Data Protection Between Cloud Brake And Cloud Accelerator
The General Data Protection Regulation (GDPR) has now been in force for three years. Hardly any other area has been influenced as strongly by it as the cloud. But has the GDPR proved to be a barrier to cloud use or an enabler? Are the critics who are calling for the GDPR to be amended right? Or is data protection a competitive advantage? Critics say that even the name of the General Data Protection Regulation sounds like bureaucracy. The effort of implementation is too high, and with all the documentation one hardly gets around to actually protecting personal data, one hears in discussions with companies.
Not Only Do Business Associations Criticize
Anyone who thinks that the data protection supervisory authorities have no criticism of "their" GDPR is mistaken. Anyone who speaks regularly with the state data protection commissioners gets an entirely different picture. The supervisory authorities themselves are critical: they see vague requirements, few concrete instructions for implementation, and in places even the wrong addressees. Privacy by design, for example, is an essential requirement, but it is addressed to companies as so-called controllers, although in practice only the manufacturers of IT solutions can fulfil it. Is the GDPR therefore a stumbling block for the cloud and other digital technologies, as surveys by the digital association Bitkom regularly suggest?
But Cloud Users Want Protection For Their Data
If you look at the Cloud Monitor published by Bitkom and KPMG over the years, data protection is consistently seen as a challenge when using the cloud. At the same time, compliance with the GDPR is a crucial selection criterion for the cloud provider, and companies that still do not use cloud services cite fear for the safety of their data as a reason. So companies want data protection in the cloud, but perhaps a different kind of data protection. What, for example, does Bitkom criticize in its "Balance sheet of three years of GDPR"? A lack of EU-wide harmonization, because national special rules make use of the opening clauses of the GDPR.
There are also differing positions among the supervisory authorities, even within Germany. The supervisory authorities see this too; they are themselves unhappy about the positions taken by some supervisory authorities in other EU countries or in neighbouring German states. They hope for and expect specifications and clear guidelines from the European Data Protection Board, which is very active here. If companies that want to use the cloud are unsure how to implement the GDPR, that is undoubtedly an advisory task for the supervisory authorities, which must be better equipped for it. However, many of the points that cause uncertainty are not caused by the GDPR itself but by the complexity of the subject of data protection.
Cloud Privacy And The Privacy Shield Example
The extent to which data protection and the GDPR influence cloud use is shown by the end of the Privacy Shield. Many cloud users have still not drawn the consequences. This is not due to the GDPR, however, but to the difficulty of implementing the judgment of the European Court of Justice (ECJ) in practice within companies. In an information campaign on data transfers to third countries, the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate, Prof. Dr. Dieter Kugelmann, said: "Anyone who has not yet reacted to the new legal situation should take action immediately." As part of this campaign, the state data protection commissioner has written to dozens of companies, associations, and government agencies in Rhineland-Palatinate to prevent violations when data is transmitted outside Europe. According to the ECJ's ruling last year, some data transfers must be placed on a new legal basis.
In the letter that has now been sent out, the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate writes: "I strongly advise that all data processing operations in your company that are connected with third countries be checked for their admissibility using the test scheme provided by my authority, and that any need for action be identified in order to stop or prevent data protection violations as quickly as possible. Anyone who processes personal data automatically often transfers it, unknowingly, to countries outside the European Union or the European Economic Area, and is thus walking on thin ice in terms of data protection law. In the course of this year it will be our task to check whether data protection violations have occurred and whether sanctions need to be imposed. Before that, my staff want to raise awareness among companies and authorities once again." In its decision of July 16, 2020, the ECJ determined that transfers to the USA can no longer be based on the so-called Privacy Shield.
Standard data protection clauses for transfers to third countries are generally only sufficient in combination with effective supplementary measures if the controller's own examination has shown that an equivalent level of protection for personal data cannot be guaranteed in the recipient country. In many cases, the ECJ's judgment requires a fundamental restructuring of long-established business models and processes. The Court has also made clear that it expects supervisory authorities to "suspend or prohibit" improper transfers. In many cases, the suspension of a transfer can probably be achieved in cooperative dialogue with the company; where this is not possible, the supervisory authority says it will respond with the supervisory measures available to it. According to the information letters that have now been issued, there will be random checks.
Business Can And Should Help Shape It
There is therefore an urgent need for action at many companies with regard to their cloud use. What is lacking is not specifications but implementation. And implementation makes sense, because otherwise sanctions from the responsible supervisory authority may follow. Data protection is regarded as a competitive advantage and is essential to cloud users.
If more specific requirements for cloud services are demanded, or the GDPR is suspected of being unclear, business should pay more attention to an instrument that the EU Commission already highlighted in its evaluation on the occasion of two years of the GDPR, but that is still not used in the way the GDPR allows: the code of conduct. If you look at the GDPR's legal requirements for processing on behalf of a controller (Article 28, which is indispensable for cloud computing), you will see that not only data protection certifications are mentioned as possible evidence of sufficient guarantees, but also approved codes of conduct. Unfortunately, there are still not many of these, although they could also help to settle cloud-specific questions.
Nothing Should Be Set In Stone
Three years of applicability of the GDPR would be a good occasion for associations and companies to develop and have approved further codes of conduct, as this would make the further implementation of the GDPR significantly easier. Hence the appeal once again: it is worth considering all the existing possibilities and instruments of the GDPR and using them to advance data protection and optimize the implementation of the GDPR. Drafting and approving codes of conduct will take some time, but one can imagine that results will be seen more quickly here than with amending the complex EU legislation. The current GDPR can do more and offers more than has been used so far. Despite all the criticism and all the weaknesses of the regulation, it can still help to turn data protection into an advantage if design instruments such as codes of conduct are actually used.