Above: Joerg Thomas. Photos courtesy Huawei.
Originally published in Newsday BusinessDay on January 21, 2021
“In 2020, we never had a dull day in privacy,” said Dr. Felix Witter, a Partner with Fieldfisher, foreshadowing the issues that arose in an hour-long discussion on data protection hosted by Huawei on Tuesday morning.
For Witter, the top issues for Europe arose in the wake of Schrems II, a judgement delivered by the European Court of Justice in July 2020.
The ruling brings into sharper relief the differences between the data protection regime in the European Union, governed by the General Data Protection Regulation (GDPR) in force since May 2018.
GDPR has since become a benchmark for privacy regulations and other regional legislative efforts have been modeled on its scope.
The legal challenge by privacy activist Maximilian Schrems forced the court to reconsider the EU-US Privacy Shield law and how it works in practice after Schrems pointed out that data gathered by Facebook in Ireland was held at the company’s US offices and potentially accessible to US intelligence agencies.
Data transfer and sharing are governed by Standard Contractual Clauses, which spell out the terms and understanding governing data that crosses geographic boundaries, but the clauses haven’t been updated fast enough to match evolving situations, and gaps in practice have become glaring.
“There’s a very significant difference between ‘only local’ and ‘also local’ data traffic,” Witter said.
“These clauses also don’t override local legislation,” warned Joerg Thomas, director of Huawei’s Data Protection Office.
Thomas also warned of conflicts that arise in enforcing the protections that govern data transfers, particularly when there are competing interests.
“Data can be exported if it is encrypted at a level that cannot be broken by the government of the receiving country,” Thomas said of GDPR.
“But this is happening at the same time that there is a push for weaker encryption that allows government oversight, in the interests of battling terrorism.”
Compounding the issue is the uneven application of GDPR within the union. Each sovereign nation has its own Data Protection Agency (DPA), and the only thing they all seem to have in common is a measured approach to enforcement.
While the law may be the same across the European Union (EU), an uneven application and enforcement of fines has encouraged a surge in class-action lawsuits, as citizens take to the courts rather than approach state data protection agencies for a response to perceived infractions of GDPR.
This became a critical issue when data sharing increased dramatically as analysis of COVID-19 infection surged and an unprecedented volume of data about individuals began crossing geographic boundaries as the world worked to take the measure of the virus and its capacity to spread.
From January 01, 2021, the UK also finds itself outside the GDPR, despite having been deemed in compliance for the last two years.
Post-Brexit, the UK will now have to bring its data transfer protocols into compliance with the requirements of the EU and will probably have a window of six months to do so.
Ramsés Gallego, International Chief Technology Officer for Cybersecurity at Micro Focus, believes that “The opposite of security is not insecurity, it is complacency.”
Gallego warned businesses to seek out “shadow data,” information that exists in a company without the awareness of IT or legal departments and that isn’t subject to the organisation’s oversight systems.
“You can have security without privacy, but you cannot have privacy without implementing proper security systems,” he said.
“The business that’s on the rise in this troubled epoch is cybercrime.”