In the context of remote air traffic control operations and service virtualization, legal considerations regarding data sovereignty and data regionality come into play.
Advancing Virtualization to Enable Remote Air Traffic Services
The Single European Sky Initiative and EUROCONTROL's ATM Masterplan are advocating interoperability and remote air traffic control operations. This leads to an ongoing process of virtualization of services. Virtual services allow for remote operations, as they can be operated from any location, while also increasing resilience, efficiency, and dynamic interoperability.
But virtualization often goes hand in hand with data and service hosting. Hosting data and services on platforms such as AWS, Google Cloud or Microsoft Azure offers advantages such as scalability, faster time to market, cost efficiency, global reach, and access to advanced infrastructure and services.
Schrems II and Concerns about Data Protection and Compliance
The Schrems II court decision emphasized the importance of protecting personal data transferred outside the European Economic Area (EEA) to countries with potentially lower data protection standards. This decision has significant implications for organizations involved in remote air traffic control operations, where sensitive data transfers across borders are prevalent.
In this article, we explore the role of Air Traffic Safety Electronics Personnel (ATSEP) in ensuring data protection, with a particular focus on data residency, regionality, digital sovereignty, and GDPR compliance in the context of remote system monitoring and control.
Data Residency
Where is data hosted for European companies and by whom?
For European companies, the question of data residency is crucial. Hosting data on cloud platforms like AWS raises questions about the physical location of the data and the entity responsible for hosting it. Let us look a bit deeper into the case of AWS. Amazon Web Services (AWS) operates through its European subsidiary and hosts data in various European data centers, such as those in Ireland, Sweden, the UK, Germany, Italy, France, and Spain.
Importantly, European companies can choose AWS Europe as their hosting provider, ensuring that their data remains within the EEA.
Regionality
Does data stay in Europe? Data regionality is a key consideration for European companies seeking to maintain control over their data. The big cloud service providers (CSPs) like AWS offer a feature called "Regionality," which enables customers to impose data residency requirements.
By utilizing this feature and setting specific attributes for keys, data can be encrypted and decrypted only in authorized regions. This ensures that data stays within the boundaries of Europe, providing organizations with greater control over their sensitive information.
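As an added illustration (not code from the original article or from AWS), the following Python check assumes that the regional constraint described above is expressed as an AWS KMS key-policy condition on the global condition key aws:RequestedRegion, and audits a constructed sample policy for decrypt permissions that are not confined to EEA regions:

```python
import json

# Regions the article lists as European AWS locations (Ireland, Sweden, Germany,
# Italy, France, Spain); the UK data centre is outside the EEA, so it is omitted.
EEA_REGIONS = {"eu-west-1", "eu-north-1", "eu-central-1",
               "eu-south-1", "eu-west-3", "eu-south-2"}

# Constructed sample key policy (placeholder account id): the weak statement
# "UnrestrictedDecrypt" comes first, the corrected "EeaOnlyDecrypt" second.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UnrestrictedDecrypt", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/atc-app"},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "EeaOnlyDecrypt", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/atc-app"},
         "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"StringEquals":
                       {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}}},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_decrypt(statement):
    return any(a.lower() in ("kms:decrypt", "kms:*")
               for a in _as_list(statement.get("Action", [])))

def _regions(statement, operator):
    cond = statement.get("Condition", {}).get(operator, {})
    return set(_as_list(cond.get("aws:RequestedRegion", [])))

def unscoped_decrypt_sids(policy_json, allowed=EEA_REGIONS):
    """Sids of Allow statements granting kms:Decrypt that are not confined to a
    subset of `allowed` via StringEquals on aws:RequestedRegion."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and _names_decrypt(s)
            and not (_regions(s, "StringEquals")
                     and _regions(s, "StringEquals") <= allowed)]

def has_region_deny_guard(policy_json, allowed=EEA_REGIONS):
    """True if an explicit Deny on kms:Decrypt/kms:* with StringNotEquals on
    aws:RequestedRegion lists only `allowed` regions (blocks all others)."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    return any(s.get("Effect") == "Deny" and _names_decrypt(s)
               and _regions(s, "StringNotEquals")
               and _regions(s, "StringNotEquals") <= allowed
               for s in statements)
```

The check covers the key policy only; IAM identity policies and KMS grants attached to the same key would need the same review before concluding that decryption is confined to Europe.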
Digital Sovereignty
Is the company and nobody else in control of the data? Digital sovereignty is a critical aspect of data protection, ensuring that companies retain control over their data and mitigate risks associated with unauthorized access through other companies, individuals or governments. ATSEP play a pivotal role in upholding digital sovereignty in remote air traffic control operations. By advocating and maintaining robust encryption measures, employing secure communication protocols, and adhering to strict access control policies, ATSEP ensure that only authorized individuals and systems can access and manipulate data. This approach guarantees that the company, not the cloud service provider or any third parties, remains in control of the data throughout its lifecycle.
The Interdependence of Data Residency, Regionality, and Digital Sovereignty
Data Residency, Regionality, and Digital Sovereignty are closely interdependent. In the Schrems II ruling, the Court of Justice of the European Union decided that data hosted in the USA would not be sufficiently protected against third-party access and terminated the Privacy Shield agreement. This was substantiated by Edward Snowden's revelations about the NSA's access to data hosted in the USA, in particular data of non-US origin.
The Court of Justice of the European Union (CJEU) ruled that "the Privacy Shield does not provide adequate protection, and invalidated the agreement. The court also ruled that European data protection authorities must stop transfers of personal data made under the standard contractual clauses by companies, like Facebook, subject to overbroad surveillance. This decision has significant implications for U.S. Companies and for the U.S. Congress because it calls into question the adequacy of privacy protection in the United States" (source).
GDPR Compliance - Is Hosting OK from a Legal Point of View?
Ensuring compliance with the General Data Protection Regulation (GDPR) is paramount for organizations handling personal data. The Regional Court of Karlsruhe (Oberlandesgericht) delivered an important verdict in a case involving a European subsidiary of a US company hosting data in Europe. The court ruled that doubts about trustworthiness cannot be solely based on the CSP's affiliation with a US parent company. Customers are not obliged to assume that the subsidiary would receive and follow illegal instructions from its parent company.
This verdict aligns with the "in dubio pro reo" principle, which favors the accused in cases of doubt. European companies can have confidence in the conduct of the CSP with regard to GDPR compliance. It provides legal support for organizations leveraging European cloud services, reassuring them that their data is hosted in compliance with GDPR regulations (source).
ATSEP's Role in Ensuring Data Protection
In the context of remote system monitoring and control, ATSEP play a crucial role in safeguarding the confidentiality, integrity, and availability of sensitive data. They possess the technical expertise to advocate and maintain robust security measures, monitor network traffic, and detect and respond to potential threats promptly. Even though they normally would not physically implement the ATM infrastructure themselves, they are the ones who know the status quo, its loopholes and the need for improvement best.
ATSEP, legal experts and data protection authorities need to closely cooperate to navigate the evolving legal landscape, ensuring compliance with data security, sovereignty, and regionality requirements. Their involvement ensures that remote air traffic control operations adhere to data protection regulations and industry best practices, bolstering the overall security of the system.
SkyRadar's System Monitoring & Control Solution
Virtualized and service-oriented architectures are a keystone in EUROCONTROL's and ICAO's ATM master plans. SkyRadar's SkySMC training infrastructure provides virtualized architectures from servers to radars, making it a perfect training infrastructure for our ATSEP trainees.
SkySMC - SkyRadar's System Monitoring and Control Suite - is a pedagogically enhanced, fully operational monitoring & control tool. We have optimized it to cater for ATSEP-SMC training compliant with EASA's Easy Access Rules for ATM-ANS (Regulation (EU) 2017/373) and ICAO Doc 10057.
SkyRadar provides SkySMC as a complete laboratory in a turn-key approach, or as a service.
SkySMC is not a simulator, but a fully operational open monitoring system. It comes by default with a server including various virtualized applications and virtualized servers, but also connects to simulated systems. In addition, there are various hardware extensions available including training infrastructures, monitorable training radars, or even complete ATM systems, all connected to the System Monitoring & Control solution.
SkyRadar's System Monitoring & Control training system can be easily blended into distance learning solutions.
Let's talk
Stay tuned to be always the first to learn about new use cases and training solutions in radar qualification (real radars or simulators) for ATSEP.
Or simply talk to us to discuss your training solution.
Further Reading
Dr Ulrich Scholten and Christian Bollich previously published about the subject: "Hosting on AWS as a European Company - What about Data Residency, Regionality, Digital Sovereignty and GDPR Compliance?" on the website of the cybersecurity company Cryptomathic.
Also interesting and published on the same website by Dr. Ulrich Scholten and Stefan Hansen: "New Executive Order on U.S. Surveillance Might Lead to Schrems III"