Blog posts by Karsten Kinast

The Impact of the new EU Data Protection Regulation on the Finance Industry

After several negotiations und multiple drafts of the General Data Protection Regulation (GDPR), its final text was adopted in April 2016. The GDPR updates the current EU Data Protection Directive according to the technological developments that have taking place during the last 20 years. The GDPR applies to all member states in the same way and also does not make a distinction between industries or sectors; however, the new provisions may have a higher impact in certain sectors or industries, as they will be subject to stricter requirements regarding the processing of personal data.

The finance industry, including comprises banks, investment funds, foreign exchange services, etc., is one of the sectors that will be subject to stricter requirements:

  • Especially the fact that the data processed might relate to bank accounts, the financial situation of customers or their financial and patrimonial solvency leads to a stricter data protection regime under the GDPR as it requires that the undertaken data protection measures must reflect the quality of data appropriately, which evidently is considered to be of highest nature. In other words: Finance Industry by Law is supposed to be a Leader in Data Protection and any potential breach would mean a higher sanction than in other businesses that might follow similar e.g. illicit procedures (fines go up to 4 % of annual turnover of a group or up to 20.000.000,00 EUR)
  • The GDPR acknowledges the according risk as well, therefore, data breaches occuring at financial institutions may be subject to the obligation to inform customers if the breach is likely to cause them a significant damage, so that they can take adequate precautions. Data breaches in this business field need to be reported to Data Protection Authorities within 72 hours.
  • Generally, the appointment of a Data Protection Officer is mandatory for any institution belonging either to the public sector or if core activities involve large scale processing of sensitive data. This usually should be the case for any company in the financial sector. However, under the GDPR, financial information is not explicitly considered sensitive data but considered to be a risk to the rights and freedoms of data subjects, for example in cases of identity theft or fraud. Therefore, Privacy Impact Assessments will be also mandatory for financial institutions in order to identify risks and minimize potential damages or data breaches and implement accordingly a tailored data protection strategy (privacy by design).

One of the main assets for financial institutions is its customers, this is why prior information and consent will play even a more important role than before in order to reach compliance. Consent must be unambiguous and explicitly referred to each processing purpose. The use of general contractual terms will not be sufficient for the proof of consent.

The GDPR will become effective in May 2018 and by this date, organizations and businesses should be compliant with its provisions.

Rebuilding the safe harbor is necessary

A current decision of the European Court of Justice (ECJ) concerning the practice of transferring data from Europe into the USA brings many companies on both sides of the Atlantic to unrest: Many comments and publications spread the rumour that storing personal data on servers in the US is with immediate effect automatically illegitimate. However, that is not quite right. There are still many possibilities for carrying out data exports into the USA rightfully.

Do enterprises that e. g. use cloud services from US-American providers have to act quickly now and retrieve their data or that of their customers? Even if the content of the information is not really sensible? Do companies otherwise have to expect high penalties?

Single case inquiries

The decision of the European Court of Justice (ECJ) doesn't make data transfer from Europe to the United States for the more than 5000 Safe Harbor registrated companies illegitimate per se. However, the Data Protection Authorities of the member states are now empowered in single cases to examine companies that transmit data on the basis of Safe Harbor into the United States or let it being processed there. In case of offences against the law the Data Protection Authorities may prohibit the transfer of personal data into the United States with a formal prohibition order as ultima ratio.

According to some regulating authorities the decision has also consequences for the standard contractual clauses and Binding Corporate Rules (BCR) published by the EU Commission as alternative to Safe Harbor, since the ECJ judgement grounds on the fact that administrative bodies in the USA are able to take hold of any data, mainly on the basis of the Patriot Act (see the box). This is naturally also possible when data is exported into the US not on the grounds of Safe Harbor, but on the basis of other instruments such as standard contractual clauses or BCR. A further decision hereupon remains to be waited for. National and European  Data Protection Authorities will play a central role in this process. According to the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) it has still to be examined "if and how far data transfers into the USA are to be suspended".

New Agreement in preparation

Already since 2013 the EU and the United States are negotiating a new Safe Harbor Agreement with an eye to European standards. It therefore doesn't have to be excluded that national resp. regional European authorities agree upon a transition period in which no concrete examinations through the Country supervisory authorities and thus no prohibition notice against companies are going to take place. Corresponding agreements on a regulatory level are being expected in the next days. 

A prerequisite could be that the governments agree upon a new Safe Harbor by a certain point of time. Like this the regulatory authorities would shift the pressure built up by legislation away from the companies to - at least temporary - the acting political decision makers. Substantially the upcoming negotiations between the transatlantic partners are likely to deal mainly with the access on European data on basis of the Patriot Act - besides the up to now too superficial realizations of the Safe Harbor rules and the thereby inappropriately carried out self certifications in the concerned companies.

Possible Alternatives

As shown Standard Contractual Clauses or Binding Corporate Rules (BCR) can be alternatives to Safe Harbor and a legal ground for every international data flow. Even if the  Hamburg Commissioner seems to see this differently, these other mechanisms have hardly lost their applicability and validity by the ECJ decision, last but not least since this ruling only dealt with Safe Harbor. The British Information Commissioner's Office for Data Protection and the Luxemburg Government, which holds also the EU presidency at present, share this opinion. Regarded logically the same argument as for Safe Harbor could be applied to these two alternatives, since the Patriot Act and other US Acts don't differentiate between the legal grounds on which data is being exported into the USA.

Couldn't you then deem any intra-European data flow to be invalid if there was any national act enabling authorities or governmental bodies in the way the Patriot Act does? If you look for example on the according UK acts they appear pretty similar to what the Patriot Act provides. Taken that, anyone believing that now BCRs are not capable of justifying transatlantic and other data flow any more must logically vote for a stop of intra-European data flow as well.

Patriot Act

This law was enforced by the USA as consequence of the terrorist attacks on September 11th, 2001. It allows US authorities in certain cases anytime to access data of US-American companies and their customers. This applies also information stored on servers of European subsidiaries. According to many companies this counteracts the older Safe Harbor Agreement from the year 2000, which includes clearly defined safeguard measures for transferring personalized data between Europe and the USA.

Cloud, Data Protection & Liability

Whether public, private or hybrid clouds, whether SaaS, IaaS or PaaS: All these cloud computing approaches are differing in particular with respect to the question, whether the processing sites/parties can be determined or not, and whether the user has influence on the geographical, qualitative and infrastructural conditions of the services provided.

Therefore, it is difficult to meet all compliance requirements, particularly within the fields of data protection and data security. The decisive factors are transparency, controllability and influenceability of the service provider and his way of working. Problems arise so far in particular with respect to the public cloud.

In order to avoid liability risks and to achieve a better perspective on business continuity, it is in your interest as the contractor to remain „master of the data“.

Some existential needs arise from this:

1. Open, transparent and detailed information from the service provider about its technical and organizational measures and the legal framework of services.

This is usually the case in practice. However, seen from your perspective as the service contractor, it is not always verifiable to a degree required by the relevant laws in order to avoid you to be liable for errors originally committed by the service provider while providing the services.

Challenge your Service Provider for his documentation of technical and legal measures. Don't expect him to be sufficient just because he is representing a large organization or is offering the best price on the market.

2. The implementation of coordinated security measures on the part of cloud providers and cloud users.

In order to comply with local legislation and your own corporate policies, cloud providers need to apply more than just their own rules to the services provided to you. As usually seen in practice, providers do have difficulties to move beyond their own terms and conditions and listen to your legal and corporate needs.

If the Service Provider does not offer to customize the terms of delivering his services to your needs, it's not your Service Provider.

3. Transparent and clear service and data protection agreements (Controller-to-Processor Agreements), in particular with a regulation respective the site of the data processing and the notification of any change of location.

The contractual dimension decides on the compliance of the use of cloud services and gains in the wake of a non-European cloud again immensely in importance.

Have all contractual documents checked professionally. You will not be able to estimate the legal implication unless you're an expert in international data protection laws. If you accept the wrong legal contracts, it will be your liability whatever the service provider decides to do with your data.

4. The submission of current certificates relating to the relevant technical infrastructure.

The certificates should ensure information security as well as portability and interoperability through independent testing organizations. There are sometimes certificates awarded that affect only parts of the necessary measures.

Don't trust certificates as if there were given by god. The idea of a certificate is not to allow you stop thinking. Make up your own mind and don't blindly follow the mainstream.

5. The problem with cloud services involving non-EEA countries is that - in particular U.S.-American - authorities sometimes access personal data / Personal Identifiable Information (PII) without any legal cause (according to a European perspective) and without complying to the principles of proportionality and purpose limitation on personal data / PII.

These accesses imply a data protection violation committed by the European contractor – not necessarily the international cloud service provider – against employees, customers and other service providers.

If only one of your companies is based within the EU, you have to be aware of the fact, that it is much harder and often even impossible for your company to remain compliant with the data protection laws if your service provider is placed outside the EEA. On the economic side, this means that you either have to add the risk of damages and fines from non-compliance to your ROI calculation, which could easily turn it upside-down, or stay with service providers placed inside the EEA.

This article has originally appeared in the KuppingerCole Analysts' View newsletter.

Cloud Compliance Remains a Challenge

The cloud is reality – but still legally controversial in the details. So what do we need to consider for the future with regard to liability, especially as there are few practical alternatives for data management in the cloud and many already see the cloud as unmatched in value from an economic viewpoint?

Over and over again, references are made to the cloud’s problems with multiple national and international data protection laws. Among other things "sensitive data" - for example, health data - internationalization presents huge legal problems with data management in the cloud. The problem, though, is not seen this way by all supervisory authorities responsible for data protection.

Often underestimated, however, is the fundamental legal point of criticism regarding the lack of data sovereignty of the cloud user and the lack of control options for the cloud provider. Questions abound, such as:

  • Where does the data reside?
  • Are technically necessary copies deleted as required by law?
  • Can the cloud user see, understand and control the data security with his/her provider?
This problem field is clear but it appears less helpful if it’s stated as: "classic data protection does not function in the cloud". You can, however, get closer to the truth if you note that the cloud's own manner of functioning has not yet been recognised by law as regards the aforementioned control options - at least not in Europe. The legislators now demand, for example, control over the service providers to whom one entrusts his/her own data or that from third parties. This control only functions with the help of transparency in regard to important questions:
  • Who can currently access the data?
  • As regards third party data, can I learn these points from the cloud provider when my own customer wants to know this from me?
  • In short: am I still master of the data?
  • Can I even still accept responsibility for the data entrusted to me or do I fail on the factual power of the cloud provider and the technically functional method of the cloud?
As to the question of control options, you should put your cards on the table and demand that the European legislators revise their own regulations for the cloud that acknowledge the missing control possibilities as collateral damage to the cloud. It seems feasible to subject cloud providers, in return, to specific obligations so the basic concepts of data protection pursued by the control rights can be achieved by an alternative route. Should an established legal conception – the necessity of the control principle – be abandoned in order to help a modern type of data management out of the juridical problem area? Or will data protection do its job of protecting the citizen only if complete visibility and control continues to be codified?

Occasionally legislators and bureaucrats represent that one must simply reinterpret the current data protection legislation: A technical interpretation of the data protection law would solve the problem. Analogously, a meaningful technical solution does not have to stand in the way of unfashionable, non-IT oriented law. That sounds compelling. A revision of the data protection law would thus not be necessary at all. Caution is called for once again: As opposed to the copyright law, data protection law is not commercial law. Data protection is a personal right. Hence, the interests of the citizens in data protection principally ranks behind a technical and thus economy-friendly interpretation of the law. As a result, the issue of control and data sovereignty in the cloud remains unresolved to date.

This is the reason why it is occasionally claimed that the cloud is "illegal," or even “extra-legal”. This is certainly not the case. Yet the obligations with regard to liability law are not to be underestimated with regard to data sovereignty and the cloud customer. As such, you may be liable, under certain circumstances, for possible shortcomings of the cloud provider although you only purchased the cloud service. This always involves the chain: Cloud provider – Cloud customer – Customer of the cloud customer. As a cloud customer, you are in the middle and must ensure a proper level of data protection to your own customers which is simply not offered as depicted, and with regard to control, is also not realisable, because the data in the cloud is ubiquitous and, for example, no specific information can be given as to the whereabouts of the data.

Even if one accepts this problematic liability and takes the risk of data protection non-compliance further aspects of the cloud are also problematic in terms of data protection legislation. This concerns, for example, data quality. Especially as regards the already mentioned sensitive data which may, if at all, only be brought into the cloud if a detailed examination of this individual case appears to be admissible. This depends on the technical framework conditions, but also on the Terms and Conditions of the provider.

Further discussions concerning the legality of the cloud could involve:

  • Data access through third parties, especially legal authorities (not only data protection, but also knowledge/trade secret protection)
  • Technical-organisational measures (not only available, but rather also documented and manageable)
  • Subproviders (missing transparency regarding their linking, technical-organisational measures implemented)
  • Terms and Conditions
The following always applies (as already mentioned): If I myself "purchase" the cloud and use it to provide services to third parties, I cannot, generally, disclaim responsibility; I must be liable, if need be, for the above mentioned "purchased" deficiencies to my contractor, my employees etc.

EU-Service Level Agreements for Cloud Computing – a Legal Comment

Cloud computing allows individuals, businesses and the public sector to store their data and carry out data processing in remote data centers, saving on average 10-20%. Yet there is scope for improvement when it comes to the trust in these services.

The new EU-guidelines, developed by a Cloud Select Industry Group of the European Commission, were meant to provide reliable means and a good framework to create confidence in cloud computing services. But is it enough to provide a common set of areas that a cloud-SLA should cover and a common set of terms that can be used, as the guidelines do? Can this meet the individuals’ and business’ concerns when – or if – using cloud services?

In my opinion it does not, at least not sufficiently.

Having a closer view at the Guidelines from a legal perspective and thus concentrating on chapter 6 („Personal Data Protection Service Level Objectives Overview”), they appear to offer no tangible news. The Service Level Objectives (SLOs) that are described therein do give a detailed overview about the objectives that must be achieved by the provider of a cloud computing service. However, they lack description of useful examples and practical application. I would have imagined some kind of concrete proposals for the wording of a potential agreement. Any kind of routine concerning the procedure of creating a cloud computing service agreement would be a first step, to my mind, to increase the trust in cloud computing.

Since the guidelines fall short especially in this pragmatic aspect, their benefit in practice will be rather little.

As a suggestion for improvement one could follow the example of the ENISA „Procure Secure“-guidelines. They do focus on examples from “real life” and show what shall be comprised in a cloud computing contract. And they support cloud customers in setting up a clearly defined and practical monitoring framework, also by giving “worked examples” of common situations and best-practice solutions for each parameter suggested.

Discover KuppingerCole

KuppingerCole PLUS

Get access to the whole body of KC PLUS research including Leadership Compass documents for only €800 a year

KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

Blog

Spotlight

AI for the Future of Your Business Learn more

AI for the Future of Your Business

AI for the Future of your Business: Effective, Safe, Secure & Ethical Everything we admire, love, need to survive, and that brings us further in creating a better future with a human face is and will be a result of intelligence. Synthesizing and amplifying our human intelligence have therefore the potential of leading us into a new era of prosperity like we have not seen before, if we succeed keeping AI Safe, Secure and Ethical. Since the very beginning of industrialization, and even before, we have been striving at structuring our work in a way that it becomes accessible for [...]

Latest Insights

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00