In times of megacrises, this atmosphere was really good: optimism and harmony characterized the 7th German-American Data Protection Day, which took place in the Munich House of Bavarian Business in the spring. The Bavarian Business Association (vbw) hosted the event in cooperation with the US Consulate General and the Bavarian State Office for Data Protection Supervision.
A major topic was on the agenda: the new Trans-Atlantic Data Privacy Framework (TADPF). The cumbersome term stands for a new data protection agreement with which the EU and US government want to deliver what companies have been expecting for years: the legally secure basis for data exchange with the USA.
Such an agreement is urgently needed. With the General Data Protection Regulation (GDPR), there have been uniform EU-wide standards for data protection for almost 5 years. But 60 percent of German companies operate data transfers in third countries, according to the Bitkom industry association in Berlin. The USA comes first with 59 percent.
It's about $7.1 trillion
This top position is no coincidence. Bavaria's industry also uses the US cloud providers Amazon, Google, IBM and Microsoft. 40 percent of the hyperscale data centers in the global cloud infrastructure are in the USA. Almost every company that uses tracking services for their website ships there. This also applies to the use of global service providers who offer security support around the clock. The US government puts the value of the data protection-related business between the EU and the US at an incredible 7.1 trillion US dollars.
The big problem so far: National security was far more important to the White House than protecting sensitive data from consumers and citizens. Since the revelations by Edward Snowden, it has been known that mass surveillance of data is part of everyday life for the US secret and security services.
2 agreements already failed
Another difficulty: So far, EU citizens in the USA have hardly been able to legally defend themselves against the misuse of their data. An ombudsman was provided; only - despite the well-known data protection scandals - he had not processed a single complaint.
Because of these two chronic shortcomings, the Austrian data protection activist Max Schrems managed to overturn two data protection agreements between the EU and the USA at the same time with lawsuits before the European Court of Justice (ECJ): Safe Harbor and Privacy Shield. Depending on your point of view, you can find it sensational, frightening or embarrassing. In fact, there is no legal certainty when transferring data to the USA.
According to European data protection authorities, companies would have to encrypt data in a complex manner and carry out a so-called Transfer Impact Assessment (TIA) before each data transmission - an examination of the effects of the transmission of their data on the persons concerned.
According to a Bitkom survey, 91 percent of German companies use the contract model adopted by the EU Commission, so-called standard contractual clauses for data transfer to the USA, as a makeshift. However, there are doubts as to whether the data recipients in the USA can implement these clauses. Many of these data transfers could be illegal, and companies could be fined. The economic damage is considerable. Meta, parent company of Facebook and Instagram, has threatened to shut down its social media in Europe.
"It is not impossible for companies to transfer personal data to the USA, but it has become very complex and expensive," criticizes IHK lawyer Rita Bottler. "This is an intolerable situation for thousands of companies and a burden on our economy." The positive: the EU and the USA are willing to change that. In March 2022, they agreed on a new data protection agreement.
Bavaria's Minister of the Interior, Joachim Herrmann (CSU), emphasized at the Data Protection Day that a reasonable solution is needed that serves to protect sensitive data of citizens, but at the same time does not hinder economic development. This is the basis of numerous applications, from artificial intelligence to the Internet of Things to cloud and software use.
Value-based counter-model to China
The minister praised the GDPR surprisingly clearly. Herrmann agreed with US Consul General Timothy E. Liston that the digital world needs a positive counter-model to China's approach to using data to control and oppress society. The value-based understanding of data protection in Europe has meanwhile also had a positive influence on the discussion in the USA. "Our partner has really worked hard," said Herrmann about the executive order signed by US President Biden in October 2022.
Premiere for EU
What has actually never happened before: the US President is restricting access by his security authorities. The evaluation of personal data of EU citizens is only possible to a limited extent. In the future, the secret services will have to prove that this measure is "proportionate" and "necessary". In addition, a new two-stage complaints mechanism should enable EU citizens to seriously object to the collection of their data by US authorities for the first time. The so-called Privacy and Civil Liberties Oversight Board is to keep a close eye on the secret services so that they cooperate sufficiently with the complaints procedure.
The US government has made its move. The EU Commission then initiated a procedure to adopt an adequacy decision. The EU would thus certify a comparable level of data protection, which would be the legal basis for free and unhindered data traffic with these US companies.
EU sees itself "on course"
However, the Data Protection Day also revealed that the whole thing is not running smoothly. Two EU committees have requests for improvement or are fundamentally skeptical. Bruno Gencarelli, head of the data protection department in the EU Commission's Directorate-General for Legal Affairs and Consumer Protection, nevertheless sees the EU on course. Work is being done to eliminate the weaknesses pointed out by the ECJ. He therefore expects the EU adequacy decision this summer. In the end, the approval of the member states is crucial.
"Have to pack it now"
In the discussion, Michael Will, President of the Bavarian State Office for Data Protection Supervision, also called it "quite fantastic" how both sides acted. Will assured that he would certainly not sue. "We have to get on with it now!" he urged everyone involved. There is no time to lose anyway, elections are coming up in the USA.
IHK lawyer Bottler also notes the effects of the executive order and its positive assessment by the EU Commission: "The legal situation for EU citizens in the USA has already changed positively."