Germans may be rejoicing in the streets in the last days thanks to the recent World Cup win, but as well as soccer, Deutschland is also raising the bar for data protection. Here’s what makes German data protection laws safer than Manuel Neuer’s gloves.
Over the past weeks, Germany was filled with scenes of uncharacteristic abandon, with dancing in the street and beer-soaked celebrations. But our fantastic World Cup victory aside, by midweek it’s back to business as usual. And that business, for many, is data protection. And it’s a serious business – with hundreds of US companies flocking to EU servers and services to provide damage-limitation for post Patriot Act loss of customer faith.
A Global Move
The trend started already at the end of last year. In the wake of mass government surveillance, IT companies began to emigrate from the US to Europe. The main reason for this was to limit extensively the reach of the NSA to monitor traffic and data, but the push itself came from falling sales and worried global customers who began to wonder if big IT firms are actually able to protect their sensitive data and privacy. Companies reacted by moving data centers to Europe, many of them to Switzerland and Germany, where the data protection laws are the most progressive in the world, and privacy is handled with greater care and respect.
Already at the beginning of the year, Canadian data center service company Peer 1 warned that a change in data hosting is coming. Peer 1 surveyed businesses about storing data in the US and the effects of the Snowden revelations on their decision-making. It turned out that around 25% of UK and Canadian IT decision-makers plan to move their company data outside of the US as a result of the scandal.
Another key finding was that the majority of companies now value security more than low latency. Nearly 80% of respondents said they would rather host company data in a facility that is highly secure but where they may incur latency, rather than hosting in a guaranteed-ultra-low-latency facility where security is compromised.
A Matter of Trust
Over the first half of the year this perception expressed in the survey took action. U.S. technology companies have reacted in a variety of ways. Netsuite Inc. which offers a cloud-based suite of applications used to manage accounting, supply chains and other business processes, decided late in 2013 to accelerate the construction of data centers in Europe because customers and prospects were increasingly concerned about violating pan-European and country-specific privacy laws.
IBM and Amazon.com have each stepped up the pace of data center construction around the world. Cisco Systems has embarked on an ambitious project to help telecom and Internet service providers outside the United States establish national clouds that would comply with the increasingly nationalistic laws and regulations it expects to see enacted around the world.
The major scorers in German Data Privacy
Since then, companies have realized that digital privacy laws in Germany are a blessing. Here are the main differences that set it apart from US counterparts. Here are the main scorers…
- No sectorial loopholes
US law does not protect all personal data. It rather follows a sector approach, according to which personal data processed in certain industries is protected – but others are not. In contrast to this, Germany (and the EU) has a comprehensive data protection law without sectorial loopholes. It protects any and all personal data. Any processing of personal data requires either consent by the data subject or a statutory permission that explicitly allows the collection and use of the data.
- Even stricter rules for New Media
The German Telemedia Act [Telemediengesetz or " TMA"], contain even stricter rules than the general Federal German Data Protection Act. Telemedia service providers (which includes webshops, mobile commerce, newsgroups, music download platforms, video on demand (VOD), internet search engines, emails and even simple company websites) have to inform users in detail about the "character, extent and reason" of the collection and processing of user-related data.
- No legal obligation to US Intelligence
Thanks to the Patriot Act and the US Foreign Intelligence Surveillance Act, US companies are obligated to hand over data stored in their systems to US authorities, even if such data is stored in the EU. A company based in Germany (or the EU), with no US affiliates is not subject to the US jurisdiction and is under no legal obligation to grant access to the data it stores to US intelligence authorities.
- Strict requirements for non-EU data flow
In sharp contrast to the American law, any transfer of personal data outside the European Economic Area is still subject to particular strict requirements, and an adequate level of data protection must generally be safeguarded by the recipient. And if a violation occurs, German data protection laws generally grant foreigners the same rights as Germans to seek legal actions. In the US however, it’s almost impossible for foreigners to sue.
- “Data minimization” and purpose limitation
But most importantly, German data protection laws incorporate the principles of data minimization and purpose limitation. That means that generally only as much data may be collected as necessary to pursue a certain purpose and the data may only be used for the purposes it was collected for. A company is legally accountable if it violates these rules.
Sounds like a World-Class winner to us… What do you think?