An article by Dr. Thomas Kremer, from 2012 to March 2020 Board Member Deutsche Telekom AG for Data Privacy, Legal Affairs and Compliance.
The integrity of European data privacy laws and standards is now under threat from a court case pitting the United States Department of Justice against Microsoft. The case, which is pending before the United States Supreme Court, concerns the issue of whether American companies can be compelled to turn over data stored outside of the U.S. A ruling against Microsoft could mean that U.S. courts would be able to issue orders calling for data stored here in Europe to be turned over to American government agencies. That must not be allowed to happen! It would amount to an attack on the sovereignty of European data privacy laws and standards, carried out via exploitation of state pressure on American companies.
What's more, the European General Data Protection Regulation (GDPR), which will enter into force in May 2018, unequivocally makes such access impermissible. Data stored in Europe may be transferred to countries outside Europe only when European authorities permit such transfer, in the framework of legal assistance. The GDPR, a legislative milestone, provides a reliable legal framework for both affected parties ("data subjects") and companies. It is an achievement that must not be permitted to be undermined. If the U.S. Supreme Court rules to the effect that American companies, at the behest of American government agencies, would have to turn over data stored in Europe, then American companies could find themselves facing a dilemma: a choice between violating obligations to turn over data (American law) and violating prohibitions against turning over data (European law). That would be an unacceptable situation.
If the U.S. government is pushing for a legal resolution to this matter, European institutions need to make it clear that such a resolution can provide legal clarity only in that government's own country, i.e. in the U.S. itself. Such a resolution cannot be permitted to open the way to direct access to data stored in Europe.
There is good reason to fear, however, that the U.S. will resort to bilateral or multilateral agreements as a way of obtaining simplified access to data stored in Europe. European policymakers and companies should clearly reject such options as well. European data privacy standards must not be lowered.
Needless to say, all parties benefit from a reliable legal framework, and such a framework can include bilateral agreements. A reliable framework upholds the rights of data subjects and provides clarity for companies. But any such agreements with the European Union must not be allowed to compromise the rights that the General Data Protection Regulation (GDPR) accords to European citizens and companies. This is a position that Deutsche Telekom strongly supports. Any other position would amount to back-door undermining of European data privacy standards. It must be ensured that when foreign government agencies, acting within a legal assistance framework, order data to be turned over, their orders can be legally reviewed by domestic authorities and then directed, under domestic law, to those required to provide information.
Regardless of the discussion currently taking place in the U.S., Deutsche Telekom customers can rest assured that we will continue to safeguard their data. Our products and services conform to high German and European data privacy standards. This applies to "E-Mail Made in Germany," to our "Trusted Cloud" services for business customers, and to all of our other services. And nothing is going to change in this respect.
Deutsche Telekom's Data Privacy Advisory Board has reviewed the following position and expressed its full support for it.
From the above considerations, we derive the following demands:
- All government agency access to personal data must be subject to the law of the country in which the data are stored.
- Local laws have such primacy regardless of whether the relevant data stored in Europe are being stored by European companies or non-European companies.
- Court-ordered direct access from third countries to data in Europe is impermissible and must remain impermissible.
- In addition, any indirect access must conform to the accepted principles for international legal assistance procedures.
- Bilateral agreements with the EU, providing for turning over of data, must conform to European data privacy standards and must not compromise those standards in keeping with a different legal understanding.