Transatlantic: the Future of Data Security and Data Protection
Max Schrems, the lawyer and privacy activist, discusses the current and potential developments in data protection with a focus on the iGaming sector.
The Schrems II ruling continues to have a significant impact on businesses worldwide, following the European Court of Justice judgment which invalidated Privacy Shield in 2020. While others were all talking about it, Internet Vikings in collaboration with Holm Security proudly hosted a live webinar session with the man himself — Max Schrems. Lawyer, author, and privacy activist, Max became famous for his campaigns against Facebook for privacy violations, and for his complaints under GDPR against Amazon, Apple Music, DAZN, and other big tech companies.
The most interesting part of the webinar featured a Q&A session in which various stakeholders posed real-world concerns directly to Max. The resulting discussion detailed in depth what applying the judgment actually means for iGaming.
Max, as a world-renowned privacy activist with substantial knowledge of the subject, what would happen if somebody's data ends up in the NSA data center?
M.S.: Such problems could stem mainly from conflicts of interest resulting in actions ranging from simple visa issues to surveillance to targeted attacks. In a recent case, SDKs built into apps figured out locations, and forwarded information to the U.S. military. One case in Austria, a neutral country but with substantial trades with Iraq, Iran and Russia, fell under possible sanctions from a U.S. perspective. Similarly, around Nord Stream 2 there are significant issues for the companies engaged in that.
If you were to utilize a European provider, are there any European laws like the Cloud Act that would subject companies to the same kind of risk?
M.S.: From a practical perspective, the capabilities of Europe compared to the U.S. are lower and there is no strict alignment between member states presently. Some states like Germany, France, and Sweden have the capacity for surveillance where others do not. From a legal perspective, article 4 of EU law exempts from GDPR, and compliance issues are simply not there because of the exemption. Basically, if you host in Europe, you are compliant.
If you look at the timeline back to 2015, there have been many developments, such as the U.S. Patriot Act, the Cloud Act, and Privacy Shield. It seems there are always inconsistencies between EU regulations and the U.S. What can we expect in the future?
M.S.: There is a high probability that these conflicts will continue and increase. For a long time, globally, there was little regulation of the Internet, but this has changed substantially and nowadays, we are seeing so much more. Unfortunately, there is not much of a coordinated approach, so the legislation will simply conflict more often. It is hoped that soon, at least within the EU, there will be a uniform approach to a range of different privacy issues and what we will probably see moving forwards are more data localizations as a result.
Would the U.S. comply with EU law? Is this ever likely to happen?
M.S.: That became much more likely following the second judgment, as the U.S. began to understand the stance of the European Commission. However, much will depend on the U.S. administration of the time, and the feeling is that any changes will take time and be difficult, as fundamentally it would mean the U.S. giving rights to non-U.S. citizens.
If you were to use a U.S. cloud supplier, would encrypting your data help?
M.S.: Maybe, providing there are actual assurances that no U.S. entity could see the data. The main problem, however, is that once the data rests in the U.S., there is no set standard for encryption, for how that would even be performed, or a system we know that does the task adequately. At the end of the day, in terms of both cost and legal exposure, it is probably more efficient to just host in Europe.
Max, you know a lot about U.S. and European law and how they interact and often conflict. What are the actual risks and consequences an iGaming operator would face if they were to utilize AWS, Google Cloud or similar services?
M.S.: The most common cases, presently, involve organizational workers or customers. A company might have a dispute with a union or customer (usually about something else) which then escalates to an investigation into the privacy policy. In Portugal, one case began on the basis of complaints, but on further examination of data transfers, a U.S. provider was discovered to be involved in a breach. The company became exposed to a class action for emotional damages, which can be much larger than any GDPR fines. Based on the Schrems II ruling, organizations should urgently find alternative legal solutions to work with U.S. vendors.
Would a solution be for U.S. hosting companies to just set up a legal entity in the EU?
M.S.: Technically that could be a solution, but complicated due to rules about ownership ties. Presently, it is not known if anyone has successfully done that. It would be necessary to further investigate with specialists in corporate or company law on this matter.
One Swedish government agency recently published a comment that, based on the Schrems II ruling, organizations should try to find alternative legal solutions when working with U.S. vendors. What is your comment?
M.S.: If there was a straightforward legal solution to hand, I would definitely present it. Maybe, instead of Privacy Shield, standard contractual clauses could be used, which could work if your recipient in the U.S. is not an electronic communication service provider. But it would be very difficult to implement until there are concrete changes in the relevant legislation.
Conclusion
According to Max Schrems, the potential implications for the iGaming industry regarding the data privacy of clients and players are extraordinary. The discord that exists between GDPR and Cloud Act regulations, in the absence of Privacy Shield protection, means European organizations are facing substantial risk. Traditional cloud solutions from tech giants such as Microsoft and AWS no longer provide sufficient security, and companies transferring data outside the EU need to increase their efforts to comply. As more legislative inconsistencies emerge, there will be more data localization. It will simply become impossible for organizations to comply with all the rules at the same time.
The safest or preferred solution, in this case, would be to use European-based hosting services that are fully ISO certified, compliant with GDPR, provide bespoke solutions, and possess the necessary expertise to protect your data safely.