New challenges for companies and municipalities

One of the most urgent IT questions that companies and municipalities alike are currently asking is: Who can I entrust sensitive data to? An answer to this is becoming increasingly difficult, especially given that there is currently no regulation for data transfer between Europe and the USA.

After the European Court of Justice (ECJ) overturned the existing regulation on the so-called “Privacy Shield” in July 2020, US authorities and the EU Commission are working on a successor model. However, an agreement has so far failed due to possible access rights to the data by US secret services.

However, without a valid regulation, there is great legal uncertainty as to what is permitted in terms of data processing and what is not. A series of court judgments are now creating facts – and could thus further complicate the digitization projects of companies and administration.

Because all companies, authorities, but also schools that want to process their data in some way are potentially affected by the problem. After all, US providers such as AWS, Microsoft and Google are market leaders for IT infrastructure from the cloud, and their services promise scalability and innovation.

But there is also the danger that secret services in the USA could access the data. The EU General Data Protection Regulation (GDPR) therefore prohibits any transfer of personal data to a non-EU country unless that country can guarantee an “adequate level of protection” for the data. This is currently not the case in the USA.

Procurement Chamber comments on sensitive issue in data transmission

But what does that mean in concrete terms? The Baden-Württemberg Public Procurement Chamber recently ventured into this sensitive data protection territory. The judges in Karlsruhe ruled that a transfer of personal data to a third country also takes place when the server is operated by a company based in the EU that belongs to an American group. “Conceivable” access options through the parent company are therefore sufficient.

Thilo Weichert, former data protection officer of Schleswig-Holstein and now a member of the Netzwerk Datenschutzexpertise, sees it similarly: the transmission of data to the USA is a problem because the data protection rules there are not in line with the GDPR.

And even storing the data on a server in Germany or Europe is not enough, because the USA would have access to the data “without legal control” due to laws such as the “Patriot Act”. He therefore describes the decision of the Baden-Württemberg Public Procurement Chamber as “not entirely surprising”.

Following the ECJ ruling, other courts have also confirmed that data protection must be interpreted strictly. The district court in Munich, for example, ruled in January of this year that Google Fonts could not be embedded on a website because the group could thereby obtain the user’s IP address.

In December last year, the administrative court in Wiesbaden had already banned the use of a US cookie manager. Although that specific ban was later lifted by a higher court, the uncertainty among users about the data protection compliance of US services remained.

The current decision of the procurement chamber concerned a platform for digital discharge management for hospitals, operated by Recare Deutschland GmbH, which had been awarded the contract in a public procurement procedure even though it used a subsidiary of a large US tech provider for data processing.

A competitor, Pflegeplatzmanager GmbH, objected, pointing out that its own offer would not transfer any data of patients and those in need of care to a third country. The chamber stated that Recare should have been excluded from the public procurement procedure. It is “irrelevant whether the server through which the data is made accessible is located within the EU,” the reasoning went.

Now the Higher Regional Court must clarify the question

The decision is not yet final; Recare has appealed to the next higher instance, the Higher Regional Court (OLG) Karlsruhe. The Higher Regional Court has scheduled a hearing for August 31, 2022, after which a decision will be made.

Photo: Ulrich Kelber, Federal Commissioner for Data Protection and Freedom of Information (BfDI). (Photo: IMAGO/Metodi Popov)

The Federal Data Protection Commissioner (BfDI) does not want to comment on the court’s decision on request. However, a spokesman points out that public authorities should only use service providers who offer sufficient guarantees that the GDPR will be complied with.

“The use of IT service providers with a US connection can lead to the IT service provider not fulfilling these guarantees if the personal data is not sufficiently protected against access by US authorities,” it says.

Whether this danger actually exists depends on the “specific data processing”. The BfDI therefore advises checking carefully whether these service providers could be obliged to release the data under US law.

Stephan Schuldt, lawyer at the Gruendelpartner law firm, which represents Pflegeplatzmanager GmbH during the proceedings in Baden-Württemberg, says: “The challenge will be to create legally compliant foundations and solutions in individual cases.” providers and their European subsidiaries would no longer be permissible per se.

Municipalities feel left alone

But the obligation to ensure that data access by US secret services is ruled out lies with those who use these services: companies, municipalities or schools. That is a mammoth task, especially where IT can only be handled on the side, as in schools or small town halls.

Philipp Stolz heads the staff office for digitization in the municipality of Salach in Baden-Württemberg, which has a population of almost 8,000. His municipality can afford an external data protection officer who can be consulted on GDPR questions.

“But in small municipalities that only have five employees, you won’t be able to worry about data protection,” says Stolz. Of 38 municipalities in his district, only seven have anyone who takes care of digital issues full-time. Otherwise, the topic is often looked after on the side – by the mayor, for example.

There is not much support from the federal or state government, reports Stolz. However, there are more and more bans: the state data protection officer recently banned the MS Office 365 cloud service for all schools in the state.

To be able to keep selling their products, some of the affected IT companies are responding to the data protection concerns. They are developing offerings with additional safeguards, referred to in marketing jargon as “sovereign clouds”.

Google customers, for example, can use the American group’s infrastructure, but leave operation and control to T-Systems. Employees of the Telekom subsidiary are supposed to control access to the servers.

Microsoft is pursuing a similar concept: Delos Cloud, a joint venture between SAP and Arvato, is to operate the US group’s cloud services in its own data center in the future, for example for customers from the public sector.

The goal: Authorities from the USA should not have access to the data of European citizens and companies through this construct. The companies promise that data protection is already built in.
