For the crucial decision of choosing a cybersecurity provider, a major criterion should be the geographical location – and hence the applicable data privacy law. We have summarized the most important differences between the European Union and the USA regarding data processing for you.

European Union

Privacy and data protection rights are fundamental rights and part of the most central guiding principles of each EU member state as well as the EU law and the Charter of Fundamental Rights of the European Union.

Data protection authorities are independent and exclusively responsible for monitoring compliance with data protection law.

Security agencies require a court order to access any data stored on servers. The powers of national security agencies end at their national borders.

US security agencies are not allowed to access non-US companies’ servers within the European Union.

Servers can be accessed only on probable cause, e.g. following a police report or where there is sufficient evidence of a committed crime, and only to the extent permitted by the respective court order.

Affected individuals and organizations must be given extensive opportunities to safeguard their interests early on, already at the investigation stage.

USA

National security has priority over privacy and data protection. Data protection is part of consumer protection law.

The Federal Trade Commission is an authority primarily enforcing antitrust law and responsible for protecting consumer privacy and data security.

Security agencies may access data stored within the United States and abroad without involving the courts, if the servers are controlled by US companies or their subsidiaries.

US companies and US cybersecurity providers are obliged to surrender data under US law.

Security agencies are administrative authorities following directives. Servers will be accessed based on political directives.

Affected individuals or organizations do not have to be informed that their data has been accessed or that surveillance has been conducted.

EU-US Privacy Shield

Transferring personal data

The EU Commission allows personal data to be transferred to the USA only if the US company complies with the high European data protection standards, has obtained appropriate certification and has been named in the Privacy Shield List.

Directives of US authorities

US security agencies are not bound by the companies’ self-commitment within the scope of the Privacy Shield agreement. This means that data and knowledge still have to be transferred to the USA following US authorities’ directives.

Conclusion

Data transfer without respective notification

Any data that is transferred to the USA, any data a US company or US subsidiary has access to, and any data that is stored on any server of such companies is subject to US law and can potentially be accessed by US authorities without any obligation to inform the affected individuals and organizations.

US security before data protection

The self-commitment of US companies to EU data protection does not ensure data protection in the USA, because of the extensive investigative powers of US security agencies; strictly speaking, this undermines the EU General Data Protection Regulation.