Data protection in the USA - part 2 of the delegation visit
Delegation trip with the Cyber Security Council of Germany
In Europe and its neighbouring countries, the General Data Protection Regulation (GDPR) has now become established after one and a half years. The German discussion about data protection is increasingly focusing on the exchange of data with third countries, primarily with the USA. There, tech giants such as Microsoft, Amazon and Facebook have recently come in for criticism. In order to get a first-hand impression of data protection in the USA, Prof. Dr. Andre Döring went on a two-week delegation trip organized by the Cyber Security Council of Germany. In this three-part series, Prof. Dr. Döring reports on his impressions from three stops.
Data protection situation in Germany
The Hessian state data protection commissioner advises against using the Office365 package from Microsoft due to data protection concerns. The data protection conference agrees that Windows 10 cannot be used in compliance with GDPR. Amazon collects thousands of data points from its customers and Facebook is criticized not least because of the data leak to Cambridge Analytica.
"In my view, it makes sense to critically follow developments in data protection on the other side of the Atlantic from a German or, better, a European perspective. But it is also always good to get a personal impression of the situation. For this reason, I have joined this year's US delegation of the Cyber Security Council Germany e.V. from 08.11. to 14.11.2019," said Prof. Dr. Döring. The Cyber Security Council's excellent contacts enabled the delegation to gain deep insights into the data protection and security structure of American companies such as Microsoft and Amazon and security authorities such as the Department of Homeland Security, which would otherwise remain closed.
The tech giants in Redmond and Seattle
After a domestic flight from DC to Seattle, the IT giants Microsoft and Amazon AWS were on the agenda. The domestic flight itself lasted six hours and forty-five minutes. You get a good feeling of how large the geographical extent of the USA actually is when you think about where you could land on a flight of this length with take-off in Berlin or Frankfurt.
Microsoft Cybercrime Center and Cyber Operations Center
The visit to Microsoft's headquarters in Redmond was certainly a highlight of the delegation's trip. After a warm welcome by the National IT Compliance Officer for Microsoft Germany, Ralf Wigand, a senior compliance officer and a senior business development officer, we were introduced to Microsoft's general activities regarding cyber security and other applicable regulations, such as the GDPR.
In this context, it is interesting to note that some time ago, the German Federal Office for Information Security (BSI) visited Microsoft in Redmond with two software specialists to have Microsoft's security measures for the Windows 10 operating system explained in detail. All critical questions of the BSI seemed to have been answered, and the answers are to be published in a soon-to-be-updated version of the BSI's SiSyPHuS study on Windows 10.
In my opinion, the decision of the data protection commissioners of the federal states on the GDPR-compliant use of Windows 10 should also be reconsidered after the study has been completed, as this decision is based in part on the SiSyPHuS study, which will probably soon become obsolete.
My conclusion from the meeting is that Microsoft itself is doing a lot for the easiest possible implementation of international regulations such as the GDPR and is also continuously adapting its own products to the GDPR. The statements correspond with the blog post by Julie Brill, Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer at Microsoft, in which she calls for a GDPR for the USA.
For example, the Compliance Board in Office 365 enables the setting of deletion policies and the continuous automated or manual classification of documents. This helps to meet the requirements of Article 17 GDPR and makes doing so feasible for smaller companies as well. Furthermore, Microsoft is in the process of reducing to a minimum the amount of metadata transferred for the analysis of program errors and security vulnerabilities, a development which obviously takes a certain time with complex software.
The Cyber Crime Center of Microsoft, which we then visited, deals with the analysis of current worldwide threat scenarios and with malware detection and IT forensics.
In the Cyber Operations Center we were welcomed by its director John Dellinger. He reported that Microsoft not only handles live cyber attacks, but that seven Red Teams are actively working on cyber security alerts.
AWS at Amazon HQ in Seattle
Amazon's headquarters in Seattle is an impressive structure. More than 50,000 people now work in the tall Amazon towers. In the middle of the campus, Amazon has created a biosphere with futuristic architecture that invites employees to relax.
Since the meeting with Amazon took place right after the meeting with Microsoft, you could immediately feel the difference in the company culture. While Microsoft seemed more conservative and calm, Amazon seemed a lot hipper, as you would expect from a relatively young company.
We were welcomed by a senior member of the Artificial Intelligence (AI) department and another senior member of the Cyber Crime department. The presentations were short and precise, so there was time to discuss topics such as the vulnerability of AI techniques.
Data protection Delegation trip to the USA
- To the first part of the delegation trip: The East Coast: a Mecca for cyber security
- The third and last part of the delegation's journey will take Prof. Dr. Andre Döring to Silicon Valley.
- Data protection in the USA - part 2 of the delegation visit - December 3, 2019