There was major excitement in the digital world when the European Court of Justice issued its judgment on the Privacy Shield. After protracted wrangling, the data protection agreement between the European Commission and the USA was declared invalid. This consigned the so-called Privacy Shield to history. As a result, companies are now prohibited from using this agreement as a basis for data transfers.
This means that the frequently cited standard contractual clauses are of limited use as a legal basis. In its ruling, the ECJ made it very clear that compliance with data protection standards in another country must be checked on a case-by-case basis. However, experts agree that agreements between EU countries and the USA would not stand up to such scrutiny.
The decision therefore raises numerous questions: Which services are affected? Who is liable for violations? How can companies minimize their risk?
Facebook, Azure, cloud networks
First of all: the effects of the ECJ ruling are much more far-reaching than you might think. It is not only the usual platforms and cloud services such as Facebook, AWS or Azure that are directly impacted by the judgment. After the demise of the Privacy Shield, it is the “digital backbone” of our economy, the networks at the very heart of every company, that need to be looked at.
Where a network is managed from the cloud, personal data is also being processed there. The most prominent examples are SD-WANs, which are increasingly replacing MPLS lines or classic VPNs to network company locations and branches. But also our wireless LANs, which are now increasingly being implemented via “zero touch” from the cloud.
A look at the technology: SD-WAN
To understand the relationships, we should take a look at the architecture of the underlying technology: software-defined networking. SDN is so exciting because it enables the highly automated configuration and control of entire networks from the cloud. This functions by dividing the networks into a control plane and a data plane. The data plane includes the various hardware components such as the routers, switches and access points that are used to transfer the data packets. The control plane, on the other hand, is the control and monitoring level that specifies data paths through the network and continuously monitors it.
On this control plane—which all major providers now have in the cloud—personal data is continuously being processed. So of course the subject of data protection is acutely relevant here. The data processed there includes device-related information such as MAC addresses and IP addresses, but also login information, location data, specific information on how services are being used, as well as the names and e-mail addresses of network administrators. Not only is it possible to draw conclusions about individual users, it may even be possible to create entire user profiles for individuals.
Particularly delicate: Wi-Fi in schools
The example of schools and these times of digital learning reveal the full scale of the problem. Wherever software-defined networking is used to centrally configure, manage and monitor wireless LANs in schools, personal data from users and network administrators flow into the cloud.
Even everyday use of the school Wi-Fi by teachers and students is legally delicate—especially since the latter are generally underage and enjoy special protections under the General Data Protection Regulation (GDPR). The social media services they use and where students are located when they log into the network are easy to trace using personal data. Schools that do not address the related data-protection issues quickly risk massive data-protection violations and the legal consequences that follow.
For businesses, the danger of compliance violations is no less significant. In just about every SD-WAN, the control plane is used for the cloud-based processing of data from users and administrators. Where employees work anywhere at the head office or at a branch office on the company network, their personal data is collected in exactly the same way as that of supermarket customers who use the Wi-Fi hotspot in a store connected via SD-WAN.
Problematic – third-country law: With the exception of LANCOM and a few other manufacturers, the network market is dominated by the USA and Asia. There is a correspondingly high market share of SD-WANs and cloud-managed wireless LANs “made in the USA“ and “made in China“. However, the national law that these providers are subject to is contrary to the protection of personal data, as the ECJ clearly stated in its ruling of July 16, 2020.
Mitigating compliance risks
So the risk is in the detail. When a non-European network solution is operated “from the cloud”, personal data not only leaves the local network, it also leaves the judicial area of Europe. At the latest with the occurrence of the ECJ ruling, this represents a massive compliance and cost risk for user companies. Employees and customers—at schools: the schoolchildren and their parents—could take legal action against the resulting data protection violations and claim damages, and the data protection authorities could impose fines amounting to millions.
When planning an SD-WAN infrastructure or a cloud-managed Wi-Fi, it is imperative to ask which data leaves the local network and which legislation the network manufacturer is subject to. Are compliance and EU data protection requirements met? Is there an adequacy decision for the network provider’s country of origin that guarantees a comparable level of data protection? To be able to answer this question with a clear yes and to ensure legal compliance, the best move is to choose a European solution. Companies can be sure that they are retaining control of the data of their employees and customers, providing protection in compliance with GDPR. What’s more: You proactively minimize compliance risks and protect yourself from unpleasant consequences such as recourse claims and a loss of reputation.
Legal compliance “Made in Germany”
As a German manufacturer, we at LANCOM have always benefited from the stable legal framework that Europe offers us. Data protection and data security are valuable assets that are respected as a matter of course, not only by policy makers but also by many providers like us.
One consequence is that we host the public cloud version of our SDN solution, the LANCOM Management Cloud (LMC), here in Germany. This means that we can exclude data transfers abroad and offer our customers maximum legal certainty in terms of data protection and compliance. True to our motto: Secure. Networks.