Data protection in the USA - Part 1 of the delegation trip
Delegation trip with the Cyber Security Council of Germany
In Europe and its neighbouring countries, the GDPR has now arrived, one and a half years on. The German discussion about data protection is increasingly focusing on the exchange of data with third countries, primarily with the USA. There, tech giants such as Microsoft, Amazon and Facebook have recently come in for criticism. In order to get a first-hand impression of data protection in the USA, Prof. Dr. Andre Döring went on a two-week delegation trip organized by the Cyber Security Council of Germany. In this three-part series, Prof. Dr. Döring reports on his impressions in three stops.
Data protection situation in Germany
The Hessian state data protection commissioner advises against using the Office365 package from Microsoft due to data protection concerns. The data protection conference agrees that Windows 10 cannot be used in compliance with GDPR. Amazon collects thousands of data points from its customers and Facebook is criticized not least because of the data leak to Cambridge Analytica.
"From my point of view, it makes sense to critically follow developments in data protection on the other side of the Atlantic from a German, or better, European perspective. But it is also always good to get a personal picture of the situation. For this reason, I joined this year's US delegation of the Cyber-Sicherheitsrat Deutschland e. V. from 08.11 to 14.11.2019," says Prof. Dr. Döring. The excellent contacts of the Cyber Security Council enabled the delegation to gain deep insights into the data protection and security structure of American companies such as Microsoft and Amazon and of security authorities such as the Department of Homeland Security, insights that would otherwise have remained out of reach.
The East Coast: a Mecca for cyber security
The first stop of the delegation's trip was Washington D.C., the capital of the USA, which is home to all important US authorities on the topic of "security". The Pentagon, FBI headquarters and important parts of the Department of Homeland Security are located in Washington. In the area around D.C., for example in Howard County in Maryland, the NSA and the US Cyber Command have their main locations. The training of cyber experts in the military and civilian environment is provided in D.C. by the National Defense University.
It is therefore no wonder that this hotspot for cyber security was an important goal of the delegation. Howard County in particular has been home to many private cyber companies that have created thousands of jobs in this sector.
National Defense University, D.C.
The first meeting took us to the National Defense University. The National Defense University (NDU) primarily trains members of the American cyber forces for deployment, in long and short programs. There we met Tom Wingfield, Acting Chancellor of the NDU and about to make the career jump to Deputy Director in the cyber environment of the Pentagon, who reported on the structure of military cyber training and the programs of the university.
In line with the wishes of the delegation, there was an intensive discussion on the current major challenges of cyber security. Tom Wingfield sees two important topics here.
Firstly, the actors in the cyber environment must network much better, both nationally and internationally. It must be possible to exchange (meta-)data and information on cyber issues as quickly as possible in the event of an attack. Secondly, the aim should be to provide a comprehensive overall picture of the current cyber situation, both at national level and at the international level of allied states. This is a demand that brings with it immense technical and political challenges.
Looking at the German situation in this regard, such an exchange and networking, as well as the presentation of a real-time capable overall situation "Cyber Security Germany", seems hardly achievable due to the federal structure of Germany. Nevertheless, in my view it makes absolute sense to consider designing a joint cyber defence centre in such a way that it is permanently staffed by representatives of the Länder, the security authorities and the most important providers of cyber infrastructure in Germany.
In the event of a national attack, the rapid exchange and flow of information would be possible and rapid responses could be coordinated and triggered for the whole of Germany.
Department of Homeland Security
Another very interesting exchange took place with representatives from the field of cybercrime in the U.S. Department of Homeland Security (DHS), with Deputy Assistant Secretary Richard Driggers and Principal Deputy Director Matt Kelly. Topics included DHS support for other authorities and for the private sector in the cyber security environment.
Using its own tools, DHS offers domestic authorities an automated, regular analysis of their IT infrastructure for weak points, the results of which are then provided to the relevant departments in daily or weekly reports.
Maryland, Howard County: The Cyber Stronghold
After a short stop at the Business Software Alliance in DC, the third meeting took us to the cyber stronghold of Howard County in Maryland, about an hour and a half's drive from D.C. The meeting took place in an incubator for cyber security companies, where cyber sector actors from politics, public authorities and the private sector are networked. There, the delegation met very open-minded entrepreneurs and representatives of public authorities who were eager to discuss concrete possibilities for cooperation between Germany and the USA.
The discussion was intensive and controversial. From the point of view of the resident companies, the GDPR in particular will in future have a strong influence on the many existing business relationships between European and American companies. The concept of data protection (privacy) in the USA appears to be changing fundamentally in the coming months in the direction of the principles of the GDPR. One of the triggers for this is the California Consumer Privacy Act (CCPA), which will come into force at the beginning of 2020. As a result of the CCPA, personal data will no longer belong to the companies that collect it, but rather, as with the GDPR, to the customers and employees from whom it is collected.
Organisation of American States
The last appointment in DC was the visit to the Organisation of American States (OAS). There, a panel discussion took place between representatives of the OAS (Kerry-Ann Bennett, Policy Specialist), the Cyber Security Council Germany (Hans-Wilhelm Dünn, President), the Department of Homeland Security (Bob Koslasky, Director) and the Internet Security Alliance (Larry Clinton, President) on the topics of cyber security and data protection.
Larry Clinton criticized the GDPR as the worst law he has ever seen. Despite the very polarised opinion and the ensuing discussion, it is worth reflecting on one point of his argumentation: His central question was how and whether the effect of the GDPR can actually be measured? I think there are indeed still some shortcomings in his argumentation that need to be remedied, even if the positive effect of the GDPR is always concretely demonstrable in our customer projects. Because from the point of view of managers in the USA, the world is quite simple at this point: according to the principle of "Management by Objectives", all non-measurable measures are simply stopped. For the GDPR to gain greater acceptance in the USA, its benefits must ideally be statistically verifiable.
The next part of the delegation trip is to the tech giants in Redmond and Seattle.