Working with the US: a good conversation on data security
How do you safeguard data protection at the international level? At the end of 2022, this question was the focus of the discussion 'The Dutch and US approach to data protection: moving forward together'.
Dutch data privacy experts, including Sandy Janssen from SURF, addressed collaborations between Dutch and US organisations during the meeting, and how they can improve their data security and privacy. The session was moderated by Josh Kallmer, Head of Global Public Policy and Government at Zoom. Zoom has improved their data policy and implementation in line with the GDPR by 2022.
Security goes hand in hand with privacy
The basics of privacy and security start with technology and are about technical measures to protect data such asthe security of a website, network or database in the cloud, which is most important. Marlon Domingus, Data Protection Officer at Erasmus University Rotterdam (and chair of the SURF Taskforce Beyond Privacy Shield) stresses that security goes hand in hand with privacy: "There is no zero-sum game. Privacy is just as important as security, for example: both should be given equal priority."
Data minimisation should be standard
One of the pillars of privacy is data minimisation. "Is it really necessary that you record when a user opens and closes a document, or when the document name is changed?" wonders Sjoera Nas, Senior Privacy Advisor at Privacy Company. As an international company, if you analyse the type of data and why you collect it, a conversation about privacy with local data protection authorities becomes much more productive. Tobias Guenther, Privacy Counsel at Zoom agrees: "At international technology companies that want to adhere to strong privacy and security standards, minimising data collection should be a default setting and one of the basic principles, in order to honour agreements with customers."
Data inventory
Another important step for 'privacy by design' is the inventory of the data a company processes. "It is important that companies look beyond personal data in content and include other types of personal data (e.g. telemetry data) in their privacy assessments," says Sjoera Nas.
Transparency about data processing
In-depth transparency about long-term data processing is also important. "Users do not want to be surprised that the provider they trusted is doing things with their data that they did not agree on," says Marlon Domingus. "Failing to be transparent results in users losing trust."
Data privacy plan with long-term strategy
Developing a robust data privacy plan, means also developing a long-term strategy: what will happen to privacy in 5 or 10 years' time under the influence of machine learning or AI? Can we foresee this now and respond accordingly? Rob van Eijk, Managing Director for Europe at the Future of Privacy Forum: "The main question is whether additional monitoring requirements should be developed for such innovative technologies that many companies are now starting to launch. It can be very costly to comply with these requirements, especially for SMEs that may not have the resources to conduct a Data Protection Impact Assessment (DPIA) for the AI-based solutions they use."
Companies and privacy communities need to be mindful of these developments. You need to be well on top of that, according to Sandy Janssen, Legal Counsel at SURF. "Data protection agreements go beyond just legal agreements, they are also about agreements on taking technical measures. The vendor must ensure privacy-friendly implementation of the application for the users who entrust the data to the vendor. This was also one of the pillars in our cooperation with Zoom, which worked hard to meet the expectations of our SURF members." For instance, Zoom has updated its processor agreements, end-to-end encryption is possible in both one-to-one and group calls since November 2020, it will soon be possible to store most data in Europe and helpdesk requests will be handled in the EU.
Government
In addition to these efforts, the privacy community and industry rely on the government given they have the crucial role to set legal and ethical frameworks, shaping future policies. A constant, international dialogue on the most acute data privacy issues, form the basis for strong, effective and global cooperation.
Executive order contributes to implementation EU-US Data Privacy Framework
While discussing examples of such collaborations, it appears that the experts welcome the new executive order recently signed by US President Biden. This is because it contributes to the implementation of the EU-US Data Privacy Framework. According to Rob van Eijk, it is a special decree: "The framework prioritises proportionality of data collection and storage, rather than reasonableness, which is a much broader concept. This means that it now leaves less room for interpretation, giving citizens more mechanisms to exercise control over their data. As a result, privacy becomes a fundamental right in this agreement."
Cooperation between Dutch and US organisations
On the other hand, the experts signal that privacy policies in the US and EU need to be better aligned. "In the US, for example, data is stored 'just in case' and that data can then be used for innovations, research and various other purposes. In the EU, we take a more cautious approach and base our policy on the principle that data belongs to the user. The EU-US Data Privacy Framework is a step in the right direction, bringing two privacy approaches closer together. There is still work to be done and this is why Sjoera Nas advises that Dutch and US organisations continue to actively work together to ensure the highest data privacy and security standards."