Thomas Nietsch: “Self-regulation of the cloud market would be the best way to rebuild EU customers’ trust”

A senior associate at K&L Gates’s growing Berlin office explains the challenges of emerging technology, the new needs around compliance systems and how the invalidation of Privacy Shield will affect European service providers.

Posted on Wednesday, June 30th 2021

Leaders League: You promote the cohesion of your European IT and AI team and its knowledge of specific countries. Could you explain further how your company is structured and the way your team works across jurisdictions?

Thomas Nietsch: K&L Gates LLP is a fully integrated law firm operating globally across five continents. The firm is subdivided into practice and industry groups to provide clients with the most relevant set of expertise for their projects. This structure leads to a harmonized and coherent structure of attorneys within our data protection and IT practice group, and allows us to efficiently collaborate across borders and related fields of the law (e.g. labor) under one consistent quality regime. The inherently international nature of our clients’ projects benefits from our close-knit practice since we can gather the required resources seamlessly and with a one-stop-shop approach. The EU team is closely connected at the professional and personal level, and discusses current projects, regulatory evolutions and exchanges experiences. This enables us to offer our clients not only a sectoral review but also to take into account legal and operational idiosyncrasies across key markets, in particular on GDPR interpretation, which still remains in its infancy.

“Emerging technologies often attract the interest of regulators, which are tempted to enact new rules affecting frontrunners already relying on such technologies”

Your team dedicates itself to emerging technology areas and focuses on the rising client challenges in deep tech. Could you further explain what these specific fields are, how they drive the markets, and what your current client needs are?

Companies are challenged with disruptive technological developments and must take decisions on a day-to-day basis to deal with these evolutions. Cutting-edge technologies such as AI, machine learning and the Internet of Things all have in common the need for large volumes of data to be relevant. While they can have massive advantages for competitiveness, these technologies can often be at odds with privacy and data protection principles. Where such data is personal, it’s necessary to bring in line these contradicting goals (e.g. data minimization, the right to be forgotten, and similar principles).

In addition, emerging technologies often attract the interest of regulators, which are tempted to enact new rules affecting frontrunners already relying on such technologies. A recent example is the joint statement of EU regulators on the ban of facial recognition. We help our clients navigate those emerging landscapes and build bridges between stakeholders who may not be speaking to each other or speaking the same “language”.

You specialize in complex IT matters with a key focus on international data transfers and general data protection law and compliance. What are some challenges and growing opportunities for your clients and your firm?

Digitalization plays a key role for all types of enterprise: regardless of their business model, size and origin, they all thrive for efficiency and to improve their business processes, e.g. through cloud-based/communication solutions and data pooling. Using third-party services comes with material cost savings and increased computing capacities that a company could not achieve by maintaining its on-premise structure. The current COVID pandemic merely acted as an accelerator in this regard.

These opportunities directly translate into an increased need for legal advice, in particular for third-country data transfers, cybersecurity and negotiation of underlying agreements. We cooperate with our clients in order to implement compliant systems, enabling the smooth operation of their business especially during troubled times. On the other hand, we also cooperate with large service providers to make their services compliant and usable for EU customers.

“AI, machine learning and the Internet of Things all have in common the need for large volumes of data to be relevant, which is often at odds with data protection principles”

In July 2020, the Privacy Shield between Europe and the US was invalidated. You developed a Code of Conduct in terms of data compliance. What are the main outcomes of this decision and why did you introduce this Code? Who will be the main beneficiaries?

Already prior to July 2020 and the Privacy Shield invalidation, it had become apparent that transfers of personal data to the US and other countries with strong security practices were under scrutiny. In addition, foreign (cloud) service providers were losing the trust of EU customers due to the increased maturity of EU providers.

We quickly realized that self-regulation of the cloud market ecosystem would be the most natural means to rebuild this trust. This was the origin of the initial EU Cloud Code of Conduct (CoC), which was established by SCOPE (Self and Co-Regulation for an Optimized Policy Environment in Europe) Europe.

Since we regularly advise both international and EU-based cloud service providers and customers, supporting SCOPE Europe and the EU CoC was a natural path for us. While the main body of the EU CoC has been approved recently, which is already a fantastic success, we are now working on a special module designed to address transfers of personal data to cloud service providers located in foreign countries, as an alternative to the recently released Standard Contractual Clauses or similar tools.