With the Cloud Act of 2018, US authorities have secured access to company data, even if it is stored on servers abroad. This affects any company in the world that has at least one branch in the USA. The General Data Protection Regulation (GDPR), which has also been in force since 2018, has changed the legal concept of data protection and data security at EU level. This has far-reaching consequences for European companies looking for a suitable solution regarding digital signatures. Under the Cloud Act, if a cloud provider has a location in the USA, both traffic data and the personal data of its customers can be accessed. The solution: a purely European provider.
17 July 2020 is likely to go down in data protection history. On this day, the European Court of Justice (ECJ) ruled that the EU-US Privacy Shield does not constitute an adequate level of data protection with regard to the GDPR. The agreement had regulated data protection and data security for the transfer of personal data. In its judgement, the court contradicted the legislative bodies of the EU, which had given the green light for this in 2016: at the time, it was assumed that the USA also had an equivalent level of data protection according to EU standards. With the judgement of the ECJ, this ruling on adequacy is now history.
Among other things, this was due to the court's somewhat stricter view of the Clarifying Lawful Overseas Use of Data Act (Cloud Act). The Cloud Act was introduced to allow access, for the purpose of fighting crime, to data stored by US companies anywhere in the world, instead of just data stored in the USA. According to the European Supreme Court, the Cloud Act therefore also covers the retrieval of personal data and company data. All it takes is a company location in the USA.
No personal data to the USA
The “Schrems II” judgement, named after the Austrian data protection activist Max Schrems, sees this as a serious violation of the GDPR. As a result of Schrems’ ongoing feud with Facebook, the transfer of personal data to the USA has now hit a major roadblock. Schrems II now excludes a valid adequacy decision pursuant to Art. 45 GDPR with regard to the transfer of personal data to the USA. At the same time, the transfer of this data within the European Economic Area is considered GDPR-compliant.
“Generally speaking, companies must fulfil their legal obligations to protect personal data every time this data is transferred. According to Schrems II, things always get complicated when companies decide in favour of a US-based provider of cloud applications,” says Hannes Harlander, Data Protection Manager at XiTrust. “There is a real risk here that data will be released from cloud applications at the request of US authorities, even if the end users have not been notified.” In a worst-case scenario, the data protection authority (DPA) could deem the responsible party to be in breach of its obligations under the GDPR, and then things could get uncomfortable: the penalties are severe, with fines of 20 million Euros or even up to 4% of the company’s global annual turnover.
Companies must provide evidence
To leave no doubt about how seriously data protection and data security are taken under the GDPR, the British data protection supervisory authority, the Information Commissioner’s Office (ICO), threatened the hotel chain Marriott with a fine of an incredible 110 million Euros in 2019 for violating the GDPR: the company was accused of a leak that compromised the data of millions of customers.
“If European companies process personal data in the cloud, they, as data processors, must prove to the DPA that they comply with the level of data protection required in the European Union,” explains Hannes Harlander. “Naturally, this also includes software designed to create digital signatures.” The standard contractual clauses between the US provider and the relevant (European) customer are generally no longer sufficient following the Schrems II judgement: just like the US software used, these agreements are routinely deemed not to be GDPR-compliant. Harlander: “According to the current legal situation, the (legally) safest solution is to opt for cloud providers with associated data centres exclusively from the European Union – or alternatively a GDPR-compliant European on-premises software solution in your own data centre!”
Smallest possible data volume
MOXIS’ processing of personal data in the cloud fulfils the requirements of the GDPR in several respects: firstly, the principles of privacy by design and privacy by default as defined by the GDPR are always upheld in the electronic signature folder, unlike comparable US software (see box). Neither requirement is a “nice-to-have”; both are basic prerequisites for data protection and data security in the European economic and legal area in accordance with Art. 25 of the GDPR.
Specifically, this means that the amount of data processed in MOXIS is minimised in accordance with the GDPR. Personal data is processed and stored separately – hosted exclusively via certified European data centres. This also means that companies working with MOXIS have full control over the processing of their personal data. MOXIS users are always able to demonstrate compliance with their data protection obligations and all related legal requirements to the DPA.
Privacy by Design & Privacy by Default: MOXIS is 100% GDPR-compliant!
Privacy by design: data protection by technical design
MOXIS fulfils the data protection and privacy requirements when it comes to the design of processing activities and data processing systems.
Planning, architecture, design, implementation and use of data processing systems are designed in MOXIS with the least possible intrusion on personal data.
Responsible European companies may only purchase products that fulfil the privacy-by-design requirements: this is the only way that processors can guarantee to data protection authorities that the personal data they handle is processed in compliance with the GDPR.
Privacy by default: data protection-friendly default settings
All systems and default settings in MOXIS are designed in such a way that only the personal data required for the respective purpose is processed.