In 2021, enterprises will continue to encounter many challenges that they need to address: strengthening data security, ensuring verifiable compliance with applicable data protection laws, and maintaining effective protection of intellectual property will continue to be persistent issues. For enterprises, all three of these aspects apply to their data exchanges with third parties and are particularly relevant for data flows to the USA, which creates a need for action. Data transfers from the EU to the United States urgently require a robust and long-term legal basis, especially since the trend to shift data to the cloud is ongoing and has been creating fresh precedents on a daily basis, making that need all the more pressing. In the search for real data protection and digital sovereignty, the European GAIA-X project is therefore coming into focus as a potential remedy.
Note: This blog post is the first in a series of five dealing with data security and data sovereignty for enterprises. First, we will explore which fundamental problems enterprises face in the transfer of data between Europe and the USA. For this purpose, we will discuss the most important legal foundations of the past years, including a closer look at the GAIA-X project, which is planned to offer a European alternative for digital sovereignty as well as data protection in accordance with European standards. An assessment of this project's current status as it pertains to companies will be made. Finally, a prognosis will be proposed as to which viable paths enterprises can take regarding data security and maintaining control of their data.
From the Safe Harbour Agreement to the CLOUD Act: Data protection in Europe and the United States
It has long been known that Europe has a fundamentally different approach to data handling than the USA. The storage, processing, and transfer of data - including data for commercial purposes - is handled much more liberally in the United States than in the European Union. Legislation that provides a legal framework for the handling of data at approximately the same level as the GDPR exists in only one state: California.
On 1 January 2020, the California Consumer Privacy Act (CCPA) came into force; its goal is to strengthen data protection and provide consumers in California with more rights over what happens to their data and who can use it. The CCPA thus shows clear parallels to the GDPR both in its intention and objective. It has the potential to set a precedent in the US and serve as a template for future nationwide legislation, which constitutes an important step towards greater data protection and improved consumer rights. To date, however, the CCPA is limited to California and the US is still far from having comparable legislation on a national level.
To ensure that the personal data of European citizens was protected by GDPR-compliant rules after it had been transferred to the USA, deals such as the Safe Harbour Agreement and the EU-US Privacy Shield were drafted and implemented to address the shortcomings of nationwide data protection in the USA.
Legal pillars for European companies' data transfers to the US: Privacy Shield and Standard Contractual Clauses.
As it turned out, these agreements did not last very long: the European Court of Justice (ECJ) overturned them both, as in practice they did not live up to the agreed data protection standards. The ECJ's rulings were a slap in the face (and a well-deserved one, some might argue) for the politicians who had passed the agreements despite warnings from data protection advocates. The ECJ's rulings were also a clear indication that future agreements of this kind must deliver genuine data protection if they are to be upheld. This creates an impasse because US providers are subject to American legislation such as the PATRIOT Act, the USA FREEDOM Act, and the CLOUD Act, and these acts ensure that authorities and intelligence agencies have access to the personal data of EU citizens. On top of this, there is also the concern and suspicion that commercially lucrative data from the EU can (and will) be tapped on the American side.
There has been a trend, on the consumer side but also among companies, to shift all things data to the cloud, where US providers hold the dominant market position. As a result, an enormous volume of data continues to flow to the US, particularly via third-party providers.
Dominating the cloud market worldwide: US service providers.
The ECJ's rulings invalidated an important legal basis for the previous practice of data transfer to the United States in one fell swoop and created enormous pressure on European enterprises to act. As a result, they had to identify all affected data streams and promptly find a legally compliant alternative. According to the data protection authorities, no grace periods would be granted, and violations of data protection regulations might incur severe penalties.
New Standard Contractual Clauses but the same old problem
In November 2020, two drafts of revised standard contractual clauses were published by the EU Commission to regulate the EU's international data transfers, including the transatlantic ones. The revised drafts were informed by recommendations from the European Data Protection Board and the European Data Protection Supervisor as well as the Schrems II ruling of the ECJ of July 2020. Standard contractual clauses are another crucial pillar for the legality of data transfers to countries outside the European Union. The most recent ruling of the ECJ evidently caused enough of a stir to warrant another hard look at them.
It remains to be seen to what extent the new Standard Contractual Clauses will hold up if challenged in court, especially given that the underlying legal conflict between the GDPR and applicable US legislation (and data handling practice) remains unresolved. As long as the large US hyperscalers that dominate the cloud business have to comply with American legislation, any such agreements will probably do nothing more than kick the can down the road, which will likely suffice only until the ECJ's next ruling on the matter.
Scepticism about the new standard contractual clauses as a long-term solution is therefore warranted. Nevertheless, European enterprises require a remedy that provides permanent legal certainty. Solutions are needed that effectively guarantee data protection in practice and ensure genuine data sovereignty. The GAIA-X project was launched with precisely this objective in mind: late to the game, but with great expectations. European enterprises' needs are pressing and their hopes are high.
- What is the German federal government's position on the underlying discrepancy in handling data in the EU and the United States, and does it offer any new approaches to solve this problem?
- What role and significance does the German government assign to the GAIA-X project in this context?
You can find out more on what the German government, as co-initiator and driver, has said about the role of GAIA-X, and on its position on the underlying discrepancy in the handling of data in the EU and the USA, in this blog post.