Börsen-Zeitung (June 8, 2018): Data Transfer Trouble (Translation from the German original „Daumenschrauben beim Datentransfer“)
New EU regulation makes data exchange with countries more difficult – Threat of more legal disputes
Author: Heidi Rohde. © Börsen-Zeitung. All rights reserved.
Börsen-Zeitung, 6.8.2018, Frankfurt – Few European laws were as difficult to create as the European General Data Protection Regulation (GDPR), which has been in force since May 25 as the world’s most comprehensive data protection ordinance. And few are as difficult to understand in their impact as the regulation, which contains 47 specific rules on the protection of personal data. These include, among other things, consent requirements for data collection, the “right to forget”, the right to object to personal profiling, the obligation to report “incursions” into databases, data portability regulations and other protection provisions.
While experts in almost all sectors praise the standardization of regulations and requirements within the EU and see progress towards a “Level Playing Field”, also vis-à-vis the large U.S. data holders, which now must also comply with the regulation in their business within the EU, the criticism of the complexity of the regulation remains. The strongest point of criticism is that there were no cost-benefits assessments prior to the introduction of the regulation.
Many companies are particularly overwhelmed when it comes to the provision and classification of data that they sometimes must provide to third countries for various legal reasons. In particular, this applies to requests for information, investigations or legal proceedings that require data transfer to the U.S. as part of eDiscovery, as Michael Becker, Managing Director at Consilio, told the Börsen-Zeitung. The eDiscovery company, which provides companies and law firms with targeted support in data preparation and processing, points out that “conflicts between EU data law and competing legal systems are likely to increase in the future.” Especially with data requests from the U.S., for the companies concerned there is often a dilemma to have to supply data on a large scale while at the same time being as restrictive as possible with personal data. The GDPR will exacerbate this situation. In the U.S., only certain types of personal data are protected, such as health-related information; many others may be used freely.
The new data protection law will require “undoubtedly a great deal of effort” for companies, admits Becker, who nevertheless sees progress in the regulation because “clear rules” now apply in the handling of data. According to Becker, companies that rely on service providers such as Consilio have the knowledge that their data is stored and efficiently managed in the cloud with high security standards.
In light of exploding data volumes, data administration and management for a company on their own is now a challenge, especially for medium-sized companies – which are sometimes still at loggerheads with the Cloud. A specter that many see as a consequence of the GDPR is an abusive wave of lawsuits, a risk that Becker does not want to rule out. It is “to be expected” that corresponding legal disputes will increase, for example by individual employees of companies constructing data protection violations upon termination of employment and starting blackmail attempts.
Overall, however, the lawyer believes the GDPR has achieved a reasonable balance between manageability and effort. The protection of “immaterial assets” has been clearly upgraded.