At least since the GDPR went into effect, data protection should be at the top of your agenda. However, when it comes to selecting cloud software systems, the applicable legislation is often negligently violated.
In case your Cloud Provider is located outside the EU
Today, every cloud provider is obliged to take sufficient technical and organizational measures with regard to data protection and data security.
This also includes rules on any subcontractors, such as hosting providers or integrated software components. Both are part of the so-called Data Processing Agreement (DPA). However, experience has shown that these agreements are rarely checked comprehensively by the customer, e.g. the hotel, before they are concluded – with dangerous consequences. Since last year, there has been a very significant court decision that applies to all those cases in which either the cloud provider itself or one of its subcontractors is based not in the EU or EEA but outside it. This applies to many large software providers, especially in the hotel industry.
Background: Protection from US Authorities
In July 2020, the European Court of Justice (ECJ) declared the successor to the Safe Harbor Agreement, the so-called Privacy Shield Framework between the U.S. and the European Union, invalid. This means that personal data may NOT be transferred to recipients in the USA on the basis of this agreement anymore. This affects cloud software providers and hosting companies in the USA, as well as all subcontractors in the USA. Anyone who processes their guest data using a US cloud software provider or stores it in a hosting environment in the USA is therefore committing a data protection violation – insofar as the transfer still relies on the Privacy Shield – which can be punished with a fine of up to 4% of the previous year’s global turnover.
The reason for the court ruling is the fact that the Privacy Shield cannot provide sufficient protection for data stored by US companies against access by US authorities, as it binds US companies but not government investigating authorities in the USA. The EU court, which a few years earlier had also overturned the Safe Harbor agreement as a predecessor regulation, sees this as a serious violation of the high European data protection standards for the protection of the data subjects, in the hotel sector primarily the hotel guests.
The Privacy of Hotel Guests
This legal opinion is quite understandable and has a great significance especially for the hotel industry. On the one hand, hotels try everything to protect their guests and their privacy. On the other hand, however, the guests’ data is often transferred to a country outside the EU, such as the USA, without their knowledge or consent and thus made accessible to the authorities there.
Especially some guests of luxury hotels would probably have their hair stand on end if they knew this.
So be cautious when it comes to selecting cloud software systems!
About the authors
This article is co-written by Dr. jur. Robert Selk and Dr. Michael Toedt.
Dr. jur. Robert Selk, a lawyer specializing in IT law, is a partner at SSH Rechtsanwälte in Munich. He received his doctorate in 2002 in the field of Internet and data protection law. The focus of his parallel master’s postgraduate studies was European and international business law (Master of Law, LL.M.). For many years, his practice has involved computer, Internet and data protection law as well as trademark, copyright and competition law. Dr. Selk is also appointed as an external data protection officer in various internationally active companies, works extensively as a speaker on IT and data protection law, and is a member of, among other things, the legislative committee on IT law of the German Bar Association and co-chairman of the “Data Protection” specialist committee of the German Society for Law and Information Technology. In addition, he regularly publishes legal articles.