Claus Ulmer, Global Data Privacy Officer, on the Corona warning app, Schrems II and the challenges of the future, on the occasion of European Data Protection Day.
Mr. Ulmer, today is European Data Protection Day. That shows the importance of data protection in Europe. A current example is the so-called Schrems II ruling by the CJEU in July 2020, which had far-reaching effects on the transfer of personal data to third countries, in particular the USA. What measures have been taken at Deutsche Telekom so far and how could data processing also be ensured in the future?
Claus Ulmer: A milestone 40 years ago for European data protection. At the time, Germany chaired the Committee of Ministers of the Council of Europe. The birth of "Data Protection Convention 108" was celebrated. Since then, European data protection has continued to grow in importance and strength.
Quite right, a good example is the CJEU's decision with the ruling regarding Max Schrems vs. Facebook that the Privacy Shield agreement between the EU and the US (Privacy Shield) is invalid. The Privacy Shield was intended to establish a so-called adequate level of data protection in the USA. The ruling did not include a transition period. Data transfer to third countries on the basis of the Privacy Shield was therefore immediately prohibited. The lack of a transition period was, of course, a challenge for companies and their data protection officers. On the one hand, we were well prepared for this because Deutsche Telekom had not relied on the Privacy Shield before, but had worked with the so-called standard contractual clauses, which set higher standards per se.
However, the ruling also set new requirements beyond this, which had to be and still have to be reviewed. In addition, we had to clarify whether all operational areas had complied with our requirements not to reference the Privacy Shield. Therefore Group Privacy (GPR) launched a central "Schrems II" project together with BuyIn, Deutsche Telekom Service Europe (DTSE), Deutsche Telekom IT (DT IT), the operational data privacy contacts ("data privacy bridgeheads") and the Privacy Implementation chapter, among others. Together, we are working on the tasks resulting from the ruling. The international subsidiaries have set up their own projects for this purpose. GPR is involved and monitors their progress regularly. In addition, together with our contractual partners in the USA and other third countries, we are examining whether and what further measures are required.
Our project has specifically developed a guideline for handling data transfers to third countries, which has been widely communicated. This also takes into account the recommendations of the European Data Protection Board on the interpretation of the CJEU ruling, which are currently available in draft form. These recommendations are very restrictive and pose considerable challenges for the Group.
Against the background of the CJEU ruling and the restrictions on processing in third countries, especially the USA, does Europe need a European solution for cloud services?
Claus Ulmer: We need solutions for both: for our own cloud services and for international data transfer. Companies with strong international networks, such as Siemens, at least need solutions for intra-group data transfers. The situation is different in the cloud business, for example. Sales in cloud computing are rising steadily. The main providers of cloud services are currently by far the American providers such as Amazon, Google and Microsoft. Here, many European customers have virtually no alternative. They find themselves in a state of dependency. In view of the strict interpretation of the Schrems II ruling by the supervisory authorities, we need a data-sovereign European solution, at least as an alternative.
The "GAIA-X" initiative could create a high-performance and competitive, but above all trustworthy data infrastructure for Europe. This could avoid dependence on large companies or states. But there is literally a long way to go. In addition, the internal discrepancies in the GAIA-X project that we are seeing between individual participants must first be resolved. There is already a dispute here about whether there should be a fixed standard, the French CISPE standard, or whether the idea of open standards should be used as a basis. We advocate open standards, provided they are approved by the European Data Protection Board. This would include German standards, such as the EU Cloud Code of Conduct or the cloud certification standard "Auditor". Both are currently in the European approval process. Even if non-European partners can participate in GAIA-X, it is crucial that the European culture and values are safeguarded and remain untouched. Otherwise, not much would change in the status quo, which is dominated by providers outside Europe, and the immense effort would not be worthwhile.
SAP and Deutsche Telekom developed the Corona Warn app on behalf of the RKI. When it comes to the effectiveness of the app, there is always the question of data protection and whether data protection should not take a back seat. What is your stance on this?
Claus Ulmer: Together with SAP, we as Deutsche Telekom have developed this app as one of many building blocks in the fight against the Corona pandemic. In accordance with the requirements of the German government, the user ID is stored in a decentralized manner. In other words, on the smartphones of the people you meet. Also, no location data is stored. In the meantime, the app is also being used across countries, making it easier to interrupt chains of infection internationally. The most important thing in our current context, however, is that the data protection in the app works and we have not detected any malfunctions in this regard so far. The decentralized approach has proven to be correct and the pseudonymization methods used are sufficient.
Unfortunately, data protection as such is repeatedly stylized as the "opponent" of the right to health in public discussions, media and online platforms such as Twitter or Facebook. This is a populist comparison and misses the point. It is not a question of data privacy versus health. With the appropriate legal regulations, "data privacy" can, of course, be reduced or even eliminated altogether. But this is not expedient, because as the State Commissioner for Data Protection in Baden-Württemberg, Stefan Brink, correctly points out: "Data protection and voluntariness are not the disadvantages of the app, but the best arguments for its use."
In reality, the issue is the acceptance of the app by the population. People will only use the app if they can trust the processing of their data. At the moment, a lot of people in Germany do; by the beginning of January this year, a good 25 million people were using the app. If someone wants to turn the app into a tracking and tracing tool, they are doing so with the risk that the acceptance of the app will decline, making it less effective, meaning that fewer people would download or use the app. The logical consequence would be that the state would have to oblige citizens to use the app and also track this. For example, citizens would have to be checked on the street to see if they have their smartphone with them, or at least the smartphone on which the app is. I suspect that the proponents of such populist demands have not thought their own idea through to the end. For example, what is the impact of the fear of possible misuse of the app if it stores our movements and our social contacts and that is also evaluated by the state? These are just two objections that need to be considered.
If we dare to look ahead: what will be the most important data protection issues we will have to face in the next few years?
Claus Ulmer: We are continuing to digitize our world continuously and in ever faster cycles. As a result, data protection will also take on an increasingly important role. We data protection experts must always stay on top of the technology, which means we must constantly learn how to provide good data protection. On the other hand, developers and innovators must always keep data protection in mind when designing their solutions. Good data protection enables the creation and implementation of new ideas because it protects free thinking. At the same time, users of new solutions must be able and allowed to feel secure. Trust that data will not be misused must be further strengthened. And this is not a continental-regional task. We will struggle around the world to develop a uniform understanding of data protection. Some countries, including the U.S. by the way, are already on the way. Ultimately, the European system will certainly not be the only one.
But the trust of customers and users will certainly take center stage even more than it does today. We will be looking very closely at the innovative power of artificial intelligence. The integration of the virtual world and the real world is also an important issue. Augmented reality can be used in many areas, all of which need personal information to process in order to support us properly.
We remain curious about the future!