Rolf H Weber · Dominic Staiger Transatlantic Data Protection in Practice www.ebook3000.com Transatlantic Data Protection in Practice Rolf H Weber • Dominic Staiger Transatlantic Data Protection in Practice www.ebook3000.com Rolf H Weber Faculty of Law University of Zurich Zurich, Switzerland Dominic Staiger Zurich, Switzerland ISBN 978-3-662-55429-6 ISBN 978-3-662-55430-2 (eBook) DOI 10.1007/978-3-662-55430-2 Library of Congress Control Number: 2017947497 © Schulthess Juristische Medien AG, Zurich - Basel - Geneva 2017 Co-Publication with Schulthess Juristische Medien AG ISBN 978-3-7255-7715-6 www.schulthess.com Published by Springer-Verlag GmbH Berlin Heidelberg 2017 This work is subject to copyright All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed The use of general descriptive names, registered names, trademarks, service marks, etc in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations Printed on acid-free paper This Springer imprint is published by Springer Nature The registered company is Springer-Verlag GmbH Germany The registered company address is: Heidelberger Platz 3, 14197 Berlin, Germany Foreword Information technology and communication tools have fundamentally changed the way in which humans as well as businesses operate and interact The caused challenges include automated data processing between machines as well as artificial and swarm intelligence being able to draw conclusions from a wide range of data The global data flows are exposed to many different legal frameworks of sovereign nation states The lack of legal interoperability leading to a fragmentation of the normative environment jeopardizes the success of the technologically possible information exchanges This assessment is particularly relevant in the field of data protection law The different levels of data privacy rules in the European Union and in the United States of America have already provoked many political and legal debates This publication analyses the potential conflicts in the light of their risks to enterprises and the way in which US-based cloud providers react to the uncertainties of the applicable data protection rules Furthermore, the study provides recommendations on how to navigate the practical challenges and limitations in this field based on a lack of awareness related to the precise consequences of the processing operations within an enterprise in view of the given data protection framework The legal considerations are relying on an empirical investigation done with US cloud providers The qualitative interviews conducted during July and August 2016 in California were set up in an open format with an introductory phase and a subsequent focus an data protection and data security issues based on the experience of the interview partner This (otherwise not chosen) combination of empirical and normative work allows the development of new insights into the difficult application of data privacy laws V www.ebook3000.com The authors would like to thank Dr Bonny Ling, PostDoc Research Assistant at the Center for Information Technology, Society, and Law of the Law Faculty of Zurich University for the linguistic review of the manuscript and the Foundation for Academic Research of the University of Zurich (Stiftung für wissenschaftliche Forschung an der Universität Zürich) for the financial support which made this research possible Zurich, in February 2017 VI Rolf H Weber / Dominic N Staiger Table of Contents Foreword V Table of Contents VII List of Abbreviations XIII Bibliography XVII I Books, Journals and Website Materials XVII II Statutes XXXI Part 1: Introduction A Trans-Atlantic Privacy Challenges B Characteristics of the Cloud Environment I Overview II Cloud Governance Approaches III Political Context of Regulating the Cloud C Functions of Technology and Law in the Context of Privacy 10 I Technical Solutions 10 II Flexible Laws and Regulations 13 Part 2: Legal and Regulatory Framework 16 A Regulatory Concepts for Data Privacy 16 I Overview of Influencing Factors 16 II Technology-Based Model 17 III Market Forces 19 IV Behavioral Factors 19 B Data Privacy as Policy and Regulatory Topic in the EU 20 I Tensions between Fundamental Rights and Regulatory Frameworks 20 II EU Digital Market Strategy 22 III Data Protection Law Reform 24 VII www.ebook3000.com Table of Contents C Principles of Data Protection and Privacy in the US 26 I Evolution of Data Protection in the US 26 II Current Data Protection Framework 27 D EU Data Protection Framework 30 I Processing Authorization 31 II Processor v Controller 32 III Data Transfers Outside the EU 35 IV Information Requirements 37 V Fines and Penalties 38 E US Data Protection Framework 39 I Introduction 39 II Privacy Act and Wiretap Act 41 Privacy Act 41 Wiretap Act 41 III US Surveillance Framework 42 Patriot Act 42 Foreign Intelligence Surveillance Act 43 Cybersecurity Information Sharing Act (CISA) 46 US Freedom Act 47 Use of Metadata 51 Use of Big Data 52 IV Sarbanes-Oxley Act 53 V Selected State Statutes 54 F International Trade Law and Privacy 55 I EU Data Protection Law and GATS 55 General WTO Law Principles 55 Grounds for Justification of Trade-Restricting Measures 57 II Privacy-Related Plurilateral and Regional Trade Agreements 59 VIII Table of Contents Part 3: Practical Implementation of Data Protection Environment 62 A Industry Feedback on Data Protection and Security Challenges 62 I Interview Set-up 62 II Cloud Trends and Challenges 63 Introduction to Cloud Services 64 Costs in the Cloud 64 Latency in the Cloud 65 Identifying Personal Data 66 Security Risks 66 III Unique Challenges of Start-Ups 67 Key Challenge for Start-Ups 67 Entering the EU Market 68 IV Processing of Sector-Specific Health Data 69 B Business to Business in the Cloud 71 I Current Developments 71 New Technology 71 Contractual Innovation 72 Challenges for Cloud Vendors 73 Business Consultation Trends 73 Transatlantic Cloud Data Centers 74 II Ancillary Business Services 74 SaaS Human Resource Tools 75 SaaS Application Monitoring 77 Customer Success in the Cloud 79 SaaS Legal Services and Discovery 80 4.1 SaaS Attorney Tools 81 4.2 Discovery in the Cloud 83 4.3 Trends Identified by Law Firms 85 SaaS Communication Tools 86 Extension: Public Services in the Cloud 88 IX www.ebook3000.com Table of Contents C Business to Consumer in the Cloud 88 I Data Protection Implications 89 II Consumer Protection 90 D Big Data Analytics Challenges 91 I Research Issues 92 University and Business Cooperation 92 Big Data Research 92 Anonymization and Big Data 93 II Regulatory Gap 95 III Behavioral Targeting 95 IV Government Data Release 97 United States 97 1.1 Government Data Collection 97 1.2 Freedom of Information 98 1.3 Open Access 99 European Union 100 E Discrimination Based on Data 101 I Big Data 101 Key Elements 101 Credit Scoring 103 Employment 103 Higher Education 104 Criminal Justice 105 II Use of Personal Data in Big Data Processing 106 F Compliance and Risk Mitigating Measures 109 I Privacy Management Programs 110 Achieving Data Protection Compliance 110 Privacy Operational Life Cycle 112 Communication and Training 113 Response to Data Protection Issues 114 Compliance Toolbox 115 Contractual Measures 116 II Non-disclosure Agreements and Internal Protocols 118 X Interview (SaaS) implemented in the various cloud systems This includes decoupling infrastructure and a mapping across all available (contractually agreed) jurisdictions AWS offers 4-7 different deployment models that allow for compliance with the EU data protection la was they allow a sole processing in the EU A: Are compliance cost with regard to data protection an issue or can a provider such as AWS offer complete packages for smaller businesses? B: Yes, costs are always an issue The EU data protection laws add another layer of complexity For smaller providers having a certified and secure structure provided by AWS is essential in being able to prove compliance A: How you in your daily work ensure the security of your clients cloud systems and what you look out for? B: We generally offer everything from a simple check to a full assessment which includes policy and procedures, disaster recovery systems IV Interview (SaaS) A: Please briefly explain your business operation B: We store and manage legal documents for big enterprises in the cloud and facilitate the hiring of specialized attorneys for various projects A: What types of data you process? B: We process various forms of data Our job is mainly administrative as we facilitate the billing of attorney hours and enable an efficient selection process Our clients upload their data which could be anything from a NDA to a sophisticated commercial contract or M&A transaction to our cloud server from which our attorneys access the data This data is siloed off from other data to make sure only the client and attorney get access to it We don´t know and not want to know what is in the documents We only collect the document IDs which contain information on our client and the type of document However, we not know who the other party is nor what the content of the document states 145 www.ebook3000.com B Interview Summaries A: Do you use your own servers or a third party vendor? B: The software we use is our, however, infrastructure-wise we use Amazon Web Services A: What is your main concern in relation to data protection within your company? B: As we are storing a lot of confidential information that contains legal privilege as well as commercially valuable information our main concern is a data security breach This is why we vet out attorneys very carefully and require them to fulfill a two layer authentication in order to login to our systems Furthermore, they are required to encrypt their hard drive on their laptops in order to ensure nobody can gain access to data through a lost or stolen device They receive a list of specific requirements from us at the beginning which they must implement and we then check whether this has happened Often there are a few things missing which is based on the fact that attorneys are often not so familiar with the technology Sometimes they complain that the login process is too complicated but we then explain to them the risks involved with the data they handle and that this is necessary to protect their clients A: Do you sometimes get push backs from your business clients on how you handle data? B: Sometimes the more sophisticated clients send us a list with questions on our processing operation we must answer So far everyone was happy with the response we provided Sometimes smaller enterprises raise questions as to the security of our cloud storage In these cases we show that large international corporations with sophisticated IT and legal teams have evaluated and trust the way we handle things This goes a long way in convincing clients We are in the market for years now and we have experienced a slightly higher awareness to data breaches However, as we are dealing with large commercial clients they understand the risks involved and that no system is 100% save Our main concern is that the login credentials are shared by our customers within a department and thus this could lead to a data breach We make sure we inform the customer of these risks and highlight them in our contract 146 Interview (SaaS) A: Do you have any exclusion clauses or cloud insurance to limit liability? B: We use the standard contractual exclusion clauses which exclude liability beyond what is outside our control We only have a general insurance but no special insurance for data security breaches or the cloud operation per se As we are growing this may be something to look into A: How your clients and their attorneys communicate? Through your platform? B: We not have a communication tool on our platform but we are trying out Slack (a cloud based communication tool) Most of this communication is still done by phone A: Do you carry out any analytics? B: Yes, we use the document ID data to compile reports for our clients such as how many leads on potential investments a certain party has sent them Additionally we collect information contained on scorecards to calculate the average turnaround time of documents such as non-disclosure agreements as well as escrow percentages and so on A: Do you have any sensitive information on your servers such as health data? B: I would say no We not want to know what the documents contain, thus I cannot give you a definitive answer on that Our clients are mostly financial institutions, real estate firms, thus it is unlikely that they would store such data on our servers A: Are you thinking of expanding to the EU? B: We are currently not pushing this actively Some of our clients have offices in London and would want us to also offer services there but so far we have not considered this option as the EU laws are very diverse and not an ideal market for us as we seek to process high volume legal documents We have had clients dealing with issues in a transaction involving a confidential sale of a EU based company and the issues involved in transferring data for due diligence purposes to the US But we have not so far 147 www.ebook3000.com B Interview Summaries been directly affected by these laws as we only deal in the US B2B business currently V Interview (Consulting) A: What are the main concerns of your clients in regard to data protection? B: We see clients are having various issues with locating data For example, when a Chinese company has a subsidiary in the EU and the US During a discovery process one must analyze the systems and ensure that the data can only be viewed on screen in China but no alteration can be made This is a far from optimal solution as one could take a photo from the screen However, the reality is that compromises must be reached In relation to discovery and EU data we had to deal with employee data In this context, a US company acquires waivers from their employees which is generally not a problem However, in the EU specialized labor attorneys are necessary A: Having a look at disclosure and data protection, have you experienced problems with third party disclosure? B: Yes, we have mostly dealt with this issue by getting to court to grant indemnity in certain cases However, it is easy to argue as third party that local laws would be violated by the disclosure This is a fine line to walk and it depends on the circumstances If you are the party generally you will not be able to get away with it A: Yes, the Microsoft case dealing with disclosure of data on an Irish server has at least closed the argument of extraterritoriality of the stored communication Are there other forms of data that present issues for your clients? B: We see issues in relation to health data for example in pharma studies which are hard to anonymize Here a court protection order is essential when disclosure is sought during a discovery procedure A: You use a cloud infrastructure for your data? B: For discovery we use AWS together with one of the big discovery companies such as EverLaw or Logical However, we vet every vendor very 148 Interview (Consulting) carefully This includes onsite checks during which I have a look at the security and infrastructure This includes a security assessment and technology testing as well as sometimes penetrative testing by a third party A: Do you see trends or changes on the side of your clients with regard to data protection? B: Most customers use disclaimers with escape clauses which grant them the flexibility to react to changes in data protection law in order to get out of M&A deals or other transactions This has become an increased risk in the last years We also see a higher use of employee records in relation to a varied number of issues relating to performance or compensation The UK vote to leave the EU has also sparked change and may require a shifting of the server locations to other Member States A: Is there a trend where to move the data in the EU? B: Switzerland is generally seen as country where data can be transferred in and out easily There would be some hesitation to move the data to Germany as the framework there is too strict However, the costs in Switzerland are a big factor A: Is there a trend to use more private cloud or you see an even distribution? B: The trend has been to use a private cloud as it is simply more secure There are many public cloud offerings out there which use hybrid cloud infrastructure which is anything but safe These tools are highly effective for example there is great project management software out there However, the risk is when this is combined with internal communication (i.e Slack) and the risk for unwanted disclosure rises These tools could be used to breach a formerly secure system which is why many large corporations have concerns when using these A: Why is the security of these systems not improved? B: Mostly these systems are designed by young start-up companies which want to provide a service at low cost This requires hybrid cloud use Furthermore, the dichotomy of ease of access and security is still hard to 149 www.ebook3000.com B Interview Summaries bridge For us as a law firm or out clients we cannot recommend using these systems A: How you protect against unwanted access in your firm? B: Our access is on a need to know basis There have been various cases in which first years have left law firms to join investment firms after supplying them with merger information which they gained access to through the electronic documents Today, only a person on a case gets access to it Often our attorneys may not know what other cases the firm handles as they not have access to any case files beside their own cases A: Have there been any changes or reactions after Snowden? B: Yes, especially the Panama Papers have had an impact Since then security has been further prioritized in law firms and other companies A: Do you use standard software such as Office 365 in the Cloud? B: We use Office storage in the cloud which allows us to store data HIPAA compliant Microsoft provides a good solution in this regard which is adjusted to the type of data However, we have a problem with using the software remotely as this allows Microsoft to push updates at their will without our approval This may create problems with our security systems or infrastructure and may compromise the integrity of our systems Without a function to object to such updates we cannot use this system VI Interview (SaaS) A: Please explain your business operations, I understand you are providing a SaaS monitoring service? B: We are a leading provider of performance monitoring of applications These services are either provided on premises on the infrastructure of the customer or on a SaaS solution in the cloud for which we use AWS Our customers with sensitive data such as banks tend to opt for the on premises version of our offering Let me explain the way in which it works: 150 Interview (SaaS) The so called agents monitor according to the type of service the customer has chosen performance of databases, servers, java engines etc They then take the information and send it to the control which is the brain of the processing operation In the most sophisticated version we can monitor the performance of the entire infrastructure end to end However, at no time we see the content that is processed This is very important to us and is implemented in the architecture of the system We also ensure contractually that the customer does not design any application to allow us to access data For example take the example of an e-commerce shop It is accessed through a browser or shopping app of which we monitor performance The most personal data we get in this context is maybe the IP address of a person in order to ascertain the area from which the data originated A: Why did you select the AWS system? B: It is the biggest player on the market and offers the full package of price security and scalability A: Do you have any products that collect personal data or allow for analytics? B: We only have one product that is currently being developed that may include a minimal amount of personal data It is a log product that mines the log files for analytics again in order to identify issues However, in this process the mentioned IP addresses as well as geo data is collected The client is, however, able to insert all sorts of information into its log files We are trying to prevent this by clearly stating in the contract that this is not to happen and that the client will be liable for any data that comes from these files should there be personal data included Some of our clients rely on their own on premises infrastructure and in these cases we are bound by their technical constraints However, we always contract proactively against access to personal data In this regard our software engineers make sure that our software does not allow access to anything else than performance data 151 www.ebook3000.com B Interview Summaries A: have you seen any shifts in relation to the contracting with a view to data protection? B: Yes, data security terms in contracts are becoming much more explicit Often we will see a list in form of an annex including a wide variety of scenarios which will be defined as a data security breach as this will ultimately play a role when one of the parties seeks damages In the US the risk allocation is not so much done by law but rather through commercial practice There has been no or limited FTC enforcement in this regard Most vendor contracts seek a carve out for data breaches which ultimately shifts the unlimited liability of a security breach on us as service provider We don´t want this risk and we cannot actually take on this risk as it would potentially ruin us What we are also seeing is a shift from data breaches to an introduction of essentially the same liability through the breach of confidence provisions These breach of confidence provisions not have a liability cap and the client will argue that the breach involved confidential data which will trigger the liability provision Our focus in these cases is to clearly distinguish both a breach of confidentiality and a data security breach This is done by having a large annex which will include all particulars of each available scenario and thus will allow a categorization of the risk into two categories for which we then can agree on liability caps A: What you in relation to the EU data protection framework? B: We have a subsidiary in the UK which carries out the privacy protection audits We have acquired a form for these procedures which lists all the steps and factors we need to account for In the transfer context we use mostly model clauses for controller to controller and controller to processor contracting when we are engaged as a customer This includes a deŠ’•ŽȱǮ™•Š¢‹˜˜”ȃȱ˜ȱ‘˜ ȱ Žȱ‹ž¢ȱœ˜ Š›ŽȱŠ—ȱœŽ›Ÿ’ŒŽœǰȱ‘Žȱdecision-making process, information on what data is collected and transferred to whom and where Often arguments arise in the classification of service providers where it is unclear whether a party is a controller or processor In these cases we mostly agree on a processor agreement as both arguments can be 152 Interview (SaaS) made and the contracting party does not want to take on the obligations of a controller Our UK subsidiary has received a power of attorney from all EU subsidiaries to enter into these model clauses which enables us to only make on agreement for the EU A: Have you explored the possibilities of using BCRs? B: Yes, we are currently looking into that However, the downside are the costs involved On the positive side it is a good marketing instrument as it signals to our customers that we have one framework for their data processing Our C-Level is also interested in the security aspects of the BCRs One other market trend we have seen is also the uncertainty around the steps necessary to achieve compliance and a closer focus on what the actual product does Most software developers will now focus on security related product features built into the design This is also a demand by our business customers A: Do you see any movement when it comes to analytics or Big Data? B: Yes, there is a trend to use more analytics However, for our service personal data is not necessary, so we are very free in using Big Data and analytics VII Interview (SaaS) A: Please describe your service offering to me B: We provide for an electronic discovery platform which enables our clients to conduct an efficient and targeted discovery process The data is currently supplied to us for preparation and then uploaded into the cloud from which the customer can conduct its discovery process We are hoping that over the next months we can finalize our preparatory steps such as adjusting formats etc in the cloud without the needs to get the data on premises 153 www.ebook3000.com B Interview Summaries I can recommend the Field Guide to Data Privacy Law book by Lothar Determan which gives a good example of the compliance issues with regard to data protection A: Thank you I will check that one out How you approach the issue of data protection? B: We have encountered various issues in relation to data protection, privacy and confidential data Currently we mainly only operate in the US However, as we service large international corporations we also see requests pertaining to other jurisdictions such as the UK and Australia In order to explore these issues we have recently opened a subsidiary in Australia with a local instance of our service aimed at enabling electronic discovery in Australia This instance runs on the AWS systems in Sydney With a tool called NewX we can soon get the data directly and transfer it into our system called Everlaw Some compliance questions that have come up so far touch on the unique nature of the national law in Australia In order to have an Australian domain we had to register a business there which then must be accompanied by a trade mark A: Where you feel that data protection may become the biggest concern for your business? B: Our systems are self-learning and currently this process is hindered by boarders as for every instance we must relearn the system This leads to work being done twice and efficiency being lost When we are able to mingle data across various instances the accuracy increases Also we would like to aggregate anonymous data in order to improve user experience Often we seek consent for actions that go across jurisdictions However, as the data volume and types of data are so vast the consent may touch upon third party rights and thus is not necessarily adequate The recent second circuit decision in the Microsoft case has at least set the signal that the courts will reign in the national legislation which intends to expand its scope beyond the US This trend is beneficial for enterprises seeking legal certainty as to how to operate and which laws to apply when dealing internationally 154 Interview (SaaS) Our architecture is designed in a way that that nothing remains on our Œ•’Ž—Ȃœȱœ¢œŽ–œȱŠ—ȱ‘ŠȱŠŒŒŽœœȱ’œȱ˜—•¢ȱ™˜œœ’‹•Žȱ‹¢ȱ ˜ȱ Š¢ȱ’Ž—’’ŒŠ’˜—ȱ through so called tokens With regard to discovery in foreign jurisdiction we have used systems were the data is only displayed in a foreign jurisdiction without being stored there This is how we get around the copyright issues as there is no ȃ™Ž›œ’œŽ—ȱœ˜›ŠŽȄǯȱ‘Žȱ•’’Š’˜—ȱŽ¡ŒŽ™’˜—ȱ’—ȱ‘ŽȱȱŠŠȱ™›˜ŽŒ’˜—ȱ•Š ȱ also enables us to carry out our operations as we process data for the litigation of our clients A: Do any issues arise in the context of processing this valuable client data in the cloud? B: Mainly the issue that most often is raised related to the security of the data Our data shares the underlying hardware in the cloud however there is an encryption layer to prevent the data from being accessed by the other instance A: How you account for the data protection and compliance risks in your contracts? B: We generally use compliance checklist in order to limit our exposure However, the power to shift liability comes down to leverage meaning which party wants the contract most In any case the processing infrastructure must be ready for review which is why the AWS ensures that it maintains certifications and other documents enabling an assessment of compliance with security, data protection and other relevant laws As we are working with some of the major corporations we are able to leverage their contracts with AWS in order to get better prices for our cloud instance AWS already provides the best protection which provides immediate compliance with most of the important laws Our main concern at the moment lies in the fact that we need access to the data for cloud development whereas our clients want to ensure restricted access In order to address the issues raised by our access we have strong protocols and NDAs in place which ensure that our team does not disclose 155 www.ebook3000.com B Interview Summaries any information As part of our security strategy we conduct external penetration testing and we also have a protocol in cases of breaches as well as with regard to the notification requirements Another point is the need to update the software We routinely push updates into the cloud in order to improve service quality and reduce risks If one of our clients would not want the update we could no longer ensure the security of the system We also work with staggered releases which start with the US and then expand to the EU By the time the EU version is released we will already have eliminated some of the issues that may have presented themselves in the US version A: Dou you have any insurance against risks? B: We have general liability insurance however for the future we may look at further insurance options A: How did you develop your software? Did you rely on any third party software? B: We started off with a blank sheet and programmed our own software Of course we rely on other software which we license because it would not make sense for us to develop it For example language recognition tools which can translate or identify language are already developed and are a commodity for which we would pay This allows us to focus on the core of our business which is to develop the most efficient and reliable electronic discovery tool VIII Interview (CaaS) A: Please describe to me your business operation B: We are a Cloud Communications provider that offers a wide range of communication tools such as SMS, Web-meeting tools, Fax and GLIP which is a communication tool similar to SLACK A: Where is your data being processed? In the cloud or on premises? 156 Interview (CaaS) B: Generally, the data flows through our cloud however we have on premises devices such as headsets or VoIP equipment that is used by our clients A: Do you also offer your service to EU customers? B: Yes we currently have a UK product Our ecosystem consists of the server connection, devices used on premises and the endpoint At some stage a local storage may also come into play A: How you achieve compliance with the EU data protection laws? B: For any transfers of EU data to the US we use the model clauses which enables us to offer customer service from the US for our EU customers DZȱŽȂœȱŠœœž–Žȱ‘Žȱ˜••˜ ’—ȱœŒŽ—Š›’˜DZȱ˜ž›ȱȱ‹žœ’—ŽœœȱŒžœ˜–Ž›œȱžœŽœȱ your communication tool GLIMP One of the UK employees communicates consumer data to a customer representative of the same company in the US This would require a separate justification which falls outside the scope of your contractual clause How you ensure against such use? B: Such a use if of course a problem which we cannot totally control Of course our contract will prohibit such a transfer and our employees are also informed not to use the tool in such a way However, we have very little power to prevent such a use This obligation rests on our contracting party to ensure that it complies with the data protection laws A: How you perceive liability in your contracts? B: The boilerplate agreements are always in favor of the vendors We look for certifications, security terms as well as compliance undertakings with regard to privacy when negotiating a contract Interestingly the EU has evolved around protection of a person whereas the US data protection has focused on industries A: Are you concerned about the fines in the GDPR? B: They are surely an important factor but we are trying our best to be compliant These fines are only attributed if a party has not taken the necessary action whereas we are doing our best to comply We therefore 157 www.ebook3000.com B Interview Summaries not see the risk of a third party creating liability for us by using our service to be a major concern A: How government access rights impact your business? B: This is of course a concern that we take very seriously We encourage clear procedures for government requests and appropriate safeguards However, we also limit the amount of data that we collect Generally we only collect metadata and not the communication itself In our chat function the rule is general first in first out which means that the customer sets the maximum storage it wants Once this is reached the last message send will be deleted and so on We also prohibit certain types of data such as health related data If they want to use this type of data we will terminate the service as otherwise the costs of the service provisioning would eat of any revenue If they want HIPAA compliance a new contract must be entered with higher costs and the appropriate safeguards A: So where are your servers located and what service you use? B: Our EU servers are located in Switzerland and Amsterdam The main reason for these centres are the central location and the good internet connectivity as well as local laws A: Where you see the biggest challenges for data protection and your industry for the future? B: The challenge with data is to understand and know what a company is doing with it The cloud technology as well as the evolution of mobile devices make it increasingly difficult to understand how the data processing is carried out and what data is combined with other data sets BigData and IoT devices will enable formerly unseen connection and analytics which could be used for good and bad However, it should be left to the individual to decide to be subject to such a processing 158 Interview (IT Security) IX Interview (IT Security) A: What trends to you see in the data security field and your line of business consulting? DZȱŸŽ›ȱ‘Žȱ•ŠœȱŽŒŠŽȱ Žȱ‘ŠŸŽȱœŽŽ—ȱŠȱ›˜ ‘ȱ’—ȱœ˜ȱŒŠ••ŽȱǮ™Ž›œ˜—Šœȃȱ‹ŽȬ ing used more widely This means that individuals are using alternate aliases and accounts for different actions which leads to the erosion of privacy to a certain point Also a change in security through more sophisticated encryption which is virtually unbreakable has become the norm in communication Intelligence folks track individuals so called shadows which is becoming increasingly difficult Thus the topic of attributing data to an individual is a core concern in this area I would recommend the book Hide behind the shadows which addresses these issues A: What are the security trends and issues on an international scale when it concerns cloud computing? B: Data is stored and m˜ŸŽȱŠŒ›˜œœȱǮ‘Š›œȃȱ ‘’Œ‘ȱŠ›ŽȱŠȱ›Žšž’›Ž–Ž—ȱŠœȱ the data needs to be stored for liability and redundancy across various data centers A: Would it be possible to store cloud data only in the EU or are there other factors to consider? B: If the data would only be stored in the EU the redundancy and availability would be limited This is the great challenge between technology and the needs of the law A: From a compliance perspective what are the main challenges for technology companies? B: The main issues surround the question of who, what when and where The attribution aspect of data is important for choosing the correct laws Then there is the law itself with the issues of subject matter jurisdiction Here in the US the various state laws differ substantially Mostly customers segment data into EU and non-EU customer data Even US data is often replicated outside the US for example when someone travels the server 159 www.ebook3000.com .. .Transatlantic Data Protection in Practice Rolf H Weber • Dominic Staiger Transatlantic Data Protection in Practice www.ebook3000.com Rolf H Weber Faculty... Demographically Identifiable Information Denial of Service Data Protection Authority Data Protection Directive Data Protection Impact Assessments Data Protection Management Systems Data Protection Officer... III Data Protection Law Reform 24 VII www.ebook3000.com Table of Contents C Principles of Data Protection and Privacy in the US 26 I Evolution of Data Protection in the US 26 II Current Data