Spot checks in companies by data protection authorities

Those who still have their heads in the US clouds may soon be brought back down to earth. High fines for data protection violations have been a topic of discussion from the very beginning. However, as stated by Handelsblatt, German authorities are now intensifying their investigations regarding the use of U.S. cloud solutions.

Data transfer based on the Privacy Shield agreement is no longer possible

An ECJ ruling handed down on July 16, 2020, resulting in the EU-US Privacy Shield being overturned, provides the context for this. Until then, the agreement had served as the legal basis for the transfer of personal data to the USA, thus being the basic prerequisite for compliance with the General Data Protection Regulation (GDPR).

The agreement was declared void because there is a significant contradiction between the EU GDPR and U.S. laws, specifically the Cloud Act and the Patriot Act. These laws grant US authorities far-reaching rights when it comes to data transferred to the USA. They can oblige American providers to grant access to personal data and sensitive company internals as well.

European cloud solutions could offer legal certainty

Cloud storage services, video conferencing solutions, project management software, collaboration tools... a large proportion of companies rely on digital tools for communication, data management and collaboration on a daily basis. The importance of cloud solutions in this regard became apparent at the latest with the onset of the first lockdown, when a large part of the workforce was forced to switch to home offices in order to keep the pandemic at bay. Without these services, however, the change would not have been possible.

Cloud providers from Germany or the EU, such as Stackfield, are subject exclusively to German or European law - hence they are not affected by U.S. laws. For companies this means nothing less than legal certainty. However, if you take a look at national businesses, you will find that the amount of "native" solutions is still relatively low. Numerous companies continue to rely on solutions from US cloud providers - and thus risk violating EU law.

German data protection authorities will undertake deeper investigations

Since the Privacy Shield agreement was overturned, the news have regularly reported incidents, violations and further developments on the subject of data protection. As early as March, there were calls for a ban on Microsoft solutions in the administration. Most recently, a court ruling on the use of the newsletter provider Mailchimp attracted attention and brought the ongoing discussion about the use of U.S. cloud solutions further into focus. It became clear in this case that the conclusion of standard contractual clauses alone is not sufficient. Now, authorities want to expand their investigations.

The aim is to proactively approach companies throughout Germany in the course of spot-checks, asking them to state why they are using tools from U.S. providers. Questionnaires developed by the "task force" of the German Data Protection Conference (DPC) will form the basis for this.

In case the justification fails to be convincing, the company will be required to change providers, as DSK Co-Chair Johannes Caspar told Handelsblatt. However, there could also be heavy fines in case the company fails to fulfill its obligations.

For companies, data protection is a major challenge

The reason why US tools are still so strongly represented on the German market is largely due to the fact that US providers still enjoy a monopoly position in many areas. Microsoft, Amazon and Google "rule the world wide web" and they lead the digital development in many areas. Many of their solutions have been in use within the companies for years. This alone makes it difficult for companies to switch. The lack of alternatives from the European region in some areas also makes it - quite mildly put - an extremely arduous task to find substitutes.

Are hopes for a new data transfer agreement in vain?

Many see the solution to the problem in a renegotiation of a Privacy Shield successor. However, this was not the first time a data transfer agreement between the U.S. and the EU has been overturned. Safe Harbor, the predecessor agreement, met a similar fate. Previous agreements have thus failed, which is why it can be assumed that renegotiations will also be on shaky ground. "If laws like the Cloud Act remain in place in their current condition, agreements like the Privacy Shield will remain under critical eye, and for just as long, there is also a risk that these agreements will be overturned," says Christopher Diesing, COO at Stackfield.

In this context, data protection experts also see a massive need for action in other areas as a matter of priority. What needs to happen in the long term is a strengthening of data sovereignty and self-sufficiency in the digital market. Last year, Berlin's data protection commissioner Maja Smoltczyk already called for a relocation of "all personal data stored in the U.S. to Europe."

However, U.S. giants still dominate the market and in order not to be economically disadvantaged, companies feel a pressure to rely on U.S. solutions.

They do exist: secure alternatives from Germany and the European Union

Yet there are secure alternatives from the European region that can guarantee legal certainty: Cloud storage services that enable data protection-compliant file management on German servers, and project management and collaboration solutions like Stackfield that fully comply with the strict guidelines of the GDPR.

Stackfield includes a variety of the tools that companies use every day, in a closed system that meets all the requirements of the General Data Protection Regulation and is protected to the highest standards. Users can expect not only legal certainty and the certainty that there will be no need to change providers in the long term, but also the highest level of security for all sensitive data - and this includes not only personal data, but also critical company internals. Client-side end-to-end encryption will prevent even the provider from being able to access the companies data.