Protecting international data exchange
Nearly all companies send data to other countries in the course of their daily work. For globally active groups this is a matter of course, but smaller and medium-sized companies from the coatings and paint sector also need to pay attention to this issue. After all, they too use office software, video conferencing systems, newsletter services, web tools or cloud services provided by American IT giants. Even if the tools are initially operated from servers within the EU, the data are still frequently stored by the parent group in the US or other countries. When it comes to personal data, such as names and postal addresses, e-mail addresses, bank details, order data and so on, this is an issue, because the US is seen by the EU as a “non-secure third country”. Since the introduction of the European General Data Protection Regulation (GDPR), companies which commit breaches of data protection have been threatened with huge fines.
Sending data to third countries
The statutory regulations for international data protection vary depending on the countries between which the data is transferred. States outside the EU are divided into two groups.
a) Secure third countries
Secure third countries as defined in the GDPR are states which are certified by the European Commission as having appropriate levels of data protection. This means that national laws guarantee a level of data protection comparable to that found within the EU. The ranks of secure third countries currently include Japan, Switzerland, New Zealand, Argentina and Canada.
b) Non-secure third countries
Data transfer to non-secure third countries is permitted only subject to certain security precautions. Companies can have recourse to instruments including so-called “standard contractual clauses”: EU contract templates for data transfer to contract data processors in third countries and between two autonomous data controllers.
With such contracts, the contract processor or business partner undertakes to observe a level of data protection which satisfies the requirements of the GDPR. And yet, even standard contractual clauses are not enough on their own to ensure the legal security of data transfers to third countries.
Focus on the USA
The US plays a particular role in international data exchanges. After all, the large IT and internet concerns, such as Google or Microsoft, are American companies. The same is true of many relevant newsletter services, not to mention cloud providers. Data transfers between Germany and the US are therefore common practice.
No general regulation has been in place since the European Court of Justice ruled in July 2020 that the Safe Harbor and Privacy Shield treaties in force until recently were insufficient. Since June 2021, revised EU standard contractual clauses that make data transfer to many other countries more legally secure have been in place: these now require additional measures such as descriptions of the transfers, the security measures and how the organisations concerned deal with data processing subcontractors. They do not, however, make data transfers to the US completely secure across the board. Out of an abundance of caution, companies should in the first instance assume that US firms are simply not always able to implement these additional measures. The question which thus arises is how – alongside the application of the revised EU standard contractual clauses – companies can design their data use to be as secure as possible.
1. Encrypt data
Companies can add an extra layer of security by encrypting personal data, ensuring that the data are encrypted both in transit and at rest. Data should ideally always be encrypted to keep damage to a minimum if things go wrong. However, a number of privacy-related technical aspects, such as the robustness and strength of the encryption algorithm, need to be considered even before encryption is introduced.
2. Use European servers
Data should where possible be stored by the company itself on European servers, which are therefore subject to the GDPR. This will not offer 100 % security, however: after all, despite the best efforts of those involved, administrators from non-secure third countries can get their hands on the data, data subsets may be outsourced, or the back-up servers used may be located in the US. This is why it is especially important for the data centre’s administration service to be situated in a country with a recognised level of data protection.
3. Exhaust all legal options
If contract data processors are commissioned in a non-secure third country like the US, companies should ensure that the service provider exhausts all the legal options to prevent the handover of personal data to the authorities in their home nations.
4. Look for alternatives
The best solution is sometimes to switch service provider and consider using alternatives to the Internet service currently being used which, although they may cost more, will use data centres in Europe.
5. Internal corporate rules
Company groups with subsidiaries in other countries also have the option of drawing up internal rules, known as binding corporate rules (BCR), which oblige foreign subsidiaries to adhere to European data protection law. This works like a data protection forcefield. But this will be stretched to its limits if the internal corporate rules conflict with the regulations in force in other countries.
6. Awareness raising and training
All the employees of a company, even those who are not directly responsible for data security, should be aware of and trained in the data protection issue. After all, very many employees will at some point in their working life have to deal with personal data. Alongside general awareness raising, therefore, thorough training regarding domestic and international data security should also be carried out.