter to the CJEU.
Encryption and pseudonymization offer a workaround
So how can European companies manage the increasingly difficult balancing act of reconciling the strict provisions of EU privacy law with falling data protection standards in the USA? The most robust approach is to take steps to ensure that personal data never actually leave the company or EU territory in readable form. This also prevents access by the cloud provider itself, whether it is based in the US or elsewhere. Technically this is achieved by solutions such as the eperi Gateway, which encrypts or pseudonymizes sensitive personal data before they cross the company boundary on their way to the cloud. The data are only decrypted when they come back into the company on their way to the user, and the company keeps full control of the cryptographic keys and processes throughout the data's life cycle. For users the process is transparent: they simply work with their cloud application as normal. The trade-off is that cloud-side functions that need the plaintext (full-text search, sorting, analytics) only work on fields left in clear or on deterministic pseudonyms, so the field-level policy has to be chosen per application.
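The following is an added example of the field-level approach described above, written for this page; it is not eperi's code and does not describe how the eperi Gateway is implemented. It assumes a hypothetical per-field policy in which some fields (here name and IBAN) are encrypted with AES-256-GCM, with the field name bound as associated data so a ciphertext cannot be moved into another column, and other fields (here the e-mail address) are replaced by a keyed HMAC-SHA256 pseudonym that stays deterministic so the cloud application can still search and join on it. The keys and the pseudonym lookup table stay inside the company; the cloud side only ever receives the transformed record. The sample record is constructed, not real data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

type Record map[string]string // one row as the cloud application (say, a CRM) would store it

// Gateway is an illustrative stand-in for a boundary proxy (not eperi's implementation):
// keys and the pseudonym table stay on premises; the cloud only ever sees the output.
type Gateway struct {
	aead      cipher.AEAD       // AES-256-GCM for fields that must come back in clear
	hmacKey   []byte            // separate key for deterministic pseudonyms
	encrypt   map[string]bool   // fields to encrypt (randomised, not searchable)
	pseudonym map[string]bool   // fields to pseudonymise (deterministic, searchable)
	lookup    map[string]string // pseudonym -> original: the "additional information" kept apart
}

// NewGateway takes a 32-byte key (AES-256) and a separate HMAC key.
func NewGateway(aesKey, hmacKey []byte, encrypt, pseudonym map[string]bool) (*Gateway, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead, hmacKey: hmacKey, encrypt: encrypt, pseudonym: pseudonym, lookup: map[string]string{}}, nil
}

// EncryptField returns "enc:" + base64(nonce || ciphertext || tag). A fresh nonce per value hides
// equality between rows; the field name is bound as associated data so a ciphertext cannot change column.
func (g *Gateway) EncryptField(field, value string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return "enc:" + base64.StdEncoding.EncodeToString(g.aead.Seal(nonce, nonce, []byte(value), []byte(field))), nil
}

// DecryptField reverses EncryptField and rejects anything that was tampered with or moved.
func (g *Gateway) DecryptField(field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, "enc:"))
	ns := g.aead.NonceSize()
	if err != nil || !strings.HasPrefix(stored, "enc:") || len(raw) < ns+g.aead.Overhead() {
		return "", fmt.Errorf("field %q: malformed encrypted value", field)
	}
	pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", fmt.Errorf("field %q: authentication failed: %w", field, err)
	}
	return string(pt), nil
}

// Pseudonym is deterministic (the cloud app can still search, join and deduplicate on it)
// but keyed, so the provider cannot confirm a guessed value by recomputing a plain hash.
func (g *Gateway) Pseudonym(field, value string) string {
	mac := hmac.New(sha256.New, g.hmacKey)
	mac.Write([]byte(field + "\x00" + value))
	return "pseu:" + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)[:16])
}

// apply transforms a record on its way to the cloud (toCloud) or back into the company.
func (g *Gateway) apply(in Record, toCloud bool) (Record, error) {
	out := make(Record, len(in))
	for f, v := range in {
		var err error
		switch {
		case g.encrypt[f] && toCloud:
			v, err = g.EncryptField(f, v)
		case g.encrypt[f]:
			v, err = g.DecryptField(f, v)
		case g.pseudonym[f] && toCloud:
			p := g.Pseudonym(f, v)
			g.lookup[p] = v // the reverse mapping never leaves the company
			v = p
		case g.pseudonym[f]:
			orig, ok := g.lookup[v]
			if !ok {
				err = fmt.Errorf("field %q: unknown pseudonym %s", f, v)
			}
			v = orig
		}
		if err != nil {
			return nil, err
		}
		out[f] = v
	}
	return out, nil
}
func (g *Gateway) Outbound(in Record) (Record, error) { return g.apply(in, true) }
func (g *Gateway) Inbound(in Record) (Record, error)  { return g.apply(in, false) }
```

Two design points are worth noting. The lookup table from pseudonym back to the original value is exactly the "additional information" that GDPR Article 4(5) requires to be kept separately and protected; without it (or the HMAC key) the cloud provider cannot reverse a pseudonym, but the company can. Deterministic pseudonyms keep search and joins working in the cloud application at the price of revealing that two rows share a value, which is why fields that do not need to be searched are better encrypted with a random nonce, as the name and IBAN fields are here.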
Encryption and pseudonymization do not take the data outside the GDPR altogether: Article 4(5) defines pseudonymized data as data that can still be attributed to a person with the help of additional information kept separately, and Recital 26 makes clear that such data remain personal data for whoever holds that additional information, i.e. the company that holds the keys. What changes is the exposure. The cloud provider receives only ciphertext and tokens and, without the keys, cannot identify anyone, and the GDPR itself names pseudonymization and encryption as appropriate safeguards (Articles 25 and 32). The company still has to document its processing, but the material handed to external providers for contract data processing, in the US or elsewhere, no longer contains readable personal data, which makes that documentation, and the risk assessment behind it, considerably simpler.
With the encryption and pseudonymization of personal information, EU companies can meet their data protection obligations towards customers, suppliers, and employees. Once the GDPR applies, violations risk fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, as well as loss of reputation.