Data protectionists warn German companies of the high risk of fines

Düsseldorf, Berlin. After the record fine against Meta for data protection violations, the risk of high fines is also rising for German companies. Data protection authorities see the decision as a precedent that can be applied to every company that processes data on servers in the USA, for example when using cloud services.

If companies “similarly transfer personal data inadmissibly, they should urgently stop this and change their processing,” said Marit Hansen, data protection officer of Schleswig-Holstein, the Handelsblatt. Otherwise, fines could be imposed as with Meta. “In the event that a supervisory authority would determine a comparable situation in their audits, the consequences would also be comparable.”

The danger is acute: Across Germany, many companies were already being targeted by the supervisory authorities before the verdict. “In hundreds of cases, data protection authorities are investigating data transfers to the USA,” said Hamburg data protection officer Ulrich Kühn to the Handelsblatt.

With the Meta decision, they now have a sharp sword in their hands. The Irish data protection authority recently found that Facebook had not adequately protected the data of EU citizens from access by US authorities and imposed a fine of 1.2 billion euros on parent company Meta. Management plans to appeal the decision.

Most companies are still relaxed on the outside, but nervousness is growing in the background. When asked, Bayer has already announced that it will “review the verdict internally”.

The big three dominate the market

Hardly any European company still runs its business without Amazon Web Services, Microsoft or Google. The cloud services of the American providers make it possible to work from home, connect factories and logistics, and form the basis for artificial intelligence. According to the market researcher Synergy Research, the combined market share of the big three is currently 72 percent and is growing steadily.

However, this dependency is questionable. Following complaints by the data protection activist Max Schrems, the European Court of Justice (ECJ) concluded in two proceedings that, because of the far-reaching powers of the US intelligence services, the USA does not offer a level of data protection comparable to that in the EU, and it overturned the agreements that had served as the legal basis for data transfers: first "Safe Harbor" in 2015, then "Privacy Shield" in 2020.

The cloud service providers offer the option of processing customer data largely in European data centers. With the "EU Data Boundary", for example, Microsoft pledges to "considerably" reduce the flow of data out of the EU. Without a connection to headquarters, however, things become difficult, for example when updates or error analyses are pending.


Data protection authorities also point out that companies based in the USA must hand over data to US authorities even if it is stored abroad; this has been required by the CLOUD Act, in force since 2018. "This is the case, for example, when access rights have been set up for maintenance and support purposes," explained Hamburg data protection officer Kühn.

Decision against Meta closes back door

Until now there has been a way out: the EU Commission has made so-called standard contractual clauses available to companies, through which additional data protection measures are agreed. Thousands of European companies are likely to exchange data with US locations on this basis.

However, the Irish data protection authority declared this auxiliary solution ineffective with its decision against Meta. The standard contractual clauses are binding for the processor of the data and the recipient, “but they cannot bind the US authorities,” the authority said at the request of the Handelsblatt.

Facebook parent company Meta: the Irish data protection regulator has imposed a record fine on the US company. (Photo: dpa)

The construct is “unable to solve the problems associated with US law in connection with state surveillance by US authorities”.

According to estimates in legal circles, courts throughout Europe will soon follow this interpretation. The Irish authority, which is considered business-friendly, was compelled to rule against Meta by a majority decision of the European Data Protection Board (EDPB), in which the national data protection authorities coordinate their positions. Several lawyers report that this line is already making itself felt in ongoing proceedings.

“Decision with Europe-wide signal effect”

The decision is making waves among lawyers. “This is a decision with a Europe-wide signal effect,” said Tim Wybitul of the law firm Latham & Watkins, who specializes in data protection law and represents several corporations.

The combination of a strict interpretation of the law and a fine in the billions requires companies to carry out a “new risk assessment”. At least as long as the decision stands in court.


“Companies are in a dilemma,” emphasized Wybitul. “When two legal systems collide, it is hardly possible to behave in accordance with the law.” As long as the situation has not been clarified, it is about minimizing damage.

In other words, the legal departments are trying to find a solution and hoping that the authorities will accept it if proceedings arise.

However, if the supervisory authorities do find violations, it can be expensive. The General Data Protection Regulation (GDPR) allows fines of up to four percent of a company's global annual turnover (or 20 million euros, whichever is higher), which for large corporations can run into the billions.

In the five years since May 2018, in which the regulations have been in force, European authorities have already imposed fines totaling 2.7 billion euros in more than 1,500 publicly known cases, as the commercial law firm CMS has determined.

How Bayer, Deutsche Bank and Mercedes are reacting

The decision from Ireland is being examined under high pressure in the legal departments. Nevertheless, most companies are still calm. Deutsche Bank, for example, which uses technology from Google and Oracle, does not consider the Meta case comparable to its own partnerships.

"The storage of personal EU customer data within the EU has been and remains the basis for application migration to the cloud," the group said. The bank can choose the region in which each application is operated. "In this way, we ensure that preferences and specifications for data location are met."

Deutsche Bank headquarters in Frankfurt: the financial institution does not consider the Meta case comparable to its own partnerships. (Photo: dpa)

However, companies have long been aware of how sensitive the issue is and are investing heavily to forestall criticism. Deutsche Börse, for example, refers to an initiative for auditing cloud services, the Collaborative Cloud Audit Group, "to ensure the agreed necessary technical and organizational measures". The company also uses measures such as encryption. Mercedes, in turn, has had its own data protection guidelines recognized by the EDPB as binding internal data protection rules (Binding Corporate Rules, BCR).

Bayer points to the role of politics. For a long time there has been a problem "ensuring an appropriate level of data protection in the USA that is equivalent to that of the EU in order to enable data exchange with corporations in the USA".

All attempts by the European Commission to give businesses a reliable legal basis have so far failed. The group emphasizes that it is guided by the case law of the ECJ. "In the event of a request from a European data protection authority, we are confident that we can answer it satisfactorily."

Are SMEs overwhelmed?

The crux: what corporations with large legal staffs may still be able to handle poses real challenges for small and medium-sized companies. According to the Bitkom industry association, legal uncertainty has increased since the Privacy Shield agreement was struck down. "Standard contractual clauses and case-by-case assessments are obviously not enough and in any case overwhelm small and medium-sized companies in particular."

It is therefore more necessary than ever to act. Stefan Brink, former data protection officer for Baden-Württemberg and now head of a research institute, warns that anyone who uses the services of American companies without special protective measures must expect massive penalties.

“With the record fine from the Irish supervisory authority, this issue has finally been brought into focus,” Brink told the Handelsblatt. “It is therefore absolutely obvious that all other authorities will now also take action and increasingly control and sanction data transfers to the USA.”

In Germany, companies have already been targeted by the supervisory authorities for using American cloud services. The proceedings are being coordinated in the "Taskforce Schrems II" of the Data Protection Conference (DSK) of the federal and state authorities, led by Berlin and Hamburg, Hamburg data protection officer Kühn told the Handelsblatt. "The aim is primarily to turn off or secure the transfers." Fine proceedings have not yet been initiated.

Hope for new agreement

From the point of view of companies and data protection experts, a new agreement regulating transatlantic data traffic is urgently needed. In October 2022, US President Joe Biden signed an Executive Order setting out the measures the US would take to make a new data protection agreement with the EU possible.

Negotiations are currently underway. According to EU diplomats, an agreement could be reached by the end of July. “The details have not yet been clarified, but there is a possibility that the Data Privacy Framework can represent a possible legal basis for the transfer of personal data to the USA in the future and legal security would thus be guaranteed,” said data protection officer Kühn.

However, it is uncertain whether the new agreement will withstand review by the ECJ. Activist Schrems has already announced a lawsuit. Despite "a few small improvements" over the two previous agreements, not much has changed in substance, and he does not think the judges at the ECJ will be impressed, Schrems told "Tagesspiegel Background".

“Rather, they should feel fooled because the EU Commission is presenting them with more or less the same thing for the third time.”

Collaboration: Bert Fröndhoff, Franz Hubik, Andreas Kröner
