Several high-profile organizations have faced serious consequences for failing to comply with the GDPR in light of the Schrems II ruling, underscoring how critical data privacy and data security are for international operations.
The European Data Protection Supervisor (EDPS) opened investigations into EU institutions' use of cloud services from Amazon Web Services and Microsoft. The probes assessed compliance with the Schrems II judgment, in particular the transfer of personal data to non-EU countries and the risks that come with it.
In July 2022, the Danish DPA (Datatilsynet) banned the use of Google Chromebooks and Google Workspace in schools in Helsingør Municipality. The decision was based on the municipality's failure to ensure adequate data protection, in particular for data transfers to the U.S., and therefore on a breach of the GDPR's post-Schrems II requirements. (See Marcelo Corrales Compagnucci, "Danish DPA Banned the Use of Google Chromebooks and Google Workspace in Schools in Helsingør Municipality", SSRN.)
In July 2020, the Court of Justice of the European Union (CJEU) handed down its judgment in Schrems II, a case with profound consequences for any organization that transfers EU personal data to the United States (US) or processes it there. For businesses handling international data transfers, especially in cloud environments, the ruling has reshaped expectations around cloud data security and cloud data privacy.
So, what is Schrems II, and what does it mean for businesses going forward?
The New Data Transfer Landscape for Europe and the US
Schrems II takes its name from Max Schrems, the Austrian privacy activist whose complaint brought the case. In its July 2020 judgment, the CJEU invalidated the EU-US Privacy Shield: because US surveillance law allowed public authorities to access transferred data beyond what is strictly necessary and proportionate, and gave EU data subjects no effective judicial redress, the US could not be said to offer protection essentially equivalent to that guaranteed in the EU. Standard contractual clauses (SCCs) survived the judgment, but only on condition that the exporter verifies, case by case, that the law of the destination country does not undermine them, and supplements them where it does.
To understand the judgment's impact, we need to look at the GDPR. The regulation requires any organization that processes the personal data of individuals in the EU to meet strict data security and data privacy standards, and it reaches organizations established outside the EU when they offer goods or services to, or monitor the behaviour of, people in the EU, regardless of where the organization itself is located.
The European Commission has declared certain non-EU countries, including Japan, Israel, Switzerland and New Zealand, to offer data protection safeguards equivalent to the EU's own (so-called adequacy decisions).
As a result, personal data can be transferred from the EU to organizations in these countries without additional data security mechanisms. The Privacy Shield agreement granted the same status to US organizations that self-certified under it.
With that agreement declared invalid by the CJEU, US-based businesses handling the personal data of people in the EU now face much stricter requirements for cloud data privacy.
In this evolving landscape, a new transatlantic cloud data privacy framework is critical to enabling safe and legally compliant data transfers between the EU and US.
How Can Organizations Remain Compliant?
While Schrems II has sown confusion and doubt for businesses, the good news is that the European Data Protection Board (EDPB) has issued official guidance (Recommendations 01/2020 on supplementary measures) on staying compliant with the GDPR when transferring personal data to the US.
Organizations exporting the personal data of people in the EU must assess, document and be able to demonstrate to a supervisory authority or court that they have taken sufficient measures to protect it from access by public authorities that goes beyond what is necessary and proportionate. The guidance lists organizational measures including data minimization procedures, transparency policies on government access requests, and adoption of recognised international security standards such as ISO/IEC 27001.
The EDPB also recommends technical measures such as pseudonymization, where data is stored and processed in a form that cannot be attributed to an individual without additional information that is kept separately and under the exporter's control (this is weaker than anonymization, which removes the link for good). Encryption is one of the most important technical cloud data security measures, but it must meet several conditions to count as an effective supplementary measure.
Data must be encrypted before transmission, and the algorithm and its parameters (key length, mode of operation) must be state of the art and robust against cryptanalysis by public authorities, given the resources and technical capabilities available to them. Flaws in the implementation count against it just as much as a weak algorithm does.
Perhaps most importantly, the cryptographic keys must be retained solely under the control of the data exporter (the party ultimately responsible for the data in the event of a privacy or security breach), or of another entity entrusted with them that is located in the European Economic Area (EEA) or in a country with an adequacy decision. Keys held by the importer, or accessible to the provider in the third country, defeat the measure.
The Role of the Cloud and External Key Management
If a data exporter uses a cloud provider based in a non-EU country whose authorities can compel it to hand over data, the organization can quickly find itself in breach of the GDPR and its own cloud data security requirements. One approach is a Bring Your Own Key Management System (BYOKMS): the firm generates and stores its keys in a key manager it operates in its own data centre, and rather than uploading those keys to the provider, the cloud service calls out to that key manager for each wrap or unwrap operation. If data is encrypted under keys stored and managed from inside the EEA before it leaves, the organization can send the resulting ciphertext to non-EU countries while keeping the means to read it at home, which improves both cloud data security and cloud data privacy compliance.
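As an added example (not code from the original page, and not any vendor's BYOKMS product), the following Go program models the key-custody split described above: a per-object data-encryption key (DEK) encrypts the record, the exporter's key manager in the EEA wraps that DEK under a key-encryption key (KEK) it never releases, and only ciphertext plus the wrapped DEK travel to the non-EEA cloud. The EEAKeyManager type, its WrapDEK/UnwrapDEK methods, the object IDs and the sample record are assumptions made for illustration; a real deployment replaces the in-process calls with the provider's external-key-manager API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EEAKeyManager stands in for the exporter's own key management system run
// inside the EEA. It holds the KEK and exposes only wrap/unwrap; the KEK never
// leaves. In a real BYOKMS deployment these two methods are network calls from
// the cloud service to this key manager (hypothetical API, modelled in-process).
type EEAKeyManager struct{ kek []byte }

func NewEEAKeyManager() (*EEAKeyManager, error) {
	kek := make([]byte, 32) // AES-256 KEK
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &EEAKeyManager{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag under a fresh random nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM is the inverse; the GCM tag check makes any tampering fail.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// The object ID is bound in as associated data, so a wrapped DEK cannot be
// replayed against a different object.
func (k *EEAKeyManager) WrapDEK(id string, dek []byte) ([]byte, error) {
	return sealGCM(k.kek, dek, []byte(id))
}

func (k *EEAKeyManager) UnwrapDEK(id string, wrapped []byte) ([]byte, error) {
	return openGCM(k.kek, wrapped, []byte(id))
}

// CloudObject is everything that crosses the border: ciphertext plus the
// wrapped per-object DEK. No plaintext, no KEK.
type CloudObject struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// ExportToCloud runs on the exporter's side inside the EEA.
func ExportToCloud(km *EEAKeyManager, id string, plaintext []byte) (CloudObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CloudObject{}, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(id))
	if err != nil {
		return CloudObject{}, err
	}
	wrapped, err := km.WrapDEK(id, dek)
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptFromCloud cannot proceed without an unwrap from the EEA key manager,
// which is the control point the exporter keeps.
func DecryptFromCloud(km *EEAKeyManager, obj CloudObject) ([]byte, error) {
	dek, err := km.UnwrapDEK(obj.ID, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap refused or failed: %w", err)
	}
	return openGCM(dek, obj.Ciphertext, []byte(obj.ID))
}

// LeaksPlaintext is what a provider, or an authority compelling it, can learn
// from storage alone: for a correctly encrypted object it is always false.
func LeaksPlaintext(obj CloudObject, fragment []byte) bool {
	return bytes.Contains(obj.Ciphertext, fragment) || bytes.Contains(obj.WrappedDEK, fragment)
}

func main() {
	km, _ := NewEEAKeyManager()
	record := []byte("constructed sample: patient 0042, diagnosis F41.1") // constructed input
	obj, _ := ExportToCloud(km, "records/0042", record)
	fmt.Println("plaintext visible in cloud storage:", LeaksPlaintext(obj, []byte("patient")))
	foreign, _ := NewEEAKeyManager() // anyone without the exporter's KEK
	_, err := DecryptFromCloud(foreign, obj)
	fmt.Println("decrypt without exporter's KEK:", err)
	pt, _ := DecryptFromCloud(km, obj)
	fmt.Printf("decrypt via EEA key manager: %q\n", pt)
}
```

Run it with `go run`. The point of the failed second decrypt is that whoever holds only the stored object (the provider, or an authority compelling it) has nothing to work with; every read becomes an unwrap request the exporter can log, rate-limit or refuse from inside the EEA. The limitation is visible in the same code: DecryptFromCloud returns plaintext, so if it runs on the provider's compute, the DEK and the plaintext exist in the provider's memory for the duration of processing, which is the gap that confidential computing is meant to narrow.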
This ties into data sovereignty, the principle that data is subject to the laws of the country where it is first collected. If data is encrypted before it leaves the country and not decrypted again until it returns, a form of virtual data sovereignty is preserved, and the cloud data security measures become far easier to defend. The caveat is that this holds only while the data stays encrypted: once the provider's compute decrypts it for processing, the key and the plaintext exist in the provider's memory, and the EDPB found no effective supplementary measure for processing in the clear by a provider in a third country. Confidential computing narrows that gap. The workload runs inside a hardware-isolated trusted execution environment (a "secure enclave") that the host operating system and hypervisor cannot read, and remote attestation lets the exporter verify the enclave's identity and code before releasing a key to it. Even if the surrounding infrastructure is compromised, the data inside the enclave remains protected, subject to the enclave technology's own side-channel limitations.
While uncertainty remains for organizations storing and processing EU data overseas, implementing processes and technology in line with the EDPB's guidance gives firms the best chance of operating normally and meeting data privacy rules.
Applying strong encryption to all data before it leaves the EU, backed by an effective BYOKMS strategy, goes a long way towards the crucial requirement of keeping both data and encryption keys under the enterprise's direct control.