Safe harbour Europe
15 Dec 2020
Protect your company data effectively with European Cloud Providers and Software Manufacturers
The Cloud Act of 2018 gave US authorities the power to access company data even when that data is stored on servers abroad. This affects every company worldwide that has at least a branch office in the United States. The General Data Protection Regulation (GDPR), which also came into effect in 2018, became the counterpart to the Cloud Act and represents a different legal standpoint on data protection and data security at EU level. The new regulation has had a far-reaching impact on European companies seeking digital signature solutions: if a cloud provider has a branch office in the United States, the Cloud Act obliges it to grant access to its customers' personal data. The solution is to work with a European provider.
July 17, 2020 will go down in data protection history. On that day, the Court of Justice of the European Union (ECJ) ruled that the level of data protection offered by the EU-US Privacy Shield did not meet the requirements of the GDPR. The agreement had been designed to provide a mechanism for meeting data protection and data security requirements when transferring personal data. In its judgement, however, the Court contradicted the EU institutions that had given the green light to the agreement back in 2016. At that time, the prevailing view was that the United States offered a level of data protection equivalent to EU standards. With the judgement of the European Court of Justice, that adequacy decision is now history.
One of the reasons was the Court's strict view of the Clarifying Lawful Overseas Use of Data Act (Cloud Act). It was enacted for the purpose of criminal prosecution to grant access not only to the data of companies based in the United States but also to the data of US companies held across borders. According to the ECJ, the Cloud Act also covers the collection of both personal and company data, and a branch office in the United States is sufficient for it to apply.
No personal data transfer to United States
According to the ruling in the ‟Schrems II” case, named after the Austrian data protection activist Max Schrems, there was a violation of the GDPR. As a consequence of Schrems and his constant complaints against Facebook, significant obstacles have been placed in the path of personal data transfers to the United States. A valid adequacy decision under Art. 45 GDPR for the transfer of personal data to the United States will not be possible as a consequence of Schrems II. Data transfers within the European Economic Area, in turn, are compliant with the GDPR.
‟Basically, all companies have to comply with their legal data protection obligations every time a personal data transfer takes place. With Schrems II this gets complicated when a company opts for a cloud applications provider based in the United States,” says Hannes Harlander, Data Protection Manager at XiTrust. ‟In this case, there is even the real risk that, upon request of the United States authorities, data is disclosed from cloud applications, even without an obligation to inform the end user. In the worst-case scenario, this could lead to a violation of the GDPR by the Data Protection Authorities (DPA), and this can get quite troublesome, since draconian penalties might be the result. These penalties could reach up to 20 million euros or even up to 4 % of global sales.”
Obligation to provide evidence for companies
To leave no doubt about the seriousness of data protection and security under the GDPR, the Information Commissioner’s Office (ICO), the British data protection authority, threatened the Marriott hotel chain in 2019 with an astounding fine of 110 million euros for an infringement of the GDPR: the company was held responsible for a leak that exposed the data of millions of customers.
‟When European companies process personal data in the cloud, they are held responsible towards the DPA (Data Protection Authorities) and they must provide evidence that the data protection level is compliant with the standards set by the European Union,” explains Hannes Harlander. ‟By definition, this also includes software for the creation of digital signatures. The standard contract clauses between US providers and European customers are not enough according to the regulations established by the Schrems II judgment: just like the US software used, these agreements are not considered to be GDPR-compliant.” Harlander adds: ‟According to the current legal situation, the (legally) most appropriate solution is to choose cloud providers with data centres exclusively in the European Union, or alternatively, to choose a GDPR-compliant European on-premises software solution at one’s own data centre.”
Least possible amount of data
All processing of personal data by MOXIS in the cloud complies with the standards of the GDPR in a number of ways: for electronic signature folders, both the privacy by design and the privacy by default principles guarantee fulfilment of the GDPR (see box), unlike comparable US software. Neither requirement is a “nice-to-have”; both are prerequisites for data protection and security within the European economic and legal area under Art. 25 of the GDPR.
In practice this means that the amount of data MOXIS processes is kept as low as the GDPR demands. Personal data is processed in a distributed manner and stored separately, and it is hosted in certified European data centres. Companies that work with MOXIS therefore remain in full control of the processing of their personal data, and MOXIS users are always able to provide the DPAs with evidence of compliance with all related legal provisions.
Privacy by Design & Privacy by Default: MOXIS is GDPR compliant
Privacy by Design: data protection through creation of technologies
- MOXIS fulfils data and privacy protection requirements when designing processing operations and data processing systems.
- With MOXIS, the planning, architectural design, modelling, implementation and use of data processing systems can be carried out efficiently with minimal interference with personal data.
- Responsible European companies may only use products that fulfil Privacy by Design requirements. Only in this way can they guarantee to the data protection authorities that personal data is processed in compliance with the GDPR.
Privacy by Default: data protection friendly pre-configuration
- In MOXIS, all systems and configurations are set up so that only the personal data required for the respective purpose is processed.