We don’t need to dwell on the already well-known explosion in the quantity of data and the ever-increasing speed of exchanges. The planet has become a global village with a tendency towards the exchange of data on a massive scale based on transparency. Information has become a commodity, and many current problems stem from this fact, which gives rise to a need to create new protective walls. That is why the new European Regulation on data protection was adopted. Approved on April 14, it will be applicable as a binding standard in 2018 throughout the European Union without having to be translated into national law. According to Yves Reding, the arrival of this regulation will be quite a challenge for some companies that will need to upgrade. "Adjustments will have to be made in the next two years. And if companies don’t begin early enough, they could be quite tedious to make..."
Another key event was the invalidation of the "Safe Harbor Agreement" on October 6, 2015. The agreement was considered "detrimental to the essential content of the fundamental right to privacy". For many, this was a "legal tsunami". In retrospect, it was primarily an important decision in favour of more data protection. Overnight, more than 4,500 companies, including GAFA (Google, Amazon, Facebook, Apple), that were storing the data of European users on servers in the United States were suddenly operating illegally.
A Safe Harbor 2 is emerging. To date, even if there has been progress, nothing has yet been concluded. The Europeans and Americans still stumble on several issues, which shows how sensitive the subject is. According to the CEO of EBRC, the real challenge of the European continent is to control the key asset of tomorrow, data, if it wants to keep up. "A country that does not control its own information will be quickly left behind!"
Yves Reding sees two trends in this area: firstly, the creation by the European Union of a digital single market via secure standards and European labels; secondly, the decision of major countries to shape their own digital future. In this area, the most visible and strongest initiative is that of Germany. It already enjoys a reputation for excellence in the field of data protection. In addition, Germany has launched its "Bundescloud" initiative, a national sovereign cloud, which complies with the principle of free movement within Europe but whose design nevertheless implies that by 2020 no public or parastatal German data may leave the national territory anymore.
"Luxembourg should follow the German model, which promotes a high level of data protection, or even exceed it," advocates Yves Reding. "If we want to be part of a European cloud in the future, it is indeed necessary to focus on the protection of our sovereign data. Obviously you need to be pragmatic and business-friendly and not succumb to dogma. But issues of security and privacy will become key questions. To be credible and competitive in this field at the international level, we have to be exemplary on our own territory and have a sovereign cloud regulated with a unique security level which will serve as a reference to others."
By leveraging the high level of data protection of a cloud with Luxembourgish regulation, the country could eventually attract more international companies. Data protection is a new trend, but it is irreversible. Luxembourg has a spotless reputation internationally when it comes to risk management, security, governance and regulation. Data protection "with Luxembourgish regulation and guarantees" could be designed in a way similar to the PSF label in the financial sector and be based on recognised international certifications.
The high exposure of the ICT sector to the financial industry, including FinTech companies, ensures its sustainability and long-term potential. The high quality level required by the PSF status is a unique differentiator in Europe in terms of expertise. The combination of expertise in the financial world and FinTech industry associated with the great tradition of regulation, security and data protection represents a real asset that can be used to position the country on the playing field for the protection of personal data.
EBRC itself is constantly investing in data protection. In 2015, EBRC strengthened its model based on trust and security by obtaining new certifications, including ISO 27018 (protection of Personally Identifiable Information (PII) in the cloud) and ISO 22301 (business continuity management system).
Always trying to support its customers in guarding against the "new" threats, EBRC has strengthened its SOC (Security Operations Centre), which is fully certified and operates 24 hours a day. It has also launched its CERT (Computer Emergency Response Team) and deployed new service offerings for information security via its international partners. "To protect and manage the sensitive information of our customers and partners is our core business," adds Yves Reding. "In this sense, EBRC proudly waves the country's flag. The European Regulation is a unique setting. What matters now is being the best in this group of twenty-eight member states to take full advantage of this market for data protection."
There are several initiatives that can be used: a sovereign cloud in Luxembourg with a European calling, specific regulation on risk management to ensure greater confidence in IT, and privacy and security innovation, either through new data protection technologies and the identification of issues in the FinTech sector or via the launch of new services.
Luxembourg now has a unique opportunity. It has to seize it!
Article published in Soluxions Magazine - June, July 2016