Thanks a lot. Quick question up front: who has dealt with these data transfer issues already? Half. Who was there last year? Okay. So I'll try to do a bit of an intro. I still need my PowerPoint up there, for whoever is in charge of that technically.
Oh, perfect. Yeah. A short recap of what the background of this data transfer issue actually is, for the people that didn't raise their hand. Basically we have this US surveillance issue in the background. We remember the Snowden disclosures, that there is a lot of data capturing going on. There were all these demonstrations and so on, and from that we have a bit of an idea of how US surveillance works. There are two types of surveillance. One of them is what's called upstream, which is getting the data off the backbone of the internet,
where by now more and more of it is encrypted, so that's not necessarily that useful, but you can still get the metadata and see who is communicating with whom. The other one is called PRISM; by now, I recall, it's been renamed downstream. The idea there is that they basically get the data from the big cloud providers and the internet providers, because they usually also have the encryption keys, and that way you can get the information raw. Because of the Snowden slides, we have a bit of a better understanding of how all of this works.
Usually mass surveillance discussions are very cloudy, very conspiracy-like. But in this case you have a good idea of what really happens under the hood. And basically all of that works under FISA 702, that's an American surveillance law. That in itself is usually, I think, 17 or 18 pages, something like that, just that one paragraph. But if you dumb it down and make it very simple, it basically goes like this. It requires that there is an electronic communication service provider, so that's basically your US cloud provider.
That's important because not every American company falls under these surveillance laws; it's only these electronic communication service providers. The other thing you need is foreign intelligence information, which is broadly defined as anything that is relevant for the foreign conduct of the United States. So in normal words, espionage, but it also includes criminal situations, terrorism, all of these other things. It's a very broad definition.
Now the interesting thing is you don't need a judge, you don't need probable cause, you don't need a criminal, you don't need any of these other elements that we usually have for phone tapping. That works because this whole system is certified by an American court once a year. So they do have a court involved, but the court doesn't individually say, okay, that guy's data we can actually look into. It just generally allows the surveillance system for a whole year. There's no decision-making on the individual person other than by the person tasking it.
And it works because part of that certification is so-called minimization and targeting procedures, which basically filter out American citizens and US persons. That's the interesting part about the surveillance situation: we actually agree on both sides of the Atlantic that this is unconstitutional. Just that the US side says it's only unconstitutional for people that are covered by our constitution, and that's American citizens, while the European side has this human rights approach where it would cover everybody.
And that is fundamentally how it works: you split the data into two. The data that is not covered can be used. The data that is covered by the Fourth Amendment in the US you can't use. There is then basically a directive to the service provider, which requires the service provider to open up something like an API to pull the data. We had a very long-running case where I'm the little smiley down here, like an Austrian citizen having a contract with Facebook.
Facebook passes the data on to the US, and we know that it's captured at least twice, once in the upstream system and once in the PRISM system under FISA. That's one of the laws. The other one is Executive Order 12333. I just want to mention it; there's another thing, but I'm not going to go into the details there. Now what does the EU side of all of this say? Basically the EU says that you cannot, as a general rule, transfer data abroad. We have a general prohibition on data transfers outside of the European Economic Area. That is a very, very bold statement, but that's the law since 1995.
There are derogations if it's really necessary to transfer data. So if you send an email abroad, there are options for that. If you have a contract partner abroad, there's an option for that. But if you want to do basically outsourcing, so send data abroad because it's cheaper, easier, there's just someone that does better servers, then you have to go through one of these hoops and have one of these legal bases to transfer data. That generally works if you have a country where there's just no data protection act.
So there's another country where there's just a legal vacuum; you can fill it basically with contractual systems. So you have a partner in the US that signs a contract saying I'm following European principles, and then you can basically transfer data there. The problem in the US is that you also have the surveillance law, so that guy can sign a contract, but he's not allowed to follow it, because the surveillance laws require that guy to actually follow the surveillance laws in the US.
And fundamentally what we have now for more than 10 years is a very basic conflict of law situation, where the European Union says you need to provide privacy, the Americans say you basically have to help us with surveillance, and as a company you're stuck in the middle because you're going to violate one of the two. What's the current situation after two judgments of the Court of Justice?
We currently have the situation that the Court of Justice, the highest court in the European Union, found that these American surveillance laws don't just violate proportionality, for example, for fundamental rights. They said that actually the essence of your fundamental right is violated.
I know that's very legalese, but that's a very extreme statement. The Court of Justice has never found a violation of the essence of a fundamental right, ever. And usually in law that only exists, for example, for torture. There's no proportionate torture. And a violation of the essence means it's so extreme that we don't even have to start a proportionality test, because you didn't even fulfill the basic requirements of human rights, so we don't even start with a proportionality test here. And that happened twice with the surveillance laws in the US, which is quite extreme.
The current situation is therefore that we have to comply with the GDPR in the US if the data goes there. But we also have to comply with the Charter of Fundamental Rights, which is the fundamental rights on the European Union level, so the constitutional rights there. What does that mean in practice right now? If we have any of these outsourcing situations, we usually have a problem right now if it goes to a US company. I want to differentiate a bit, because it's not that simple that anything that's in the US is terrible. There are situations where that's legal.
So for example, for necessary transfers: if you book a flight, if you send an email there, or if you book a hotel, that's fine because it's necessary for the contract, for example. But if you outsource your data to one of these electronic communication service providers, which is the big cloud providers, usually the big telcos, you usually fall under these surveillance laws. That is also true if the data is held in Europe. So a lot of these Microsofts and so on were like, oh, but we have a server in Europe, everything's fine.
That's not true, because American surveillance law goes so far as requiring that you provide any data where an American company has possession, custody or control. That's the three magic words. So basically as long as they can somehow access the data, they have to forward it. Now that also means you can separate data to the level that you cannot access it anymore. So you have a sub-provider in Europe where you factually cannot access it anymore. That would work. That is one of the solutions that is around; that would be interesting.
But most of them currently don't do that, because they want to have their global system; they don't want to differentiate. There is the option that you transfer data to a non-FISA company. So if you're, for example, in Austria, we've got one of the steel mills there. That steel mill is not an electronic communication service provider. We can probably transfer data there without any problems. That is a situation that works. But usually with the big outsourcing that we have, we run into trouble. So part three, and probably the main thing I want to talk about, is: what is the future?
Because at the beginning of last year there was a meeting between Biden and von der Leyen, and suddenly all these problems were gone in a minute. That's a wonderful magic trick, and I just want to explain how this magic trick works in the background so that you all can think about whether you are impressed or not impressed. What happened in the background is that once Ukraine happened, apparently the US used that to say, oh, now we have to stand together and show everybody that we like each other, and how better to do that than having a data deal.
Some people also brought up that in the same meeting there was an agreement that we get American gas, and some people put that next to each other. There is no evidence right now that that's true, but at least the impression happened to be around there. So what was this announcement? Basically they said that this Privacy Shield that the Court of Justice struck down stays as it is, and there's not going to be a big change fundamentally in how the system works.
What they will do is that they added an additional executive order to cover up for the mistakes that happened before and for the parts that didn't work. And that will introduce a proportionality and necessity test in the US. I'm going to get back to that. And there is going to be a so-called data protection court in the US. Now the Court of Justice criticized two things. It first of all said if you want to have redress in the US and you want to go to court and complain about the surveillance, there is no court, there is no place you can go.
So they tried to cover that problem with this data protection court. And they said that the surveillance in itself is just so massive that it's disproportionate, so they have to fix that problem somehow. The third and fourth part that is now in the final executive order, that was not announced at the beginning, is interesting because there is now a reciprocity system. So the US will only grant you this proportionality and necessity limitation and the data protection court if European governments also grant these rights to Americans.
And that is a very interesting development, because so far we have a very national approach to these surveillance situations. It's like, if I'm an Austrian and the German secret service does something, I have no place to go. If the French do something to the Germans, there's no place to go. So we still have this very nationalistic view on surveillance, and that in a global internet is not going to work, because you're always going to be a non-citizen in most of the countries in the world.
And this reciprocity part could actually be quite interesting, because if we move towards that, that could mean that among democratic countries we would get to something that they call a no-spy agreement: a system where basically your rights are the same no matter where your data goes. And that could limit a lot of these limitations on data transfers and open it up again, because you would have the same rights in the US as in Europe, for example, or at least equivalent rights. That could be a path forward that really gets stuff done. There's kind of a trace of this.
I'm going to explain on the next slides that it's not going to work this time around, but we see a certain trend that could in the long run fix the problem. Now what is an executive order? We all remember Trump, and we all remember that he loved his Sharpies and these pieces of paper where he signs it. That is usually an executive order, and an executive order is an internal order by the boss of the executive that everybody below him is going to do a certain thing or not.
It's like when your boss tells you do this and not the other: you are bound by it because it's your boss, but your client or your customer cannot sue you over it because it's an internal order. And that's exactly the same thing with the executive order. It's an internal document saying please do or don't, but it doesn't create third-party rights. It doesn't allow you as a citizen to say it's in this order, so therefore I sue you. And what they try to do is to get proportionality into that. Now I had that in the slide before, this proportionality test in the EU.
The EU defines that as: usually it says, okay, there is, I don't know, data retention or some other kind of crazy thing that happens, and they try to put it to a proportionality test and say, is it proportionate or disproportionate? How far do they go into fundamental rights? Is that still okay in a democratic society or not? And the interesting thing is the Court of Justice found twice that this FISA surveillance system and PRISM is a violation of the essence of your fundamental rights.
At the same time they will continue doing that, but also say they will only do proportionate surveillance from now on. If anybody in the room knows how you can do all these things at the same time, do something that is not proportionate but still have it proportionate and still continue doing exactly what you did before, I don't know how they do it. But it now turns out in the executive order that the magic trick is the following: there's going to be a US proportionality system that's just going to be moved fundamentally to one side.
And the wording for that is that they call it an American interpretation of proportionality. So we use the same word now on both sides of the Atlantic, so all the politicians can say, yeah, we agreed we are going to have proportionate surveillance; it's just going to mean something different on the two sides and therefore not solve the problem. That's fundamentally what they try to sell here. The second thing that they do is this data protection court.
So it used to be already under the old agreement that you could go to a Privacy Shield ombudsperson, that was that lady back then, and that person is now renamed and called CLPO, this thing up there. Not a big change. You will always get the same answer from that person. So if you complain about surveillance, let's say you didn't get a visa if you wanted to travel to the US, you have to go to your national data protection authority, wherever you are based in Europe. They will then raise that issue with the CLPO and will get an answer back.
And the neat thing about that system is the answer is already pre-described in the executive order. It has the exact wording of what the answer is going to be. So it's like going to a court where you already know the judgment before you've even raised your case. And the answer is going to be that, first of all, they neither confirm nor deny that there was any surveillance. So they will not tell you if surveillance actually ever happened.
Secondly, they will tell you either it was all legal, or it was not legal and if it was not legal we remedied the situation, and you're not going to be informed which one of the three is true or wrong in your specific situation. Now you may not be happy with that. So they added now a court, so if you're unhappy with that, you can appeal the problem. What are you going to write in your appeal? Because you don't even know what happened. And the beauty is you only have to write one sentence, like "I appeal." That's good enough, because you don't know what you're appealing about anyway.
And then you are going to go to the data protection court, which is not a court but an executive tribunal that is within the executive power in the US. And that new court does exactly the same as that other person, just that it's going to be more people issuing the same decision, and it will have exactly the same wording that you had before. So that is the court, or the redress, that we're going to have with this new system. At our office in Vienna I even got a standard stamp that has exactly the wording.
So if anybody wants to get judgments, we can produce them like crazy. Not to joke about it, the reality of that problem is the Court of Justice in the European Union also has to deal with the judicial system in Poland or in Hungary. And they have to apply the same Article 47 to say, oh, Hungarian appointment of judges is not good enough, but at the same time say that this is a proper court. And that's going to be very, very hard for the Court of Justice to ever do.
So my prediction is that 90% plus this is going to fail another time around. But just a bit of background, there is much more in detail why there are problems. The typical example is that also on the commercial data usage side, we usually under the GDPR need consent or another legal basis, where access to data has to be necessary under the commercial principles. In Privacy Shield we're still in the status of 2000. It's never really been updated since 2000. You only have an opt-out, limited access, and so on.
So even on this commercial data usage side, it's going to be very hard for the Court of Justice to accept it. The reality is they have not even ever gotten to that point, because they've already stopped checking stuff when they were on the surveillance. So what is the short-term solution? We're going to have this new deal that's going to go back to the Court of Justice. The timelines were roughly these: there should be the final version around now, we don't know exactly. We think we can usually challenge it in a couple of months, and it would then be back at the Court of Justice.
The Court of Justice can stop the application of the new system right away. Very unlikely that that happens.
10, 20% is the likelihood that they actually say right away, this is so crazy, while we review it we're going to pause it. Very likely it's just going to be there for one and a half, two years, something like that. And very likely we're going to have another decision that is negative for the industry. That means for these one and a half years they can say, oh, there is a legal thing and I followed the law and everything's good. But for a long-term perspective and long-term planning, it's probably not going to help all too much.
So I think for a good time we're going to see this ping pong, and unfortunately I can't solve the problem. I can only raise the issue here, but I just want to give some thoughts at the end on what could be long-term solutions. As I mentioned before, we're moving into this global age where everything is connected. So what we need is, at least among democratic countries, these baseline guarantees that we give each other, even within the European Union, interestingly, because that part is right now exempt from EU law. So EU law doesn't apply here.
The next simplest solution would be that the US would just put 20 judges there that just say yes or no in individual cases. That would be much cheaper than all the consultancy and all the craziness that happened after these judgments. But right now that's unlikely, because in the US usually when you talk to politicians, they say, I'm going to get voted out of office if I give rights to foreigners, so I'd rather not do that. And that is right now a problem that we have.
The very short-term solution that we see is that there's more and more this idea of having an EU entity, so that a big US company starts a separate entity in Europe that holds the data, where they don't have access to the data anymore. That could also be a solution, that the same services are provided but just with a different structure in the background. And right now what's also happening is just this EU segregation, or just having a pure EU data holding system, which I'm personally not a big fan of. I'm more of a globalist and would like to have this global internet.
But right now that's oftentimes the easiest and safest solution. I hope that was useful for you all. Thanks a lot, and I think we have two, three minutes for some questions as well. Thank you, Max, thank you for being here. Unfortunately, there are no questions from the audience. So what is now the practical tip you have for companies and organizations?
Okay, yeah. Don't quote me on anything I'm saying right now. For us, for our own organization, we host everything in Europe. So my compliance was rather simple: send an email to our hosting provider saying, do you actually not have any American subsidiaries, whatever, blah, blah, blah. I got an email back 10 minutes later: no, we don't. My compliance was done. Now that's not realistic for a lot of bigger organizations.
So I think right now what could be an approach is that at least when there are new systems, new stuff that's put up, that that is just high on the agenda, to not have that trouble. That may sometimes cost more, to have a local host or something. But if you think about the compliance costs of all the US cloud, then sometimes I wonder if it's not cheaper, or makes people sleep and be happier. I think for systems that are up and running, it's going to be very hard to quickly change that.
My hope would be that the big American providers would gradually shift to a European kind of system. They do that in China, interestingly, because the Chinese are more serious about their localization laws.
Again, I'm not a big fan of that, but that could be one of the solutions that provides the same services without big drama. When you talk to American businesses, the large providers, I usually get the feedback that they say our customers haven't run from us, the authorities haven't enforced it yet, so why should we? And that is at least the answer I get most of the time right now. All right. Thank you very much. Please give Max again. Take care. Thanks. Thank you for coming.