Working with the U.S.: a good conversation about data security


How do you safeguard data protection at the international level? At the end of 2022, this question was the focus of the discussion “The Dutch and American approaches to data protection: moving forward together.” Dutch data privacy experts, including Sandy Janssen of SURF, addressed collaborations between Dutch and U.S. organizations during the session, and how they can improve their data security and privacy. The session was moderated by Josh Kallmer, Head of Global Public Policy and Government at Zoom. Zoom has improved its data policies and their implementation in accordance with the AVG (GDPR) by 2022.

Security goes hand in hand with privacy

The basics of privacy and security start with technology: technical measures that protect data, such as the security of a website, network or database in the cloud, come first. Marlon Domingus, Data Protection Officer at Erasmus University Rotterdam (and chair of the SURF Taskforce Beyond Privacy Shield), emphasizes that security goes hand in hand with privacy: “There is no zero-sum game. Privacy is just as important as security, for example: both should be given equal priority.”

Data minimization should be standard

One of the pillars of privacy is data minimization. “Is it really necessary that you record when a user opens and closes a document, or when the document name is changed?” wonders Sjoera Nas, Senior Privacy Advisor at Privacy Company. If, as an international company, you analyze which types of data you collect and why, a conversation about privacy with local data protection authorities becomes much more productive. Tobias Guenther, Privacy Counsel at Zoom, agrees: “At international technology companies that want to adhere to strong privacy and security standards, minimizing data collection should be a default setting and one of the basic principles, in order to be able to honor agreements with customers.”

Data inventory

Another important step for privacy by design is the inventory of the data a company processes. “It is important that companies look beyond personal data in content and include other types of personal data (e.g., telemetry data) in their privacy assessments,” says Sjoera Nas.

Transparency about data processing

In-depth transparency about long-term data processing is also important. “Users don't want to be surprised that the provider they trusted is doing things with their data that they didn't agree to,” says Marlon Domingus. “Failure to be transparent results in users losing trust.”

Data privacy plan with long-term strategy

Developing a robust data privacy plan also means developing a long-term strategy: what will happen to privacy in 5 or 10 years under the influence of machine learning or AI? Can we foresee this now and respond accordingly? Rob van Eijk, Managing Director for Europe at the Future of Privacy Forum: “The main question is whether additional monitoring requirements should be developed for such innovative technologies that many companies are now starting to launch. It can be very costly to comply with these requirements, especially for SMEs that may not have the resources to conduct a Data Protection Impact Assessment (DPIA) for the AI-based solutions they use.”

Companies and privacy communities need to take these developments into account. You have to stay right on top of them, according to Sandy Janssen, Legal Counsel at SURF. “Data protection agreements go beyond just legal agreements; they are also about agreements on taking technical measures. The supplier must ensure a privacy-friendly implementation of the application for the users who entrust the data to the supplier. This was also one of the pillars in our cooperation with Zoom, which worked hard to meet the expectations of our SURF members.” For example, Zoom has updated its processor agreements; since November 2020, end-to-end encryption has been available in both one-to-one conversations and group conversations; it will soon be possible to store most data in Europe; and help desk requests will be handled in the EU.

Government

In addition to these efforts, the privacy community and industry rely on governments, which have the crucial role of establishing legal and ethical frameworks and shaping future policy. A constant, international dialogue on the most acute data privacy issues forms the basis for strong, effective and global cooperation.

Executive order contributes to implementation of the EU-U.S. Data Privacy Framework

While discussing examples of such collaborations, the experts made clear that they welcome the new executive order recently signed by U.S. President Biden, because it contributes to the implementation of the EU-U.S. Data Privacy Framework. According to Rob van Eijk, it is a special decree: “The framework prioritizes proportionality of data collection and storage, rather than reasonableness, which is a much broader concept. This means that it now leaves less room for interpretation, which gives citizens more mechanisms to exercise control over their data. As a result, privacy becomes a fundamental right in this agreement.”

Cooperation between Dutch and U.S. organizations

On the other hand, the experts point out that privacy policies in the U.S. and the EU need to be better aligned. “In the U.S., for example, data is stored ‘just in case’ and that data can then be used for innovations, research and various other purposes. In the EU, we take a more cautious approach and base our policy on the principle that data belongs to the user. The EU-U.S. Data Privacy Framework is a step in the right direction and brings two privacy approaches closer together. There is still work to be done and this is why Sjoera Nas advises that Dutch and U.S. organizations continue to actively work together to ensure the highest data privacy and security standards.”