The requirements for transatlantic data transfers are complex. We have worked out three simple tips for companies and provide practical aids for the Transfer Impact Assessment...
#datenschutz #dsb #tia #tadpf #dpf
https://www.bvdnet.de/neuer-angemessenheitsbeschluss-fuer-datentransfers-in-die-usa-ist-da/
#teamdatenschutz take note, only this week left: secure the early-bird discount for our autumn conference from 18 to 20 October in Munich!
We have an extensive programme: #ki, #datenschutz in public authorities and employee data protection, as well as the highly topical subject of #TADPF - plus numerous #LFDI, representatives from ministries and many #DPO reporting from their practice. We look forward to your visit.
Programme, registration and further information here: https://www.bvdnet.de/herbstkonferenz-datenschutz/
#teamdatenschutz #ki #datenschutz #tadpf #lfdi #dpo
The @DPCIreland’s decision ordering Facebook to suspend transatlantic #dataflows ignores the vitality of EU-US data transfers to trade & business. CCIA calls for swift implementation of @POTUS’s EO new data protection safeguards for EU citizens. #TADPF
https://ccianet.org/news/2023/05/ccia-statement-on-irish-decision-regarding-eu-us-data-transfers/
The @DPCIreland’s decision ordering Facebook to suspend transatlantic #dataflows ignores the vitality of EU-US data transfers to trade & business. CCIA calls for swift implementation of @POTUS’s EO on new data protection safeguards for EU citizens #TADPF
https://ccianet.org/news/2023/05/ccia-statement-on-irish-decision-regarding-eu-us-data-transfers-2/
Yesterday the European Commission launched the procedure for adopting an adequacy decision for the EU-US Data Privacy Framework, which is intended to foster transatlantic data flows and address the concerns raised by the #EuGH in its #SchremsII ruling.
#TADPF #privacymatters
The draft adequacy decision can be found here: https://commission.europa.eu/system/files/2022-12/Draft%20adequacy%20decision%20on%20EU-US%20Data%20Privacy%20Framework_0.pdf
#eugh #SchremsII #tadpf #PrivacyMatters
Reading through the recent @dsk decision against M365 and let's just say, deep sigh.
First off, nothing good ever starts from a conclusion like this: "The evaluation of the AK Verwaltungs came to the conclusion that 'on the basis of these documents, no data protection-compliant use of Microsoft Office 365 is possible'"
Page 2 is breathtaking in how it admits (unless my machine translation is wrong, and #teamdatenschutz, please correct me if I'm wrong) that it considered _nothing_ other than "an assessment limited solely to selected legal requirements of the GDPR, but not a complete data protection assessment of the Microsoft 365 cloud service, b) essentially an investigation based on the six from the AK Verwaltungs 2020 identified contractual defects."
So, no technical analysis at all. Nary an investigation into how M365 is being used, or even the entire relevant #contract.
For the love of cats, I really hope the machine translation is just buggy, because if not, that is appalling.
Pages 3-4 discuss a major complaint -- the DSK's objection by Microsoft of the #legitimateInterests basis for #processing #PersonalData.
Page 4 also discusses the (lack) of improvements between the regulatory working group and #Microsoft particularly around the type and #purposes of #processing data and the types of personal data being processed. This, admittedly, does seem like an easy fix, and I'm not entirely sure what Microsoft's representatives were so hostile to making this change. It's basic #transparency.
Page 5 calls out the telemetry and diagnostic data. On this, I wish the DSK had gone into greater detail. That's one area where it all feels very shadowy to me.
I'll admit here that the machine translation of Sec. 3.3, para 2 likely isn't clear. I'm not entirely following why Microsoft, as a processor, would be responsible for issuing instructions ... to the customer/#controller? I honestly don't know.
Page 6, Sec. 3.6 - the DSK calls out that updates to sub-processor lists include only 'planned changes' but not specifics on the 'planned changes' to subprocessors. If by specifics, they mean more details on the sub-processor's processing, I can understand. Otherwise, I've no idea what they're getting at here.
Page 7, Sec. 3.7 - now we get into the real meat of things: Any use of M365 involves a #transfer of data to the United States, and that makes everyone sad.
One useful note: Allegedly, Microsoft's #EUDataBoundary will maybe possibly launch in December of this year!
The DSK also reaches a sensible conclusion but without the necessary introspection: Namely that "the supervisory authorities have so far not been able to identify additional protective measures that could lead to the legality of the data export" as you can't process only encrypted data in all contexts everywhere. When data is in use, it's almost always in cleartext.
Maybe if they say it a bit louder, that would help.
After reading all of this, I have no idea how this will play out. Obviously, the German DPAs have no authority to bar Microsoft in Europe (that's Ireland's call). But they can cause endless amounts of pain for German controllers wishing to use M365, which is probably most of them.
Unsurprisingly, they offer _no_ solutions to this legal hell -- a few parting notes about how the EU Data Boundary might be a thing, or the US #TADPF might help (or not).
Hopefully, smarter folks than I can offer some guidance on how to sort this one out.
cc: @wchr @dataprotection @DataProtectionNerd @floort @neil @DaraghOBrien @robertbateman@mastodon.social
#teamdatenschutz #contract #legitimateinterests #processing #personaldata #microsoft #purposes #transparency #transfer #eudataboundary #tadpf