Michael Schneider
In April 2016, the European Union laid the foundations for a new data protection law with the introduction of the General Data Protection Regulation (GDPR). This regulation standardizes and harmonizes the rules for processing personal data by private companies and public agencies across the EU.
One of the primary aims of the reform is to strengthen the rights of internet users, providing them with more control in the future over how internet companies (Google, Facebook, Apple, WhatsApp, etc.) use their personal data.
The previous EU Data Protection Directive 95/46/EC from 1995, which the new regulation replaces, was considered out of date in many respects and difficult to apply in practice. Some key technical developments were not taken into account at all, or not to a sufficient degree. The General Data Protection Regulation aims to consolidate the patchwork implementation of data protection in the national laws of the individual Member States and to ensure consistency throughout Europe. Unlike the old directive, which had to be transposed into national law by each EU Member State, the General Data Protection Regulation applies directly in all EU Member States from 25 May 2018.
At the same time, the GDPR leaves Member States substantial regulatory flexibility in certain areas. Making use of it will be a massive task for national legislatures given the time available: only one year remains until the General Data Protection Regulation becomes applicable, and the various national data protection laws need to be adjusted in parallel.
Switzerland is well positioned in this regard because, according to an opinion offered by a group of attorneys, the GDPR and the Swiss Data Protection Act are ‘comparable’ (German link). However, the comparison must be made against the revision of the Swiss Data Protection Act that is currently underway. The EU will only recognize Swiss law as adequate if the Swiss Data Protection Act largely conforms to the corresponding EU law. Otherwise, the critical exchange of data between companies in Switzerland and companies in the EU would be severely affected and made unduly difficult.
Following the invalidation of the Safe Harbor Agreement in October 2015, the new General Data Protection Regulation clearly points the way towards the restructuring of data protection in the EU. While it may not be stated explicitly, the GDPR extends the reach of EU data protection to the US, as even data giants such as Facebook, Google and Apple will be held to account to a much greater extent in the future.
In this sense, it is a positive development that the practice of US intelligence agencies (such as the NSA), a practice that has rightly been criticized, will now finally face stiffer opposition, because transmitted data has never been sufficiently protected against access by US authorities and intelligence agencies. Together with the Swiss-US Privacy Shield, the GDPR is intended to ensure that transfers of personal data from Switzerland to the US are subject to the same standards as those that apply in the EU. This is extremely important for the legal certainty of economic transactions and, in particular, for the free exchange of data between Switzerland and the EU, especially in the commercial sphere.
Whether this will actually have an effect on the comprehensive monitoring activities conducted by the US authorities is questionable and remains to be seen. These monitoring activities are too massive and wide-ranging: they cover everyone and every electronic means of communication, as well as all transmitted data (including the content of communications), without distinction, limitation or exception.
In his essay Digital Colonialism – Europe’s Struggles on the Internet (German link), the philosopher Peter Sloterdijk offers a more optimistic view of this subject:
Europe’s data sovereignty has been restored.
And:
If Europe were capable of speaking with one voice, it would long ago have been one of the major economic powers. It would have developed its own search engines and social media that would not be subject to a massive program of spying on citizens by paranoid security agencies. Our so-called “American friends”, by contrast, seem to continue to promote any development that turns Europe’s weakness into an additional basis for their strength.
Seen this way, one could interpret the objectives of the GDPR as helping to strengthen Europe’s newly gained data sovereignty.
However, we should be cautious about being too euphoric. Europe, which currently finds itself under serious attack, will, given the overarching government objective of ensuring security, increasingly place its legitimate security interests above its citizens’ liberties, including their right to informational self-determination. The GDPR will not change anything in this regard. (The European Court of Justice did, however, rule in 2014 that the Data Retention Directive, an effort to combat terrorism, was invalid, thereby placing basic rights above the fight against terrorism.)
Data protection must be accorded a fundamental role in what is increasingly becoming an information society.
The fundamental right to informational self-determination protects citizens against the unlawful and improper use of their personal data and places an increasing obligation on companies to abide by this right. In addition, increasingly stringent legal requirements and the growing expectations of customers are creating greater challenges for companies.
Failure to comply with data protection requirements is now a serious risk factor that may, in addition to the damage it could cause to a company’s image or reputation, lead to personal liability on the part of management. Conversely, demonstrating compliance with data protection requirements offers companies a competitive advantage and an excellent way to stand out from the rest.
Because of their role as data processors, companies are now finding themselves increasingly thrust into the public spotlight. A number of data protection scandals have led customers to respond more critically and made them realize that compliance with data protection requirements is an important quality characteristic. As such, they want to see that compliance demonstrated. These developments require greater awareness on the part of management and new ideas for developing appropriate strategies for dealing with the fresh challenges presented by data protection.
Information technology is now ubiquitous, pervading all aspects of life. As a result, personal data is collected, processed and used almost everywhere. In addition, technological innovations, particularly in the areas of the Internet of Things (Evernet), cloud computing and mobile computing combined with Big Data, are leading to exponential growth in the volume of data. Contextual awareness will, for example, allow IoT components (with the help of sensors and special communication devices) to collect information about users and their habits, environment and location, as well as large amounts of other sensitive data (e.g. health information such as heart rate, weight and blood pressure), and to adjust their behavior accordingly. As a result of these trends, genuine threats to informational self-determination are not being recognized, or are recognized only after a considerable delay, as the history of data breaches shows.
At the same time, there seems to be a new level of nonchalance, with users handling their own personal data and the data of others with clear insouciance, above all on social media. Carefully crafted messages on social networking platforms, for example, provide a simple entry point for social engineering, or for the systematic collection and aggregation of social relationships and personal data for the purpose of identity theft or the assumption of a false identity by exploiting the detailed information that is revealed.
Due to these trends and rapid technological progress, it is easier than ever to gain access to relevant personal data. The transparent consumer, patient, customer, employee and citizen has, unfortunately, long since become a reality through the use of modern analytical tools and Big Data aggregation.
The notion of data protection as a means of safeguarding an individual against the unauthorized and inappropriate use of their personal data is a subject of major interest once again thanks to the new EU GDPR. Many people now understand that the right to informational self-determination is a basic democratic right that society and its citizens must demand in order to ensure that it does not become lost.
Some key aspects surrounding the regulation for companies and individual informational self-determination will be discussed below. The full text of the regulation is available at privacy-regulation.eu.
This is intended to prevent communication with data giants such as Facebook, Google, Apple and WhatsApp from being accessed by others and to strengthen enterprise-friendly rules for the domestic digital market (under the motto of the EU reform: better protection of privacy online and new business opportunities).
Developments in data protection will continue to preoccupy companies in the future and pose major challenges. In a first step, they will have to modify current mandatory documentation and procedures by May 2018 in conjunction with the GDPR.
In doing so, it must be made clear that the regulation in no way affects legal departments alone. Senior management will also be directly involved. In particular, management must establish the importance of data protection and build the necessary pressure and offer support for modifying internal rules, developing case studies and specific scenarios and providing the necessary tools and resources. In doing so, a risk-based approach is essential.
Companies should therefore deal with data protection questions fundamentally and at an early stage:
Depending on the business activity in question, other international standards will have to be taken into account that, in the worst case, may conflict with one another, with national regulations or with the GDPR. A well-known example is the US Sarbanes-Oxley Act (SOX), which is rooted in an Anglo-American culture that, as previously noted, attributes much less weight to privacy protection than is customary in Continental Europe.
Data protection incidents must be recognized as an important risk factor in risk management. This is not limited solely to the direct consequences of a violation of the above standards and laws. Dealing with the aforementioned risks requires adequate risk management on the part of companies. Data protection is now an important quality factor that all companies need to take seriously.
As such, updating current internal directives, regulations and policies regarding data protection is not a one-off act in response to the switch to the GDPR in May 2018. It involves the continuous implementation of data protection as part of the company’s business processes. This will only be successful if the management of data protection risks is institutionalized throughout the company, across all corporate levels and units.