DATA PRIVACY IN EUROPE
RC: Companies are more reliant on electronic data now more than ever, and the level of usage will only increase. What risks arise when handling and storing all this data, including situations where it is transferred across national borders?
Simon: Of course, this trend is gathering pace as companies depend on electronic data exchange; nearly any key business process is based on it. So, electronic data itself, is an asset of a company. Furthermore, companies’ data volume is increasing. As a consequence, companies tend to outsource data processing, but they are faced with risks of different nature: handling and storing ‘big data’ can be handled efficiently only with cloud solutions. In practice, however, there are no suitable standards with respect to cloud solutions for data storage and management under which companies can manage data with legal certainty. This applies especially to the question of access rights, deletion rights and proof of data security for cloud solutions. Furthermore, existing legal standards for data transfer outside of the EU, which comprise standardised contracts of the Commission, do not offer the flexibility needed for complex structures. Moreover, it is very difficult to organise the international transfer of data in complex structures with any legal certainty. Although the EU Commission has drafted standard contracts, they cannot be adapted to national requirements abroad. This legal context is aggravated by the fact that, in Europe and abroad, companies find different legal standards for these forms of economic collaboration. So, these legal risks are the result of the complexity and uncertainty of the legal framework applicable to the company. Furthermore, data handling and data storing became contingent to external attacks. Of course, data service providers often are more professional in data processing than a company itself may be. But the risks remain when transferring data, as cases of data attacks by national security authorities have shown. In this context, economic espionage remains one of the primary risks. The challenge for each company is to protect the data transferring infrastructure against data attack. As a result, one of the discussions in Europe has been to establish a ‘closed European data infrastructure’ in order to avoid data attacks by institutions based outside the European Union.
Jan-Mar 2014 Issue
International Association of Privacy Professionals
Mayer Brown International LLP